Traditionally, my inquiry calls at Gartner centre around Detection and Response Services: how to find bad stuff, who is good at reporting and responding to bad stuff, and so on. But more recently the topic of threat hunting keeps coming up. With differences of opinion not only between clients and vendors but also amongst the analyst community here at Gartner, I find myself pondering the question, “What actually is Threat Hunting?”
Threat Hunting is a Service, right?
If there is one thing I know well, it’s managed security services. Therefore, I can confidently say that threat hunting is NOT a service. Nobody ever said, “I want to buy some of that ‘threat hunting’ stuff.” Buyers of security services should focus on outcomes, and those outcomes depend on threat hunts being successful. Services that offer threat hunting as a value add or as a differentiator, well, that’s different. We need to be asking our service providers about the processes they use and how these will benefit us as consumers.
Buying an intelligence-led security service? It’s pretty certain the vendor will be using threat hunting techniques. If they aren’t, then you have to ask yourself: what makes this service materially different from what the technology provides without the provider? If they say their threat hunting is ‘automated’, chuckle nervously and slowly back out of the room…
Maybe Threat Hunting is Just a Process?
This is the camp I sit pretty squarely in. In most SOCs, the process of investigating alerts is actually threat hunting. Granted, many of us aren’t doing a complex job when we process alerts from a SIEM or from an equally expensive security technology. But as long as we are investigating, trying to understand the reason for the issue, identify a path to resolution and make sure we have responded, that’s hunting, right?
The core ambition of all security ops teams should be to improve their threat hunting processes; just because your process is immature or simple doesn’t mean you aren’t hunting. This central process is the engine for the vast majority of other functions that the SOC is responsible for:
- Creation of Detection Content
- Interpretation of Threat Intelligence
- Understanding of the Impact of Vulnerability Exposure
- Incident Investigation
- Incident Response Management
Can Security Technologies Automate Threat Hunting?
I’ve heard two terms lately, “Automated Triage” and detection technologies that “Never Miss Anything”. Honestly, I have never heard so much ‘codswallop’ in all my life.
When I started out in SOC operations there was definitely a drive towards a few main things: become more efficient at the delivery process; be more accurate with incident detail for issues that we were already identifying; create more head-space to keep the SOC innovating in line with the pace of the attacker’s development team. Of course, there were events that were binary, things that required us to do the same thing again and again. Such repetitive, simple issues can have their identification and response automated, but in reality these attack techniques are going to go out of fashion with attackers pretty quickly once they begin to fail.
Elements of detection and response can be automated, of course. But what about the process by which that detection and response evolves? That process needs a clear understanding of the infrastructure you use to operate your business, whether that means data from the cloud, network logs or endpoints. It needs an interpretive view on what matters to you and what will have the biggest impact.
Threat Hunting is a process which guides your SOC to think outside of the box. Can that truly be automated?