Organizations and managed service providers are coming to the realization that effective cybersecurity requires a more proactive approach, one that aims to head off cyberattacks before they pose a threat rather than just reacting after they occur. Today, the ability to protect your customers and deliver effective IT security solutions is increasingly dependent on both threat detection and threat hunting. That means going beyond stopping known threats to studying the tactics of cybercriminals to identify threats that might not have a precedent or sneak past existing detection.
For MSPs, the importance of incorporating threat hunting capabilities into your offerings is reflected in data from the SANS 2020 Threat Hunting Survey, which found that 65% of organizations are already doing some form of threat hunting and another 29% are planning to implement it in the next 12 months. Clearly, this is a capability companies believe they need and want from MSPs (or MSSPs).
But threat hunting and threat detection are often confused. To add some clarity, let’s review some key differences:
- Threat hunting is done proactively. Threat hunters don’t wait for a prevention alert or look for a known pattern. They search for clues to identify potential attacks before breaches occur or at least before the attacker does damage with the attack. Threat detection will stop the known malicious binaries from running at all, but threat hunting is there to try and find the previously unidentified threats that might have gotten past other defenses.
- Threat hunting is based on using the intel we have about threat actors, such as their tactics, techniques, and procedures (TTPs), to formulate new hypotheses and suspicions that we can look for to proactively find ongoing attacks. Using intuition, deduction, and reasoning, the “”hunt”” is to follow clues and ideas to catch a missed attack, not to verify the known threats our detection systems have already identified. It’s a creative process with an adjustable methodology focused on hunting the attacker.
- Threat hunters are deeply experienced, highly trained, and specialize in analyzing attack patterns in data collected from network devices, cloud logs, identity servers, security appliances, and endpoints. They try to think the way a hacker thinks and put their experience to work to identify attacks based on anomalous patterns that match TTPs found in all that monitored data. They don’t just rely on the detection of known exploits, rules, or binaries. If you want a chance at finding new threats that may have evaded your security controls before the attacker completes their malicious task, threat hunters are irreplaceable.
- Unlike threat hunting, threat detection is usually automated (since it’s mostly oriented toward known threats). For example, next-generation firewalls or unified threat management (UTM) appliances can compare incoming network traffic against lists of known malware and strip dangerous files before they can do harm. There are some new detection technologies that can more proactively prevent new threats using machine learning or behavioral analysis, but nonpreventative control is imperfect, which is why smart organizations still desire threat hunters to catch the things their more automated defenses might miss.
How Threat Hunting Works
How might threat hunting work at a high level? Typically, it starts with some tool that aggregates some or all of the network, endpoint, and identity data mentioned above, such as a security information and event management (SIEM) solution or an endpoint detection and response (EDR) solution. Those tools aggregate many types of indicators a security professional might want to monitor when threat hunting. With a deep understanding of how hackers think and work, threat hunters create hypotheses (often called a playbook) in the tools that they can use to test against the real-world data coming from the network and endpoint security control devices they have reporting in.
For instance, if they see a particular known tactic at a network level, the playbook might look for a corresponding technique on an endpoint. If all those playbook factors become true, the tool informs the threat hunter, who can then use other direct tools to see if the playbook did indeed catch a budding attack. If that hypothesis or playbook turns out to be valid by repeatedly resulting in a discovered threat, it’s classified as a new detection technique. In many cases, this new technique might not always be able to predict an attack with 100% certainty but will at least provide a high enough degree of confidence that the human threat hunter should be alerted to come check.
These indicators of attack (IoA) are extremely useful for providing early warning to enable containment and, if necessary, remediation of breaches that have bypassed preventative controls, but may not have completely succeeded yet.
As the new normal of remote work has increased, the potential attack surface of many organizations (coupled with an epidemic of ransomware attacks) and the demand for more effective cybersecurity solutions has increased. For MSPs, threat hunting capabilities—especially ones available in EDR solutions—provide more visibility and control over the security of endpoints, laptops, servers, and workstations, enabling you to offer additional protection services to your customers.
If you already sell an EDR solution to your customers, it makes sense to consider pairing it with a managed detection and response (MDR) service, allowing your threat hunters to monitor it for customers. This not only provides a great additional (high-margin) service for customers but can also offer an affordable alternative to in-house threat hunting. Now more than ever, with an increasingly dangerous threat landscape, MSPs must be proactive in defending customer networks. Threat hunting can be an important part of that equation.
COREY NACHREINER is chief security officer at WatchGuard Technologies.
