How Managed Threat Hunting Services Can Revolutionize Your Security

As I meet with security leaders to discuss their security operations capabilities, I find a focus on monitoring, event management, and vulnerability management. Where organizations do conduct threat hunting, it is limited to situational hunts, and they miss the opportunity to identify undetected compromises through structured and unstructured hunts. This document discusses threat hunting, its benefits, how it is conducted, its challenges, and how a managed threat-hunting service can be both effective and inexpensive.

"In modern warfare, it is not just the firepower that matters; it is the intelligence and skilled personnel behind that power. Without adequate resources for threat hunting, we leave ourselves vulnerable to unseen adversaries." — General (Ret.) Keith Alexander, former director of the National Security Agency (NSA) and U.S. Cyber Command

Threat hunting is a proactive, human-driven approach to detecting cyber threats within an enterprise. It actively seeks signs of malicious activity that may have evaded other security tools. Threat hunters hypothesize about potential attacks, analyze data from across the enterprise, and look for subtle indicators that suggest an ongoing compromise.

There are three types of threat hunts:

  • Structured: Based on known Indicators of Compromise (IoC) or Tactics, Techniques, and Procedures (TTP), this type of hunt leverages information from threat intelligence sources to detect specific patterns or behaviors.
  • Unstructured: A hypothesis-driven approach where threat hunters use their intuition and experience to search for anomalies or behaviors that may indicate malicious activity.
  • Situational: Triggered by specific events such as a breach in a similar organization or an alert of a newly discovered vulnerability that could affect the organization.

Importance of Threat Intelligence (TI)

A threat hunt starts with understanding your organization's IT enterprise, vulnerabilities, and potential targets. The second step is understanding your adversary, its objectives, and TTPs.

"If you know the enemy and know yourself, you need not fear the result of a hundred battles." Sun Tzu, The Art of War

When setting up threat feeds for an operations center, we evaluated several services and platforms. More feeds did not necessarily mean better coverage; we found that four threat feeds, although partially redundant, provided excellent insight. TI does not have to break the bank: many free, open-source platforms can get you started, while sophisticated threat-hunting teams will prefer to purchase commercial feeds.

TI aims to help organizations understand current and emerging threats and provide actionable insights to defend against them. Depending on the specific goals and context, threat intelligence can be tactical, operational, strategic, or technical. TI supports threat hunters by providing the following:

  • Context: Knowing which threats are most relevant to the organization.
  • Indicators of Compromise (IoCs): Data points that signify malicious activity, such as IP addresses, file hashes, or URLs.
  • Tactics, Techniques, and Procedures (TTPs): Information about how attackers operate, helping hunters to anticipate and detect their moves.

TI is a critical input to an effective threat hunt; used well, it is essential to identifying threats to, and defending, your enterprise.
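The first practical step a hunt team takes with the overlapping feeds described above is to normalize and de-duplicate their indicators so that one artifact written two ways does not become two hunt leads. The following is an added example for this article, not the author's code or any vendor's product. The three feeds, their CSV layout, the confidence values and the 70-point hunt threshold are constructed assumptions; real feeds arrive as STIX/TAXII, MISP or vendor JSON, so the parsing step is what you would replace.

```python
"""Normalize and merge indicators from several partially redundant TI feeds.

Added example (not the article author's code). All feed content below is
constructed sample data using documentation IP ranges and .test domains.
"""
import csv
import io
import ipaddress

# Constructed feeds. Feed B repeats two of feed A's indicators (one with
# different letter case), which is the partial redundancy the article notes.
FEED_A = """type,value,confidence,tag
ipv4,203.0.113.10,80,c2
domain,update.example-bad.test,70,c2
sha256,a3f1c2d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f90,90,loader
"""
FEED_B = """type,value,confidence,tag
ipv4,203.0.113.10,60,scanner
domain,UPDATE.EXAMPLE-BAD.TEST,85,c2
url,http://update.example-bad.test/stage2,75,loader
"""
FEED_C = """type,value,confidence,tag
ipv4,198.51.100.7,50,scanner
ipv4,not-an-ip,99,c2
"""


def normalize(ioc_type, value):
    """Canonicalize an indicator so equivalent spellings merge.
    Returns (type, value) or None when the value is malformed for its type."""
    ioc_type = ioc_type.strip().lower()
    value = value.strip()
    if ioc_type == "ipv4":
        try:
            return ioc_type, str(ipaddress.IPv4Address(value))
        except ipaddress.AddressValueError:
            return None
    if ioc_type == "domain":
        return ioc_type, value.lower().rstrip(".")
    if ioc_type == "sha256":
        value = value.lower()
        if len(value) != 64 or any(c not in "0123456789abcdef" for c in value):
            return None
        return ioc_type, value
    if ioc_type == "url":
        return ioc_type, value  # URL paths can be case-sensitive; keep verbatim
    return None


def merge_feeds(feeds):
    """Parse each feed, drop malformed rows, and merge duplicates across feeds.
    A merged indicator keeps the highest confidence seen and the union of
    tags and source feeds, so analysts can see who corroborates what."""
    merged = {}
    for source, text in feeds.items():
        for row in csv.DictReader(io.StringIO(text)):
            key = normalize(row["type"], row["value"])
            if key is None:
                continue
            entry = merged.setdefault(key, {"confidence": 0, "tags": set(), "sources": set()})
            entry["confidence"] = max(entry["confidence"], int(row["confidence"]))
            entry["tags"].add(row["tag"])
            entry["sources"].add(source)
    return merged


def hunt_ready(merged, min_confidence=70):
    """Indicators confident enough to pivot on in a structured hunt (assumed threshold)."""
    return {k: v for k, v in merged.items() if v["confidence"] >= min_confidence}


if __name__ == "__main__":
    merged = merge_feeds({"A": FEED_A, "B": FEED_B, "C": FEED_C})
    for (ioc_type, value), entry in sorted(merged.items()):
        print(f"{ioc_type:7} {value:40} conf={entry['confidence']:3} "
              f"sources={sorted(entry['sources'])} tags={sorted(entry['tags'])}")
    print(len(hunt_ready(merged)), "indicators at or above the hunt threshold")
```

Keeping the source set per indicator matters when deciding which subscriptions to drop: an indicator that only one feed ever reports is the one that argues for keeping that feed.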

Benefits of threat hunting

Unlike reactive approaches that rely on automated tools such as antivirus software or intrusion detection systems to detect known threats, threat hunting is a manual, analytical investigation that combines automated tooling with human expertise.

"Threat hunting helps organizations move from a reactive security posture to a proactive one, closing gaps before they're exploited." — Theresa Payton, Former White House CIO

Key benefits of conducting threat hunting are:

  • 84% of organizations report that threat hunting has improved their detection of advanced threats (CrowdStrike, 2022 Global Threat Report).
  • 76% of companies using threat hunting reduced their attack surface and incident response time (SANS Institute, 2021 Threat Hunting Survey).
  • A 50% reduction in dwell time (the time a threat lingers in a network before detection) was achieved by companies with a dedicated threat-hunting team (FireEye, M-Trends 2020: A View From the Front Lines).
  • 33% reduction in the overall cost of a breach when threat-hunting teams are involved (Ponemon Institute, Cost of a Data Breach Report 2021).

Top Challenges for Successful Threat Hunts

While threat hunting is a powerful proactive security measure, it comes with several challenges that can make it difficult for organizations to implement and fully gain value from the capability. Some of the top challenges include:

  • Lack of skilled personnel: experienced threat hunters are hard to find, resulting in high recruitment and training costs.
  • Incomplete data visibility: limited data collection across endpoints or networks, which may require infrastructure upgrades to address.
  • Manual tracking: many organizations track threat-hunting efforts by hand and need commercial tools to document and monitor their progress efficiently.
  • Constantly evolving threat landscape: adversaries adapt their tactics, so continuous monitoring tools are needed to keep defenses current.
  • Tool integration: a medium-level challenge, since combining multiple security tools is time- and labor-intensive and increases operational complexity.

Conducting threat hunts

Threat hunting is a proactive approach to identifying potential security threats that may have bypassed traditional defenses. It involves searching for indicators of compromise (IoCs) or attacker tactics, techniques, and procedures (TTPs) within a network before they cause significant damage. The success of a threat hunting operation depends on a well-structured process, the right people, relevant information, and the appropriate tools. Below is a detailed approach to conducting threat hunting.

The threat hunting process can be broken down into a structured cycle. The most common approach is the "Hunt, Detect, Analyze, and Respond" model, using the MITRE ATT&CK framework.

Several critical activities are carried out in threat hunting operations to proactively identify and mitigate potential security threats. The process begins with Hypothesis Generation, where analysts hypothesize potential attacker behaviors or vulnerabilities based on threat intelligence reports, past incident analysis, and anomaly monitoring data. Once a hypothesis is formed, the next step is Data Collection and Preparation, where relevant information is gathered from various sources, including system, network and application logs, EDR telemetry, network traffic, SIEM data, and threat intelligence feeds.

With the data in hand, analysts proceed to the Hunting/Investigation phase, actively searching for signs of malicious activity using the hypothesis as a guide. This involves analyzing historical logs, monitoring real-time alerts, leveraging anomaly detection systems, and referencing threat intelligence and known tactics, techniques, and procedures (TTPs). In the Detection and Hypothesis Validation phase, anomalies or indicators of compromise (IoCs) are identified and validated using IoC databases, historical data analysis, anomaly detection tools, and YARA rules.

Once potential threats are detected, the Analysis and Prioritization phase focuses on understanding the scope, severity, and impact of the threats by analyzing security logs, threat intelligence, incident reports, and baseline network data. Following this, the team moves into Response and Remediation, taking swift action to contain and eliminate the detected threat through incident response plans, forensic data, and system logs.

Finally, the Documentation and Reporting phase ensures that all findings, actions taken, and lessons learned are properly documented. This creates a record of incident reports, performance metrics (such as time to detection and containment), and valuable insights that contribute to continuous improvement in threat hunting efforts.
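The phases above read as a checklist; the following added example (not the author's code or any vendor's product) carries one hypothesis through hunt, validation, prioritization and reporting over a handful of EDR-style process events. The hypothesis uses the public ATT&CK technique ID T1059 (Command and Scripting Interpreter); the hostnames, user names, IP addresses (documentation ranges), the five-minute corroboration window, the baseline exception and the scoring weights are all constructed assumptions.

```python
"""One hypothesis-driven hunt carried through the article's cycle:
hypothesis -> data -> hunt -> validation -> prioritization -> report.

Added example (not the article author's code). Events, hosts, users, IPs,
the 300-second window and the score weights are constructed assumptions.
"""
from datetime import datetime, timezone

# Hypothesis (TTP-based): a document lure would cause an Office application to
# spawn a command interpreter, a parent/child pairing that should be rare.
HYPOTHESIS = {
    "id": "H-001",
    "attack_technique": "T1059",
    "statement": "Office applications should not spawn command interpreters",
    "office_parents": {"winword.exe", "excel.exe", "powerpnt.exe"},
    "interpreters": {"cmd.exe", "powershell.exe", "wscript.exe"},
}

# Data collection: constructed EDR process events (a real hunt pulls days of them).
EVENTS = [
    {"ts": "2024-03-01T09:02:11Z", "host": "ws-017", "user": "jdoe",
     "parent": "explorer.exe", "process": "winword.exe", "dest_ip": None},
    {"ts": "2024-03-01T09:02:40Z", "host": "ws-017", "user": "jdoe",
     "parent": "winword.exe", "process": "cmd.exe", "dest_ip": None},
    {"ts": "2024-03-01T09:02:41Z", "host": "ws-017", "user": "jdoe",
     "parent": "cmd.exe", "process": "powershell.exe", "dest_ip": "203.0.113.10"},
    {"ts": "2024-03-01T10:15:00Z", "host": "ws-042", "user": "asmith",
     "parent": "excel.exe", "process": "cmd.exe", "dest_ip": None},
    {"ts": "2024-03-01T11:00:00Z", "host": "ws-099", "user": "svc_build",
     "parent": "explorer.exe", "process": "powershell.exe", "dest_ip": "198.51.100.7"},
]

# Validation inputs: a known-bad IP from TI, and a documented baseline exception
# (assumed: the build service account legitimately runs PowerShell all day).
KNOWN_BAD_IPS = {"203.0.113.10"}
BASELINE_EXCEPTIONS = {("ws-099", "svc_build")}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def hunt(events, hypothesis):
    """Hunting step: events matching the hypothesized parent/child pairing."""
    return [e for e in events
            if e["parent"] in hypothesis["office_parents"]
            and e["process"] in hypothesis["interpreters"]]


def validate(events, hits):
    """Validation step: drop baseline-excepted hits, then look for corroborating
    activity on the same host within 300 s (any process reaching a known-bad IP)."""
    findings = []
    for hit in hits:
        if (hit["host"], hit["user"]) in BASELINE_EXCEPTIONS:
            continue
        t0 = parse_ts(hit["ts"])
        follow_on = [e for e in events if e["host"] == hit["host"]
                     and 0 <= (parse_ts(e["ts"]) - t0).total_seconds() <= 300]
        corroborated = any(e["dest_ip"] in KNOWN_BAD_IPS for e in follow_on)
        findings.append({"hit": hit, "ioc_corroborated": corroborated,
                         "follow_on": len(follow_on)})
    return findings


def prioritize(findings):
    """Prioritization step: IoC-corroborated findings outrank bare TTP matches,
    and more follow-on activity (capped) raises the score."""
    def score(f):
        return (10 if f["ioc_corroborated"] else 4) + min(f["follow_on"], 5)
    return sorted(((score(f), f) for f in findings), key=lambda x: x[0], reverse=True)


def report(ranked, detected_at):
    """Documentation step: one record per finding with the dwell-time metric."""
    rows = []
    for score, f in ranked:
        dwell_h = (detected_at - parse_ts(f["hit"]["ts"])).total_seconds() / 3600
        rows.append({"hypothesis": HYPOTHESIS["id"], "technique": HYPOTHESIS["attack_technique"],
                     "host": f["hit"]["host"], "user": f["hit"]["user"], "score": score,
                     "ioc_corroborated": f["ioc_corroborated"], "dwell_hours": round(dwell_h, 2)})
    return rows


def run_hunt(events=EVENTS, detected_at=None):
    """Run the whole cycle; detection time defaults to two days after the first event."""
    detected_at = detected_at or parse_ts("2024-03-03T09:02:11Z")
    return report(prioritize(validate(events, hunt(events, HYPOTHESIS))), detected_at)


if __name__ == "__main__":
    for row in run_hunt():
        print(row)
```

Two design points carry over to real hunts: the baseline exception is data, not code, so it can be reviewed and expired, and the report rows carry the hypothesis and technique IDs so that time-to-detection can later be compared per hypothesis rather than only per incident.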

Threat hunting as a service benefits

Subscribing to a threat hunting managed service can provide numerous benefits, particularly for organizations lacking the in-house resources or expertise to perform proactive threat hunting independently. A Managed Service Provider (MSP) with expertise in threat hunting can offer access to advanced capabilities, reduce operational burdens, and significantly improve an organization's security posture.

Engaging managed threat hunting services offers several key benefits that enhance an organization’s security posture. First, Access to Expertise and Skilled Resources ensures that businesses can leverage the knowledge and experience of highly trained threat hunters familiar with advanced tactics, techniques, and procedures (TTPs). This eliminates the need to hire, train, and retain in-house experts, reducing staffing challenges while improving threat detection and hunting capabilities.

Additionally, these services offer Cost Efficiency by being more affordable than building and maintaining an internal threat hunting team. Organizations avoid significant investments in tools and personnel, making cutting-edge threat detection available even to those with limited budgets. With access to Advanced Tools and Technology, companies benefit from top-tier solutions like Endpoint Detection and Response (EDR), Network Detection and Response (NDR), Security Information and Event Management (SIEM) systems, automation and orchestration tools, and AI-powered analytics. These technologies enhance detection and investigative capabilities while bypassing the complexity of deploying them in-house.

Managed services also provide Continuous Improvement, evolving hunting techniques to address emerging threats and incorporate the latest research. This ensures defenses remain up-to-date, reducing the risk of falling victim to attackers using new TTPs. Furthermore, Faster Time to Implement means these services can be quickly onboarded, delivering immediate threat-hunting benefits without long deployment cycles. As a result, organizations gain advanced threat detection capabilities promptly, improving their ability to respond to evolving security challenges.

Conclusion

Despite its advantages, organizations face several challenges in implementing effective threat-hunting practices. Issues such as a shortage of skilled personnel, incomplete data visibility, lack of tracking, automation, orchestration, and the evolving threat landscape can hinder efforts. However, these challenges can be mitigated through collaboration with managed threat hunting services. By leveraging these services' expertise and advanced technologies, organizations can enhance their threat detection capabilities while reducing operational burdens and costs.

In conclusion, threat hunting is not merely a security operation but an essential practice transforming an organization's cybersecurity approach. By embracing a proactive mindset and investing in effective threat hunting strategies, organizations can safeguard their assets and foster resilience in the face of an ever-evolving threat landscape. The journey towards a robust security posture begins with understanding the adversary and actively hunting for threats. This ensures that organizations are not just reacting to incidents but are prepared to defend against them preemptively.

Marc B.

Cybersecurity Analyst

4 months

Thx for sharing

Rick Van de Houten

Sales at Graphiant

4 months

IMHO - Third-party threat hunting should be treated like external financial audits from a regulatory perspective. CISO offices are humans subject to various incentives just like CFO offices. Investors, customers, and employees, and CISOs who struggle for budget would all be well served by periodic external threat hunting requirements.

Barry Nobles

Legislative Affairs, Strategic Planning, Policy Analysis at U.S. Coast Guard

4 months

Tight article, Paul. I always loves me a well-placed Sun Tzu quote! I've moved back to Reston, so please come visit!

Patricia (Paddy) Brunetti

Business development and bid management

4 months

Great (& understandable to the non-technical) explanation of threat hunting, its importance, and how to cost-effectively get started.

Christopher Charles

Principal Consultant at Solutions Technology Inc.

4 months

Very Insightful Paul.


More articles by Paul Girardi
