The threat hunting process is missing the human element

The rise of the threat hunter role is butting up against the skills shortage. As more companies start to adopt security automation, the threat hunting process steps outside of the box by requiring a highly trained human element.

While tier-1 and tier-2 analysts rely on alerts from systems and some combination of manual and automated workflow to escalate and respond to security events, the threat hunting process hinges on an expert's ability to create hypotheses and to hunt for patterns and indicators of compromise in data-driven networks. Usually, that means tier-3 security analysts with the experience and creativity to proactively discover tactics, techniques and procedures employed by advanced threats.

Threat analyst activities require awareness of attackers' TTPs, understanding of threat intelligence and data analysis, knowledge of forensics and network security, and plenty of time to carry out these tasks. With tier-3 analysts in short supply, who is going to fill these roles?

The skills dilemma may depend on how organizations structure their security operations centers.

"We call it threat hunting now," quipped Kristy Westphal, vice president of the computer security incident response team at Union Bank, during a well-attended talk on threat hunting at the 2018 (ISC)² Security Congress in October. "It's been around for a long time; it is called reading logs."

The goal of many hunting programs is to find security holes that machine learning or automated systems failed to detect and improve the advanced threat capabilities of those systems.

CISOs need to figure out what they want to accomplish with their threat hunting program, whether it's validating controls, finding things that controls miss, keeping analysts happy or tuning their automated systems.

"You can't do them all," Westphal said. "Once you start hunting, it is a big time-suck."

Threat hunting tools and services can sometimes help organizations accelerate their threat hunting process. This is especially true for some widely used frameworks. However, successful threat hunting programs require people who understand your network, "not threat hunting tools per se," Westphal said.

The threat hunting process should be a regular part of operations, not just a "side gig," even if security operations center (SOC) analysts spend only 20% of their time on these activities per week. One benefit, according to Westphal and other experts: SOC analysts who used to stare at a single pane of glass all day may become more engaged in their current jobs and less likely to leave the security team for work at another organization.