Security and IT teams may be loath to admit it, but security has historically been mostly a reactive affair. Security engineers monitored for threats and responded when they detected one. They may have also taken steps to harden their systems against breaches, but they didn’t proactively fight the threats themselves.
That is changing as more and more teams add threat hunting as one pillar of their cybersecurity strategies. By enabling an active, systematic approach to threat detection and remediation, threat hunting helps organizations stay a step ahead of threat actors and minimize the number of actual incidents they have to react to.
Keep reading for a primer on threat hunting, its role in modern security operations, and how to integrate threat hunting into your security strategy.
What Is Threat Hunting?
Threat hunting is the proactive detection and remediation of cybersecurity threats. When you perform threat hunting, you go out and search for threats before they have even appeared on your network or otherwise touched your systems. This makes threat hunting the opposite of a passive security strategy in which teams monitor environments for active threats, and only then respond.
Threat Hunting Example
There are a variety of threat hunting techniques, which are detailed further below. But as a simple example of threat hunting, think of a security team that sets up a honeypot – meaning a software environment that is designed to look like a real target, but is populated with “dummy” data and applications rather than anything sensitive – in order to lure in attackers.
When attackers attempt to reconnoiter or break into that environment, they expose their identities and techniques. In turn, threat hunters can take steps to block the attackers from accessing any of their systems, and to harden their environments against the methodologies that the attackers use.
The Importance of Threat Hunting
The chief advantage of threat hunting, which is a relatively new technique that has become popular in recent years, is that it allows organizations to detect and mitigate threats before their systems are even touched.
As noted above, most classic security strategies are reactive and passive. If you use a SIEM to monitor for security events, for example, or you use auditing tools to check your access control policies and other configurations for potential vulnerabilities, or you use container image scanners to check for malware in your applications, then you can only detect threats that are already present and active – to some degree, at least – inside your environment.
There is a chance that damage has already been done at that point. A container image containing malware could already have been deployed, for instance, or an insecure IAM policy may already have exposed sensitive data. Given that it takes 207 days on average for organizations to identify active breaches, waiting until the attackers are already inside before you can even start looking for them is hardly an ideal strategy.
With threat hunting, you can stop the threats before attackers have the potential to do any damage. Threat hunting helps keep attackers as far away from your systems as possible (unless, of course, you deliberately set up a honeypot) so that you can remediate threats from a distance, so to speak.
An additional benefit of threat hunting is that it can help teams detect threats that they otherwise would not think about. Attackers are always learning new tricks, and it’s impossible to anticipate every type of attack or exploit that they may launch against your systems. By allowing your team to profile and study threat actors and their techniques, threat hunting alerts you to new attack strategies that you may not be thinking about when writing monitoring rules or deciding how to harden your environments.
How Does Threat Hunting Work?
Threat hunting can be broken down into several stages:
Planning: First, organizations identify the types of risks they want to monitor for. Again, you can’t anticipate every type of threat with certainty, but you can decide which types of assets within your IT estate are at greatest risk, as well as which general types of threats (like insider attacks or DDoS attacks) you want to defend against proactively.
Data collection: After deciding what to protect against, organizations collect data to help them understand and detect threats. This data may include internal systems information like logs, which help teams understand where their vulnerabilities lie. It can also include threat intelligence data, which details information about different types of threat actors and their strategies.
Threat detection: With threat data on hand, the team can devise a plan for detecting threats in the wild. There are many possible techniques to use here: You could use a honeypot to attract attackers. You could look through network logs for signs that someone has been trying to scan your network, then use that data as a starting point for profiling the attackers. You could look at your software supply chain for signs of interference by malicious parties.
Threat remediation: After you’ve identified a threat, you can take steps to remediate it by blocking the threat actors from your environments and mitigating their preferred methods of attack. For instance, if you conclude that the threat actors are trying to deploy compromised images in your container registry, you can lock down access controls to prevent them from interacting with the registry, while also ensuring that new images are scanned immediately so that if a bad image does sneak in, you’ll catch it before creating containers based on it.
Retrospective: After you’ve responded to a threat, take time to evaluate whether similar threats pose a risk to your business and what you can do about them. You should also consider the extent to which your pre-existing defenses would have kept you safe from the threat, had you not blocked it before attackers began actively attempting to breach your environment. If you find that your threat hunting is unveiling threats for which you were totally unprepared, it’s a sign that you may need to invest more in hardening your systems in general, or at a minimum plug the specific identified gaps.
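The log-review technique from the threat detection stage, as an added example that is not part of the original article: it flags sources that touch many distinct host/port pairs in a short window and builds a starting profile for each. The log format, thresholds and addresses are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (documentation addresses, not real data).
# Assumed line format: "<ISO timestamp> <ALLOW|DENY> <src_ip> <dst_ip> <dst_port>"
SAMPLE_LOG = """\
2024-05-01T10:00:01 DENY 198.51.100.7 10.0.0.5 21
2024-05-01T10:00:02 DENY 198.51.100.7 10.0.0.5 22
2024-05-01T10:00:02 DENY 198.51.100.7 10.0.0.5 23
2024-05-01T10:00:03 ALLOW 198.51.100.7 10.0.0.5 80
2024-05-01T10:00:04 DENY 198.51.100.7 10.0.0.6 3389
2024-05-01T10:00:05 DENY 198.51.100.7 10.0.0.6 5432
2024-05-01T10:00:10 ALLOW 203.0.113.20 10.0.0.5 443
2024-05-01T10:00:00 DENY 192.0.2.44 10.0.0.5 22
2024-05-01T11:00:00 DENY 192.0.2.44 10.0.0.5 23
garbled entry
"""

def parse(line):
    """Return (time, action, src, dst, port), or None if the line is malformed."""
    try:
        ts, action, src, dst, port = line.split()
        return datetime.fromisoformat(ts), action, src, dst, int(port)
    except ValueError:
        return None

def find_scanners(log_text, window=timedelta(seconds=60), min_targets=5):
    """Profile sources touching >= min_targets distinct (host, port) pairs within window."""
    by_src = defaultdict(list)
    for event in filter(None, map(parse, log_text.splitlines())):
        by_src[event[2]].append(event)
    profiles = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e[0])
        best = set()
        for i, first in enumerate(events):  # window anchored at each event in turn
            seen = {(e[3], e[4]) for e in events[i:] if e[0] - first[0] <= window}
            best = max(best, seen, key=len)
        if len(best) >= min_targets:
            denied = sum(e[1] == "DENY" for e in events)
            profiles[src] = {
                "targets": sorted(best),
                "denied_ratio": round(denied / len(events), 2),
                "first_seen": events[0][0].isoformat(),
            }
    return profiles

if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))
```

A source that probes slowly stays under a short window, so a hunt of this kind is worth repeating with a longer `window` and a lower `min_targets`.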
Threat Intelligence vs. Threat Hunting
As noted above, threat intelligence data is one resource that teams typically rely on when performing threat hunting. However, threat intelligence is not the same as threat hunting.
Threat intelligence is information about potential threats – what attackers’ motivations and end-goals are, which techniques the attackers use, which systems are at risk, and so on – that is useful for understanding the scope and nature of a threat.
In contrast, threat hunting is the process of using threat intelligence data, combined with other insights and tools, to detect and respond to threats before they compromise the business.
Threat Hunting’s Role in Modern Security
Threat hunting helps organizations take a proactive approach to security. But it’s not a substitute for other types of security operations.
Because threat hunting won’t detect every type of threat, it’s critical to monitor for active threats inside your systems as well. Thus, threat hunting won’t replace your endpoint security, network firewalls, identity and access management tools, or your SIEM. You also still need to monitor your on-prem and public cloud logs for signs of compromise.
It’s also essential to perform regular security audits in order to determine what your weakest points are and plan continuous improvements to your security posture over time. Threat hunting may help identify some vulnerabilities that you have not previously thought about, but it’s not a substitute for comprehensive security audits.
That said, threat hunting can and should play a central role in helping you to contextualize and assess security issues detected via other means. If you find and remediate an active incident inside your environment, for instance, threat hunting can help you determine whether other attackers are planning similar attacks. Or, if you detect a compromise but need more information about which systems were affected and how the attackers are likely to proceed, you can glean context from the threat intelligence data you maintain to support threat hunting.
In a world where threats are growing more complex and unpredictable every day, and where businesses continue to struggle to detect compromises before attackers have already wreaked havoc inside their systems, threat hunting provides a means of preventing attackers from ever touching your systems. In this way, threat hunting serves as a vital complement to other security strategies that are less proactive and less well suited to detecting vulnerabilities before a serious incident has already occurred.