What’s hunting and is it worth it?
The value of hunting is a source of ongoing conversation and debate within the security industry. For some, hunting is a no-brainer, while others have intentionally delayed the adoption of this more novel approach to security.
Why the debate? A few reasons.
First, there are a lot of misconceptions and conflicting views about what hunting is and how it should be implemented. That’s because there isn’t an industry-adopted definition of hunting.
Then there are the limited expertise, competing priorities, and organizational tensions that impact security teams’ ability to adopt an effective hunting program. Not to mention the budget constraints that exacerbate the issue by forcing some orgs to rely on the bare minimum to secure their infrastructure – either delaying the adoption of a hunting program or implementing one that’s sub-optimal.
Expel has taken a side in this debate.
In this blog post, I’m going to explain what hunting is, the value it provides, and share how we use hunting here at Expel.
TL;DR: Hunting is the act of proactively looking for threats and/or anomalous activity in an environment that may have been missed by your security tools.
But, like I mentioned, you won’t find an industry agreed-upon definition of hunting today, which can lead to misunderstandings about what hunting is and who does it.
For example, hunting efforts focused strictly on retrospective data analysis using known indicators of compromise (IOCs) after a large-scale attack or hunting services that are primarily automated are often marketed as a comprehensive hunting solution. But they often fall short on the scope, visibility, and reach you can or should expect from proactive hunting.
At its core, hunting is scientific, rooted in the practice of setting up an experiment to test a hypothesis. Hunting ‘experiments’ are based on both known and unknown attacker behaviors. Hunting ‘hypotheses’ are based on the assumption that bad actors slipped past your detections. Hunting ‘tests’ involve analyzing a large set of data (your raw logs) over a period of time (30 days for us) and focus on abnormal behaviors and patterns.
Hunting is complex. It requires experienced talent, a dash of creativity, and effective tools. It also requires the time and space to effectively implement and maintain a threat hunting program. This can prove challenging for many orgs, especially those still struggling to understand the value or benefits of hunting.
On top of that the low number of results typically found in a hunting exercise is a good sign for secure environments, but can lead to a low perceived value of hunting.
Despite these challenges, security-forward companies have recognized the growing importance of threat hunting, and those who have implemented hunting programs find themselves ahead of the next attack instead of waiting for it.
The benefits of hunting
In our experience, there are characteristics of a mature hunting program that bring numerous benefits to organizations, including but not limited to:
- Helping uplift existing SOC detections by focusing on finding behaviors that are missed by existing security tools.
- Over time, enhancing existing tools with new and novel detection patterns.
- Further validations for the existence of an incident.
- Improving the overall quality of existing threat intelligence (like data) by helping shape threat intelligence research efforts.
- Helping to alleviate management anxieties by providing greater coverage of monitoring and analysis throughout the infrastructure.
With Expel, for example, we’ve enabled several enterprise customers to move beyond simply focusing on IOC-based hunts in one environment (which is still important) to extending their threat hunting coverage across their environment with a larger, diverse set of hunting techniques.
From our perspective, the benefits of hunting are many. Some of our favorites include:
- Attention to both known and unknown threats.
- Reduced attacker dwell times (time spent undetected in the environment)
- Faster time to containment.
- Minimized risk of lateral movement, spread, and exfiltration.
- A full view (beyond threats) that helps you better understand your environment
And we’re not the only ones that feel that way.
An increased number of industry experts, research studies, and reports mention or highlight the benefits of hunting. NIST’s latest publication (Rev5) of NIST SP 800-53 acknowledges the usefulness of hunting to help identify evolving threats and, for the first time ever, introduced a control for threat hunting in section RA-10.
This change tells us that orgs are starting to understand the significance of threat hunting. Yet many orgs struggle with finding the talent, time, or resources to hunt full-time, which makes prioritizing threat hunting especially difficult.
Why Expel loves hunting
Here at Expel, we believe there’s another potential benefit to hunting that’s frequently overlooked.
Beyond identifying evolving threats, hunting is great for gaining more visibility into how your infrastructure (on-prem and/or cloud) is working (or not working). We consider this one of the most valuable features of our hunting service and include it in our hunt findings report as an added bonus.
Expel reports this information in a dedicated ‘Insights’ section of our hunt findings report. We examine our customers’ workings and identify areas that need attention, like misconfigured tools or other unnecessary operational costs they’re incurring.
We also use these insights in a few other ways. For one, insights help set a baseline understanding of what’s going on in your environment. Second, they can help break down communication silos between teams in your org to build a common understanding of your infrastructure.
Finally, insights highlight important operational information your team should be aware of, ranging from security to compliance to operational issues that are increasing costs, like large unidentified elastic compute cloud (EC2) instances.
And while these insights give you a better understanding of your infrastructure, they also enhance our unique context for our customers’ orgs that we then use to improve our detection strategies for their specific environments.
So, is it worth it?
Research shows that hunting is quickly growing in importance and becoming a staple of a strong security strategy.
Expel’s chosen ‘side’ is this: we fully believe in its benefits to not just identify evolving threats, but also to give you a better fundamental understanding of your environment.
The next time someone asks if it’s worth it, here’s the real value of hunting:
It’s the best way to stay ahead, mitigate your overall exposure (for example, reduce dwell time which is the time an attacker spends undetected in your environment), and give you a stronger chance of catching bad actors that have slipped past your security tools. Hunting enhances the visibility of your environment and provides an extra layer of protection that can prevent catastrophic damage.
But keep in mind that developing a hunting strategy and capability is a time-consuming investment that requires a lot of resources. And even mature security teams might need threat hunting support to hunt efficiently and effectively.
If you’re currently evaluating a hunting service (or thinking about it after reading this blog post), check out this impact report for buyers.