I wrote a post on threat hunting back in 2020, Weird Hunting Analogy and Machines vs Humans, addressing the definition of hunting, where it fits in the SecOps program and if it can be fully automated. The title sounds more like a Quentin Tarantino movie, but I received quite a bit of positive feedback on it, particularly from people a lot smarter than me and true big game hunters. As time has progressed, I have taken hundreds of inquiries on threat hunting, detection and incident response. Something started to materialize in what I was hearing from security leaders and operators that aligns to the disagreement in the industry about the definition of threat hunting and the different perspectives on it.
Play Nice Kids
I came to the realization that both sides are right. It is really a matter of a context, timing and threat landscape understanding that is driving an organization and/or individual’s definition of what threat hunting is, to them. There is a lot of arrogance and belittling in the industry around this, among many other things, but I digress.
I cannot deliver too much on this because I am waiting for a live Webex to be scheduled so I can give the presentation I created for Gartner SRM DC 2022 on this topic. Unfortunately, I got sick and was unable to deliver it to the 227 attendees who signed up for the session. However, I want to socialize this to gain some interest and visibility before the full delivery.
As a teaser and to help eliminate this futility about threat hunting definitions, there are two categories of threat hunting. They are both pertinent and which ever you are conducting depends on your understanding of the threat landscape, what threat intelligence you have and the timing of threat actor activity against your organization.
Pre-Knowledge Threat Hunting
The unknown unknowns. To go where no security analyst or incident responder has gone before. This is the leet sauce of SecOps where hunters are walking around in a dark room looking for a creepy clown. This is the pinnacle of SecOps threat detection capability where you get to use PhD words like hypothesis. Sorry, that is all I can share right now so you’ll have to wait for the webinar or meet me in a dark bar.
Post-Knowledge Threat Hunting
Honestly, this is what most organizations are aligning to. To let you in on a dark secret, this is most likely what your security service providers is really doing, not that there is anything wrong with that…unless you were expecting creepy clown detection. This is receiving tips and indicators from your threat intel sources and teams, aka post knowledge, learning you have no rules in place for detection and doing a historical search to determine if something bad has already hit you. There is also an aspect of this using threat intelligence to look for things you cannot write a detection rule for and I think there is where the cyber security 1% start getting pedantic.
As my sign off, I submit to you all that maybe we need to reframe our description and categorization of looking for what are unknown threats to any of us at any given time. Hunting often implies a known target and you prepare for what you are going after with the right equipment, which makes Threat Hunting a great match to describe post-knowledge. Maybe the better term to describe pre-knowledge is Threat Discovery.