When Hunting is the Right Choice for Your Security Team – and when it’s not

Blog Post created by ckirsch on Nov 19, 2015

The concept of hunting for threats is being hyped by media and vendors – creating a marketing smokescreen of confusion around what hunting is, how it works, and what value looks like when hunting is done effectively. Your security team’s ability to hunt is primarily affected by the maturity of your security program, your threat profile, and your resources.

Hunting is searching for malice on your network

The security lifecycle can be described in a number of ways; I think a good way of describing the cybersecurity framework is “PREVENT-DETECT-CORRECT.”


Hunting powers all three stages by digging through mountains of data to detect and identify irregularities, in an effort to inform more effective correction and prevention. If we were to define hunting:


“The act of using what you know about the network and what you know about attackers to identify anomalies indicating malice without any specific indicator or signature.”


We want to make bad actors work harder to get in (informing prevention), get caught quickly (better instrument detection), and make it expensive for them to find their way back into the organization (correct or instrument the soft spots in the business where attackers now risk getting caught and held accountable.)


Detecting known IOCs (indicators of compromise) isn’t really hunting

Many vendors claim they offer a hunting solution where what they’re actually doing is basic signature detection. Here’s an example: a vendor adds a newly published indicator of compromise, such as a file hash, from some random threat intelligence feed to a tool that searches for this indicator across the network.


The act of identifying when a new IOC hits is not hunting; it is an alert. As alert validation takes place, those indicators are tuned, and the signal-to-noise ratio tells the analyst whether the indicator is finding malice or whether they are wasting their time on a bad IOC.


Hunting allows an analyst to identify evidence of malicious activity without existing threat intelligence signatures. By gathering large amounts of specific metadata throughout a network, analysts can perform techniques such as frequency analysis to determine the rarity of an artifact. These techniques pay off for teams that are ready and able to apply them. For those that are not yet ready to hunt, we recommend partnering with experts to make this form of intelligence useful.
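To make the contrast between IOC alerting and hunting concrete, here is an added example (not code from the original post or from Rapid7) over constructed process-execution metadata from a five-host fleet: matching a hash feed fires nothing because the feed has never seen these binaries, while frequency analysis ("stacking") surfaces the artifacts that are rare across the fleet without any signature. Hostnames, paths and hash values are placeholders.

```python
from collections import defaultdict

# Constructed sample data (not from the post): process-execution metadata from
# five endpoints as (hostname, executable path, binary hash). Hash values are
# obvious placeholders, not real indicators.
FLEET = ("ws-01", "ws-02", "ws-03", "ws-04", "ws-05")
COMMON = [(h, r"C:\Windows\System32\svchost.exe", "placeholder-hash-A") for h in FLEET]
COMMON += [(h, r"C:\Windows\explorer.exe", "placeholder-hash-B") for h in FLEET]
PROCESS_RECORDS = COMMON + [
    # svchost.exe name reused from a user-writable temp directory on one host
    ("ws-04", r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe", "placeholder-hash-C"),
    # a legitimate admin tool that simply happens to be rare in this fleet
    ("ws-02", r"C:\Tools\procmon.exe", "placeholder-hash-D"),
]

# Constructed "threat intelligence feed" entry that matches nothing above.
IOC_FEED = {"placeholder-hash-Z"}


def match_iocs(records, bad_hashes):
    """Signature-style detection: an alert fires only when a known-bad hash
    appears. Anything the feed does not already know about stays invisible."""
    return [r for r in records if r[2] in bad_hashes]


def stack_by_prevalence(records, max_hosts=1):
    """Frequency analysis ('stacking'): count the distinct hosts on which each
    (path, hash) pair ran. Pairs present on at most max_hosts hosts are rare
    artifacts for an analyst to triage, no signature required. Rarity is a
    lead, not a verdict: procmon.exe in the sample is rare but benign."""
    hosts_per_artifact = defaultdict(set)
    for host, path, digest in records:
        hosts_per_artifact[(path, digest)].add(host)
    fleet_size = len({host for host, _, _ in records})
    rare = [
        {"path": path, "hash": digest, "hosts": sorted(hosts),
         "prevalence": len(hosts) / fleet_size}
        for (path, digest), hosts in hosts_per_artifact.items()
        if len(hosts) <= max_hosts
    ]
    return sorted(rare, key=lambda r: (r["prevalence"], r["path"]))


if __name__ == "__main__":
    print("IOC alerts:", match_iocs(PROCESS_RECORDS, IOC_FEED))  # nothing fires
    for hit in stack_by_prevalence(PROCESS_RECORDS):
        print(f"{hit['prevalence']:.0%} of fleet: {hit['path']} on {hit['hosts']}")
```

Raising max_hosts, or stacking on path alone rather than (path, hash), is the tuning step: the analyst decides what counts as rare for this fleet, which is the judgement a signature feed cannot supply.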


Stated simply, lots of alerts do not mean lots of value… it often means lots of time (and money) wasted.


Hunting is only part of threat prevention and detection

While this blog post is not a getting-started guide, there is a bit of “getting ready” to do before you start hunting.


We will assume you have all the minimum data sets ready for hunting to begin, flowing somewhere easily queried:

  • Network logs (firewall, proxy, VPN and other sources … WITH XFF-headers enabled)
  • Server logs (Windows, Linux/UNIX, big iron, etc – auth, event, security, configuration, etc)
  • Service logs (DNS, HTTP, SMTP, etc)
  • Security logs (network and application scanning, malware, file integrity, endpoint configuration, IDS/IDP, honey traps, tarpits, etc)


We will assume your program has all of the standard control sets in place: patching, hardening, scanning, vulnerability discovery, network segmentation, access control audits (including employee adds/removes/changes), strong authentication, and the rest.


Before pursuing commodity intelligence offerings, there are some strategic conversations to be had:

  • What are your key business challenges and concerns?
  • Where are the soft targets in your organization?
  • How will success be defined in your hunting program?
  • Do you have buy-in from business partners (IT server/endpoint/browser/line of business application/email/chat) teams confirming investigations and corrective guidance will be implemented?


For those doing this already, sorry for reinforcing the obvious. If these questions give you pause, we should probably talk.


Hiring experienced threat analysts for hunting is harder than you think

It’s extremely hard to hire quality threat analysts who are good hunters, and they come at a hefty price tag. Threat detection is growing faster than the market can supply specialists, because it typically takes years of training and hands-on threat detection and response work for an analyst to develop the experience required to sniff out unknown threats. Even if they can afford the expense, many companies won’t be able to offer analysts the environment and career path they are looking for. One way to get hunting expertise for your team without having to build a highly specialized team is to work with a security services provider that offers hunting as part of their threat analysis and incident response packages. Rapid7's Analytic Response Services are a great example of this type of service. You'll also get a cost advantage because the technology and staffing required to stand up a 24/7 SOC will be spread over many clients.


Hunting primarily makes sense for high value target organizations and security vendors


Because having an in-house hunting team is costly, it makes sense in specific situations:

  • High value target organizations seeing attacks that nobody has ever seen before
  • Mature security organizations that want to augment immature detection methods
  • Security monitoring vendors that are researching unknown attacks and adding them to their detection methods


At Rapid7, our team of highly skilled incident responders hunts both on our own internal network and those of the customers that hire us. This helps us augment gaps in existing monitoring tools and build new detection methods for Rapid7 UserInsight, our user behavior analytics solution.


Invest in security initiatives that fit your capabilities and resources

When you build out your security program, look for technology that is a good fit for your team’s resource constraints and skill level. I see a lot of technologies in the market that require highly mature security teams, which only exist in the largest enterprises and government agencies. Employing these in your organization will fail if your tools don’t match your maturity, resources, and skills. Our Program Assessment and Development Services can help assess where you are, build a road map of the steps that fit your threat profile and resources, and help you sell the plan to the executives and the board.


With Rapid7 UserInsight, we’ve focused on building a tool for companies that don’t have large-scale incident response teams but still need strong detection and investigation capabilities for stealthy attacks such as phishing, credential theft, and lateral movement. And once your team’s maturity grows, you can also use hunting techniques with UserInsight’s investigations feature. If you’re interested in learning more, check out the videos on the UserInsight page. Also related: what is user behavior analytics?