Outsmarting attackers: the role of threat hunting in MDR

Content Copyright © 2020 Bloor. All Rights Reserved.
Also posted on: Bloor blogs

The ability to infiltrate networks and remain undetected is a key capability for attackers so that they can lie in wait and potentially gain access to more valuable information over time. Even the most advanced, innovative security controls can be bypassed by determined hackers. Threat hunting came into existence some ten years ago, driven by the need to improve detection capabilities by identifying gaps that existing controls cannot, and plugging them before they can be exploited. It goes beyond threat detection alone to proactively try to identify threats at the earliest possible stage of an attack or compromise.

Threat hunting is now included as a service offered by many MDR providers. It requires a mix of human expertise and automation, combining the use of machine learning and behavioural analysis that are often included in endpoint detection and response (EDR) and user and entity behaviour analytics (UEBA), with telemetry from a range of other sources to find indicators of compromise and to understand the tactics, techniques and procedures used by attackers. This is generally done in combination with the use of threat intelligence gleaned from internal network and external sources, which is invaluable in helping security teams to hypothesise where attackers may be found.

But automation alone is not enough. According to F-Secure, whilst some security challenges can be solved by data analytics alone, threat hunting is not one of them. Rather, threat hunters must be trained to think offensively, creating hypotheses on the basis of security alerts, risk assessments, penetration tests and external intelligence. They will then test those hypotheses through investigation and offensive activities, including simulating attacks according to type to determine how a potential attack might happen. Artificial intelligence, especially in the form of machine learning, is not capable of thinking creatively at the expert level required to defeat attacks. Humans will take the analysis presented through automation techniques to uncover relationships in data sets, rooting out nefarious data that might otherwise go undetected.

By using threat hunting automation and services, organisations have a much better chance of detecting threats early, enabling them to limit the resulting damage. According to the SANS Institute, 61% of organisations report a measurable improvement in their overall security posture of at least 11% through threat hunting, with 12% reporting an improvement of more than 50%. The areas of greatest improvement were more robust threat detection capabilities, a reduced attack exposure and fewer false positives from alerts. Some of the areas where the greatest improvements are being seen are shown in Figure 1.

[Figure 1: MDR graphic]

According to IBM Security, threat hunting will enable a real-time response to threats that hunters can discover by combining analysis of data streams with threat intelligence. In addition, the machine learning aspect will ensure that newly discovered threat indicators are automatically added to attack watch lists to aid future protection, detection and response efforts, as many attacks use patterns similar to those previously observed. It states that seamless integration with third-party applications, a variety of data sources from security controls and external data sources will help to distribute threat intelligence throughout the organisation, helping to improve its overall security capabilities.

Threat hunting is not a one-off exercise performed at a particular point in time, but should rather be used as a regular part of the arsenal available to security teams as attackers are constantly evolving their attack techniques to find those that are the most effective. MDR providers are ideally placed to aid in this, acting as an extension of in-house security teams through the provision of focused expertise.

Take a look at some of Fran’s previous MDR blogs in this series below: