Information Security

Defending the digital infrastructure


Is threat hunting the next step for modern SOCs?

The emergence of threat hunting programs underscores the importance of the human factor in fighting the most dangerous and costly security threats.

Edgy, creative and confident.

These are the qualities of a good threat hunter, Deneen DeFiore, CISO of GE Aviation, has found as she develops the aircraft supplier's threat hunting program in Evendale, Ohio. "We're looking for someone who has the confidence to take a risk and prove out their hypothesis about a threat."

GE Aviation started its threat hunting program informally four years ago, around the time of the now-infamous Target breach. Five to seven threat hunters now work full time at GE Aviation, and most of the major business units at General Electric have about the same number of threat hunters working to actively identify threats and automate searches.

Just what is a threat hunter? They are people who search for the traces attackers leave behind in an IT environment, usually before any alerts of their activities are generated by security devices. The best threat hunters use threat intelligence, custom tools or threat hunting products -- Endgame, Infocyte, Sqrrl Data -- to identify threats and then automate searches for indicators of compromise on an ongoing basis.

"I used to think that only the best security operations center people could be threat hunters, but that's not always true," said Anton Chuvakin, a Gartner research vice president. "The best SOC analyst may be good at responding to alerts, but they don't always have the creativity that's needed."

Inside the mind of effective threat hunters

Gartner's Anton Chuvakin offered his take on the seven characteristics central to the practice of threat hunting.

  • Proactive vs. reactive. Threat hunters do not wait for an alert or another signal from a security tool, according to Chuvakin. Their job is to go and look for an intruder before any alerts are generated.
  • Focus on clues and hypotheses. These analysts follow clues and personal hunches, not conclusive alerts from tools and rule-based detections. Hunting outputs can later become automated rules.
  • Analyst-centric. Hunting is human analyst-centric, not tool-centric, according to Chuvakin. Threat hunters may use many different tools, but those tools play an auxiliary, supporting role in helping the defenders see hidden threats.
  • Assumption of breach. While it has become somewhat of a cliché, hunting does rely on the assumption that there was a breach and that the attackers left traces in the organization's IT environment.
  • Interactive and iterative. Hunting requires a process of following an initial lead or clue, but likely with many twists and turns, all in pursuit of that intruder evidence.
  • Ad hoc and creative methodology. Most experts agree that hunters do not follow the rules. Hunters follow a creative process and loose methodology focused on outsmarting a skilled human attacker.
  • Relies on advanced threat knowledge and deep knowledge of the organization's IT environment. Threat hunters need to possess all the qualities of the best SOC analysts, according to Chuvakin. Hunters employ internal knowledge to help the organization learn more about its IT environment and all the places where attackers can hide. --S.Z.

The joke around security circles is that there may only be 12 people in the world who can actually do threat hunting, acknowledged Chuvakin, who is working on a "threat hunting guide for non-elites," or companies outside of the 1%. "I think what you'll find is that the most mature threat hunting programs are at the leading banks and financial institutions, major defense contractors and at the top technology companies."

Threat hunters have the technical programming chops of the best SOC people, according to Holger Schulze, founder of the Information Security Community on LinkedIn, which has over 350,000 members. And while they have the ability to reverse engineer a security event, they also possess an elusive sixth sense, a creative spark that can help the organization stay one step ahead of the next major hacking threat.

Why SOCs don't have a threat hunting platform

The 2017 "Threat Hunting Report" by Crowd Research Partners, based on responses from 330 members of the LinkedIn Information Security Community, found only 14% of SOC employees are involved in threat hunting. Two-thirds of SOCs did not have a threat hunting platform, according to survey respondents, who ranged from security analysts to CISOs.

Levels of threat hunting

David Bianco, an incident detection and response specialist at Target -- who formerly worked as a threat hunter at GE -- said he spends a great deal of his time explaining to security managers that threat hunting isn't only for the top 1% of organizations.

[Photo: David Bianco, developer of the Hunting Maturity Model]

"People think that threat hunting is only for large companies, but that's just not the case," he said. "Companies can take what they have and build up a capability over time."

An advisor to Sqrrl, Bianco developed the Hunting Maturity Model, which rates an organization's threat hunting capabilities from level 0 to level 4.

At level 0, the organization has no threat hunting program; it mainly performs incident response. Level 1 organizations conduct basic searches for key indicators in data sets. Typically, level 1 organizations run searches on an ad hoc basis; there's no formal program.

Organizations that take the next step into level 2 incorporate published hunting procedures and techniques -- usually from the internet -- into their detection activities. Threat hunting in this stage uses data collection and is applied regularly. Level 3 organizations are at the point where they create new hunting procedures that can be followed and published. Level 4 organizations incorporate these new threat hunting procedures, automate successful hunts and use the results to improve automated detection systems, freeing up the threat hunters to pursue new hunts.
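The progression just described, from an ad hoc search to a hunt whose confirmed logic is automated into detection, can be illustrated in code. The following Python script is an added example, not code from the article, GE Aviation, Sqrrl or the Hunting Maturity Model; the authentication log lines, user names and host names in it are constructed, and the "new host, off hours" hypothesis is one the example assumes for illustration. It baselines which hosts each user normally logs in from, runs the hunt hypothesis over later events, and then wraps the confirmed hunt as a reusable rule, which is the level 4 step of feeding hunt results back into automated detection.

```python
"""Hypothesis-driven hunt promoted to a repeatable detection rule.

Added example; the log lines below are constructed, not real data.
Format per line: <ISO timestamp> <user> <source host> <outcome>
"""
from collections import defaultdict
from datetime import datetime

# Constructed authentication events. The first two days form the baseline;
# the later days contain two logins that match the hunt hypothesis.
SAMPLE_EVENTS = [
    "2017-05-01T09:02:11 alice ws-alice-01 success",
    "2017-05-01T09:05:40 bob ws-bob-07 success",
    "2017-05-02T08:58:03 alice ws-alice-01 success",
    "2017-05-02T09:10:22 bob ws-bob-07 success",
    "2017-05-03T09:01:15 alice ws-alice-01 success",
    "2017-05-03T02:14:09 alice jump-03 success",     # unseen host, 02:14
    "2017-05-03T23:47:51 bob ws-bob-07 failure",     # failures are ignored
    "2017-05-04T03:05:30 bob build-11 success",      # unseen host, 03:05
    "2017-05-04T09:00:00 carol ws-carol-02 success",  # unseen host, but in work hours
]


def parse_event(line):
    """Turn one constructed log line into a dict with a datetime timestamp."""
    ts, user, host, outcome = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "host": host, "outcome": outcome}


def baseline_hosts(events, cutoff):
    """Hosts each user successfully authenticated from before `cutoff`."""
    seen = defaultdict(set)
    for e in events:
        if e["ts"] < cutoff and e["outcome"] == "success":
            seen[e["user"]].add(e["host"])
    return seen


def hunt_new_host_logins(events, cutoff, work_hours=(7, 19)):
    """Hunt hypothesis (assumed for this example): a stolen credential shows
    up as a successful login from a host the user never used before, outside
    the user's normal working hours. Returns (user, host, timestamp) hits."""
    known = baseline_hosts(events, cutoff)
    hits = []
    for e in events:
        if e["ts"] < cutoff or e["outcome"] != "success":
            continue
        off_hours = not (work_hours[0] <= e["ts"].hour < work_hours[1])
        if e["host"] not in known[e["user"]] and off_hours:
            hits.append((e["user"], e["host"], e["ts"].isoformat()))
    return hits


def promote_to_rule(name, hunt_fn, **params):
    """Wrap a hunt that proved useful as a named, parameterised rule so it
    can run on a schedule against new data (the automation step)."""
    def rule(events):
        return {"rule": name, "matches": hunt_fn(events, **params)}
    rule.__name__ = name
    return rule


def run_hunt():
    """Run the interactive hunt once over the sample data."""
    events = [parse_event(line) for line in SAMPLE_EVENTS]
    return hunt_new_host_logins(events, cutoff=datetime(2017, 5, 3))


def run_promoted_rule():
    """Run the same logic after it has been promoted to a detection rule."""
    events = [parse_event(line) for line in SAMPLE_EVENTS]
    rule = promote_to_rule("new_host_off_hours_login", hunt_new_host_logins,
                           cutoff=datetime(2017, 5, 3), work_hours=(7, 19))
    return rule(events)


if __name__ == "__main__":
    for user, host, when in run_hunt():
        print(f"hunt hit: {user} from {host} at {when}")
    print(run_promoted_rule()["rule"], "->", len(run_promoted_rule()["matches"]), "matches")
```

Note that carol's login from an unseen host is not flagged because it falls inside work hours: a hunt hypothesis combines conditions to cut noise, and the analyst's judgement about which conditions matter is exactly what gets captured when the hunt is promoted to a rule.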

"I'm not saying that every organization needs to be at level 4. In fact, there may not be a need for that kind of capability," Bianco said. "What I explain to people is to use the model to determine where they fit in and what makes sense for their organization. The vast majority of organizations would be fine with being at level 2."

[Photo: Deneen DeFiore, CISO at GE Aviation]

GE Aviation's DeFiore, who worked closely with Bianco, noted that her group operates somewhere between level 3 and level 4. GE Aviation has developed custom code that uses the analytics capabilities of GE Predix to run automated threat hunts.

"What I would say to organizations looking to get into threat hunting is that their threat intelligence has to be rock-solid," DeFiore said. "Our threat hunting team collaborates with many other analysts, including the aviation ISAC [Information Sharing and Analysis Center]."

The need for hunters

Skeptics may pass threat hunting off as the latest fad, but there's clearly a need for a return to relying more on human intuition.

Crowd Research Partners found that 44% of all security threats go undetected by automated security tools. On top of that, 82% of respondents said that their organization faced more security threats, with 45% indicating that the threats had tripled in the past year.

"Given the threat, we have to evolve; we can't be complacent," GE Aviation's DeFiore said. "And that means we have to invest in people."

"The reality is that if you look at the average corporation, many of them even fail to do security basics, such as encrypting databases," Schulze said. "But overall, companies are now recognizing the limitations of automation, that there needs to be a sophisticated cybersecurity expert on staff who looks at the bread crumbs that attackers leave behind."


Above all, threat hunters make organizations more proactive. Instead of merely conducting incident response and detection, the best threat hunters know as much as the hackers, Chuvakin asserted. "These are people who can guess the hackers' next move."

If a single breach can cost up to $1 million, saving just one breach a year could pay for a $1 million investment in threat hunting. The costs would include personnel, tools and any required training and consulting.

As GE Aviation's DeFiore said, companies can't be complacent anymore. Organizations must become more proactive, and threat hunting can get them to change their culture. The real problem, of course, is where to find hunters. Companies that can't find qualified hunters may find that investing in training is the way to go.

Article 3 of 5


This was last published in May 2017
