Cyber threat hunting helps organisations identify security threats that could or are infiltrating their initial security defences. Typically, organisations have a defensive strategy when dealing with cyber threats, implementing solutions like firewalls, endpoint protection, email security, web security, etc. However, organisations have started to proactively hypothesise and identify cyber threats that may lie lurking in their networks, this is known as cyber threat hunting.
Our previous blogs talked about what threat hunting is, the overall threat hunting process, and threat hunting benefits. However, as interest in threat hunting increases among organisations, so have the misconceptions surrounding it. This article aims to shed some light on seven common misconceptions regarding threat hunting:
There is a general misconception that threat hunting can be fully automated using artificial intelligence i.e. threat hunters can be replaced with AI technology. This is an unreasonable expectation as artificial intelligence has not evolved to be self-aware to decipher human psychology, one of the key factors that make threat hunting successful in predicting how cybercriminals behave. In this aspect humans still do a much better job than AI.
Many organisations believe cybersecurity practises like threat hunting is a one-time exercise that identifies all possible threats in an environment. Threat hunting should be a continuous process and made a permanent part of an organisation’s cybersecurity strategy. Even if a threat hunter initially fails to identify any anomalies in the environment, repeated exercises can help the hunter improve results based on previous hunting exercises and develop new hypotheses on indicators of compromise in the wild. Even a single anomaly can cost an organisation millions, therefore continuous threat hunting exercises should be implemented in an organisation’s cybersecurity strategy.
There is some truth to the statement that anyone in your organisation’s IT department, with a certain level of skills and experience, can conduct a threat hunting exercise and may even have some success in identifying threats. However, doing it at a granular level requires specialised skills and a level of education that an IT employee won’t usually have. For example, analytics, security information and event management tools require a level of knowledge to be effectively used. The skill required to test a hypothesis, investigate a potential threat and collect actionable data requires the experience of a threat hunter.
Threat hunting isn’t only about discovering attacks that have already occurred or are occurring in the environment such as malware installed in systems or compromised accounts. These activities should rather be considered as the requirement of a security analyst team or an incident response team once identified, which a threat hunter should be part of. Organisations have much to gain by identifying and hunting potential threats or attacks that are in the wild and their impacts on the organisation’s environment. A large number of attacks rely on lateral movement through accounts to provide attackers with any value. Regardless of what is identified, during a threat hunting exercise insights will be provided into how a company’s cybersecurity efforts can be improved.
Although there are some similar concepts between penetration testing and threat hunting, these cybersecurity practises have different objectives. A penetration test is an authorised attempt to hack and gain access to an organisation's data assets acting as an outside malicious actor. Its purpose is to identify exploits so that they can be rectified before any potential cyber attack. On the other hand, threat hunting is focused on identifying threats (potential or ongoing) that penetration tests may not have picked up internally. Simply put, penetration tests are utilised to identify exploits before a real attack and threat hunting is used by organisations to find potential or ongoing activities and anomalies that may be considered threats. In some cases, the penetration testing teams and threat hunting teams will be paired against each other (Red vs Blue) to test an organisation’s cyber capability and resilience. Both these practises used hand in hand can greatly uplift an organisation’s cybersecurity posture.
Threat hunting involves scrutinising a large amount of data which is impossible to do without powerful tools. Threat hunters rely on a number of analytical tools to help with identifying malicious activity. As mentioned in the above point, similar to how threat hunting cannot be entirely automated, it isn’t an entirely manual process either. Threat hunters use technology to complete various activities.
With a limited budget for cybersecurity, organisations may not recognise the importance of threat hunting over implementing traditional information security defences that are typically automated. Threat hunting doesn’t always produce results, with some sessions leading to little to no results, however, occasionally a threat hunting exercise may lead to identifying attack vectors that automated detection software might have missed. Some of the most advanced and elaborate threats are designed to get past perimeter defences and can cause serious damage to an organisation. A threat hunter can detect malicious activity that could evade an organisation's initial defences. Therefore, the element of human understanding should be a critical component of every organisation’s cybersecurity strategy.
Does your organisation practice active threat hunting? StickmanCyber's threat hunting services can help you become more proactive when it comes to cybersecurity and detect and prevent cyber threats before they impact your business.