This post was originally published here by David Bianco.
You’ve probably heard this a million times now: “You need a hunt team”. This is true, as far as it goes, but why? For most people, the initial answer is probably something close to this: “So we can find bad guys on our network”. Again, this is true, but would it surprise you to learn that finding the bad guys is probably the least important reason to have a hunt team?
The Big Three Reasons
Although there are probably as many reasons to have a hunt team as there are organizations who have them, I think the three most important reasons are:
To identify new security incidents
To improve automated detection
To drive skills sharing and mentorship within the security team
Let’s look at each of these in more detail.
Identifying New Security Incidents
As I mentioned earlier, this is probably the #1 reason any hunting ever gets done. It’s a basic tenet of information security these days that prevention eventually fails, allowing intruders into the network. That’s why we see so much emphasis on detection and response as a backstop. We essentially make it as hard as practical for an intruder to operate in our environment, and then look for instances where our protections have failed. If we take this to the next logical step, we’ll see that detection eventually fails, too. No matter how good they are, static detection systems are being pitted against agile threat actors who can change their tooling and tradecraft faster than signatures and rules are updated. While this can work in the short term, it’s not good to rely on it as a long-term strategy.
Instead, we hunt. We define hunting as a process that inherently involves humans in some capacity, posing and testing hypotheses designed to identify new types of security incidents, or existing types that we hope to discover in new ways. This allows us to counter our agile adversaries with agile defenders, leveling the playing field a bit.
Improving Automated Detection
It’s great that we can use threat hunting to find new security incidents, but there’s a problem with that: scale. Humans are great at finding new ways to attack problems but we have difficulty keeping up with the deluge of data coming out of even moderately-sized organizations. Humans just don’t scale to the enterprise.
Fortunately, there’s a smarter way to both innovate and scale, which is to turn the results of successful hunts into automation. Automating our successful hunts provides two key benefits. First, while human threat hunters may need to try out their techniques on smallish datasets in order to prove that they work, automated versions of those hunts are free to work with much larger piles of data, covering the entire IT environment. Second, once a hunt is automated, the hunt team will rarely have to repeat it, and can thus focus their time on further innovation rather than running the same analysis over and over.
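To make the hunt-to-automation path concrete, here is an added example (not code from the original post). It expresses one hunt hypothesis as code, runs it over a small constructed set of process-creation events to surface candidates for a human to triage, and then shows the confirmed finding codified as a detection rule that can run unattended over every event. The event format, the specific hypothesis (frequency analysis of parent/child process pairs) and the resulting rule (an Office application spawning a script host) are assumptions chosen for illustration; the post itself prescribes no particular technique.

```python
"""Added example: a hunt hypothesis as code, then its automated detection.

The event schema, the hypothesis and the rule below are assumptions for
illustration, not something the original post specifies.
"""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

Event = Dict[str, str]
Pair = Tuple[str, str]

# Constructed sample process-creation events (not real telemetry).
EVENTS: List[Event] = [
    {"host": "ws01", "parent": "explorer.exe", "child": "chrome.exe"},
    {"host": "ws02", "parent": "explorer.exe", "child": "chrome.exe"},
    {"host": "ws05", "parent": "explorer.exe", "child": "chrome.exe"},
    {"host": "ws03", "parent": "explorer.exe", "child": "outlook.exe"},
    {"host": "ws01", "parent": "services.exe", "child": "svchost.exe"},
    {"host": "ws02", "parent": "services.exe", "child": "svchost.exe"},
    {"host": "ws03", "parent": "services.exe", "child": "svchost.exe"},
    {"host": "ws04", "parent": "explorer.exe", "child": "winword.exe"},
    {"host": "ws04", "parent": "winword.exe", "child": "powershell.exe"},
    {"host": "ws04", "parent": "powershell.exe", "child": "rundll32.exe"},
]


def stack_parent_child(events: Iterable[Event]) -> Counter:
    """Hunt step 1: frequency analysis ("stacking") of parent->child pairs.

    Common pairs are usually normal activity; the long tail is where an
    analyst starts looking.
    """
    return Counter((e["parent"].lower(), e["child"].lower()) for e in events)


def rare_pairs(events: Iterable[Event], max_hosts: int = 1) -> List[Pair]:
    """Hunt hypothesis: a parent->child pair seen on very few hosts deserves
    a human look. Returns candidate pairs, sorted, for triage.
    """
    hosts_per_pair: Dict[Pair, set] = {}
    for e in events:
        pair = (e["parent"].lower(), e["child"].lower())
        hosts_per_pair.setdefault(pair, set()).add(e["host"])
    return sorted(pair for pair, hosts in hosts_per_pair.items()
                  if len(hosts) <= max_hosts)


# Suppose triage of the hunt output confirmed that the Office -> script host
# pair on ws04 was malicious. The finding is narrowed into a precise rule
# that needs no analyst in the loop and can run over the whole environment.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def detect_office_spawns_script_host(event: Event) -> bool:
    """Automated detection distilled from the hunt (assumed rule)."""
    return (event["parent"].lower() in OFFICE_APPS
            and event["child"].lower() in SCRIPT_HOSTS)


def run_detection(events: Iterable[Event]) -> List[Event]:
    """Apply the rule to a stream of events; each hit is an alert."""
    return [e for e in events if detect_office_spawns_script_host(e)]


if __name__ == "__main__":
    print("Most common pairs:", stack_parent_child(EVENTS).most_common(3))
    print("Hunt candidates for triage:", rare_pairs(EVENTS))
    print("Automated alerts:", run_detection(EVENTS))
```

Note the difference in scope between the two halves. The hunt returns four rare pairs, three of which are benign on this sample, which is exactly why a human is needed at that stage. The rule that comes out of the hunt fires on one event only, so it can run against every event the environment produces without drowning anyone in noise. A rule like this still needs periodic review as the environment changes; the hunt team moves on, but the detection engineers inherit the tuning.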
Driving Skills Sharing and Mentorship
So far, the benefits we’ve talked about accrue even if your hunts are done by individuals. However, working as a team cooperating on the same hunt has important benefits that are often overlooked. A well-constructed hunt team will have multiple individuals, each with their own particular set of skills and areas of expertise. Having a wide variety of expertise vastly expands the types of hunts the team will be capable of taking on, but the act of cooperating to carry them out has many practical benefits when it comes to professional development. Learning new skills by collaborating with teammates is a great way to spread the expertise of an individual around to the rest of the team. It also goes a long way towards keeping your team members motivated, sharp and at the top of their game.
Some organizations are beginning to recognize this, and to structure their hunt teams specifically to take maximum advantage of this impromptu mentorship. Rather than establishing “the hunt team” as a set of dedicated members who do nothing but hunt all the time, some companies supplement a small core of dedicated hunters with a rotating roster of analysts from other parts of the security team. This approach works especially well because it not only lets the team bring in subject matter experts relevant to the current hunt’s topic, but also carries some of the hunting expertise back out into the rest of the security team, where it can more easily work its way into the fabric of everyday operations.
I hope that by now I have convinced you that threat hunting is about much more than simply finding security incidents. In fact, identifying unknown adversary activity is actually the least important reason to establish a hunt team. The individual security incidents your team opens in the course of their work may be important, but they are ultimately short-term wins. The habit of turning successful hunts into automated detection improvements, and the flow of skills between hunters and between parts of the overall security team, both have the potential to produce lasting wins across your entire security program.