Organizations and managed service providers are coming to the realization that effective cybersecurity requires a more proactive approach, one that aims to head off cyberattacks before they pose a threat rather than just reacting after they occur. Today, the ability to protect your customers and deliver effective IT security solutions depends increasingly on both threat detection and threat hunting. That means going beyond stopping known threats to studying the tactics of cybercriminals in order to identify threats that have no precedent or that slip past existing detection.
For MSPs, the importance of incorporating threat hunting capabilities into your offerings is reflected in data from the SANS 2020 Threat Hunting Survey, which found that 65% of organizations are already doing some form of threat hunting and another 29% are planning to implement it in the next 12 months. Clearly, this is a capability companies believe they need and want from MSPs (or MSSPs).
But threat hunting and threat detection are often confused. To add some clarity, let’s review some key differences:
- Threat hunting is done proactively. Threat hunters don’t wait for a prevention alert or look for a known pattern. They search for clues to identify potential attacks before breaches occur, or at least before the attacker does damage with the attack. Threat detection stops known malicious binaries from running at all, but threat hunting is there to try to find the previously unidentified threats that might have gotten past other defenses.
- Threat hunting is based on using the intel we have about threat actors, such as their tactics, techniques, and procedures (TTPs), to formulate new hypotheses and suspicions that we can look for to proactively find ongoing attacks. Using intuition, deduction, and reasoning, the “hunt” is to follow clues and ideas to catch a missed attack, not to verify the known threats our detection systems have already identified. It’s a creative process with an adjustable methodology focused on hunting the attacker.
- Threat hunters are deeply experienced, highly trained, and specialize in analyzing attack patterns in data collected from network devices, cloud logs, identity servers, security appliances, and endpoints. They try to think the way a hacker thinks and put their experience to work to identify attacks based on anomalous patterns that match TTPs found in all that monitored data. They don’t just rely on the detection of known exploits, rules, or binaries. If you want a chance at finding new threats that may have evaded your security controls before the attacker completes their malicious task, threat hunters are irreplaceable.
- Unlike threat hunting, threat detection is usually automated (since it’s mostly oriented toward known threats). For example, next-generation firewalls or unified threat management (UTM) appliances can compare incoming network traffic against lists of known malware and strip dangerous files before they can do harm. Some newer detection technologies can more proactively prevent new threats using machine learning or behavioral analysis, but such controls are imperfect, which is why smart organizations still want threat hunters to catch the things their more automated defenses might miss.
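To make the distinction concrete, here is an added example (not code from the original post) that runs the same constructed process-creation events through a signature-style detector and through a hypothesis-driven hunt. The event records, the hash values and the blocklist are all constructed for illustration; the hunt hypothesis, that Office applications should not be spawning shells or script interpreters, is the kind of TTP-derived idea a hunter would test across collected endpoint data.

```python
# Added example, not part of the original post. The events, hashes and
# blocklist below are constructed sample data, not real indicators.

# Constructed endpoint telemetry: one record per process start.
EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "image": "outlook.exe",    "sha256": "aaa1"},
    {"host": "ws01", "parent": "outlook.exe",  "image": "winword.exe",    "sha256": "bbb2"},
    {"host": "ws01", "parent": "winword.exe",  "image": "powershell.exe", "sha256": "ccc3"},
    {"host": "ws02", "parent": "explorer.exe", "image": "dropper.exe",    "sha256": "bad0"},
    {"host": "ws03", "parent": "explorer.exe", "image": "winword.exe",    "sha256": "bbb2"},
    {"host": "ws03", "parent": "services.exe", "image": "svchost.exe",    "sha256": "ddd4"},
]

# Constructed blocklist standing in for a vendor's known-malware hash feed.
KNOWN_BAD_HASHES = {"bad0"}

# Hunt hypothesis drawn from TTP intelligence: Office apps should not spawn
# interpreters or shells. Neither process is malicious on its own, so no
# hash- or binary-based signature would fire on the pair.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def detect_known(events, blocklist):
    """Threat detection: automated match against known-bad artifacts."""
    return [e for e in events if e["sha256"] in blocklist]


def hunt_office_to_interpreter(events):
    """Threat hunting: test a behavioural hypothesis instead of a signature."""
    return [e for e in events
            if e["parent"] in OFFICE_APPS and e["image"] in INTERPRETERS]


def missed_by_detection(events, blocklist):
    """Events the hunt surfaces that the signature layer never flagged."""
    flagged = {e["sha256"] for e in detect_known(events, blocklist)}
    return [e for e in hunt_office_to_interpreter(events)
            if e["sha256"] not in flagged]


if __name__ == "__main__":
    print("detection flagged:", detect_known(EVENTS, KNOWN_BAD_HASHES))
    print("hunt surfaced:   ", hunt_office_to_interpreter(EVENTS))
    print("detection missed:", missed_by_detection(EVENTS, KNOWN_BAD_HASHES))
```

Each layer catches something the other does not: the blocklist flags the known dropper, while the hunt surfaces the Office-to-PowerShell chain whose hash appears on no list.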