This article is my response to two excellent blog posts by the Crowdstrike Overwatch team making the case against part-time threat hunting. In this article, I make a case for part-time threat hunting in certain circumstances and discuss one of many strategies to compensate for the disadvantages of only a part-time program. I may disagree with some of the article’s conclusions, which is why I play devil’s advocate; however, both articles are worth sharing and reading today.
These blog posts contain valuable insight from an organization with proven capability to threat hunt effectively. The Falcon Overwatch team speaks from a great deal of experience. While I may not agree with the conclusion, nor even the claims made in the titles of the blog posts, I believe they both are excellent reads that highlight the importance of a proactive search for threats that may have bypassed your detection and prevention as well as provide some success samples of how that creative and curious process can look.
I currently remain unconvinced that part-time threat hunting is ineffective. I have witnessed part-time threat hunting detect offensive activity in a way that provided unique detection value when contrasted to what traditional SOC (Security Operations Center) triage offered for that group. As with most things in Cybersecurity, there are many “it depends” here.
The Prioritization of Limited Resources
I appreciate the author’s point on the significance of the velocity of modern attacks post-initial compromise. I also understand the unique value of a 24/7/365 hunting program. I can also get behind the general idea that “good-enough” security can be a dangerous downfall. But at the end of the day, organizations are limited in resources — some more than others.
Many organizations that do not have the resources to invest in analysts to perform full-time threat hunting are often the organizations that may also benefit from spending analyst hours elsewhere. For some organizations, increasing the volume of triaged events that a SOC handles may yield a more significant increase in a security program’s True Detection Rate than throwing an individual at the task of threat hunting for a few hours a week. But even then, there will be exceptions.
A Case Made for External Threat Hunting Services
I deeply appreciate and recognize the value of Crowdstrikes Overwatch threat hunting services. Depending on the vendor, a 24/7/365 threat hunting service can be an excellent investment for many organizations. It can uniquely complement the existing skillsets, knowledge, capabilities, and efforts of an organization's security team. The benefit of having a capable team hunting on your environment driven by the intelligence of a security search company powered by the telemetry of millions of devices, many of which are frequently attacked more often than your own is hard to replace with an analyst running queries in your SIEM to look for unidentified threats for a few hours a week.
However, when threat hunting is driven by threat intelligence and supported by enabling analytic tooling, periodic internal threat hunting can still be a very worthwhile endeavor.
Strategies to Compensate for the Disadvantages of Not Being a World-Class Security Threat Intelligence and MSSP
Perhaps an approach that compensates for the more limited effectiveness, and generally speaking maturity, of a part-time threat hunting operation would be one in which hypotheses are formed and pursued based on actionable intelligence relating to the threats you believe may likely have both targeted your organization and bypassed your existing security controls.
Crowdstrike Overwatch is correct. Part-time threat hunters likely do not enjoy the amount of time necessary for the creative and curiosity-driven shotgun approach of pontificating possible compromise scenarios, playing them out to discover the generated telemetry to key in on to render a compromise verdict for the current hunt hypothesis. Instead, a more precision-oriented tool is required. Efforts must be invested upfront to scope the type of hunts that will likely be applicable and add value.
To do this requires both an ear to the ground in infosec news / threat intelligence and knowledge of your own organization, including what you are protecting and what you are using to protect it.
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” Sun Tzu
Know Yourself: Focus on your weak points. Strive to make no duplicate effort in the detection coverage of your SOC. It does us no good to uncover a partially successful attack that the SOC has already triaged and remediated. Do consider if there are aspects of the attack that were not automatically presented to your SOC. Perhaps you will identify new threat hunting or SOC alerting opportunities.
Know Your Enemy: This is where solid, actionable, fresh threat intelligence regarding adversary tools, techniques, and generated telemetry comes into play. Adversaries frequently attempt to use temporary or compromise infrastructure, generate new binaries for new targets, and can even leverage the same automation we use to reduce the life span and usefulness of intelligence gathered from one attack in the defense against future attacks.
Intel may age quickly these days. But actionable information about initial compromise methods, utilized remote code execution or local privilege escalation vulnerabilities, and details about persistence accomplishment methods are all examples of hard-to-change adversary behaviors that we can learn about, identify detection techniques, design detection methods for, and then look for.
Consider Threat Intelligence-Driven Threat Hunts (What a Mouthful)
For those looking for examples of high-profile and actionable intelligence authored to support a robust and “adversary-ephemerality” resistant approach to detection, I will provide some examples I have created in the past designed to help both the veteran and those new to the threat hunting practice and discipline.
The QakBot Hunting Series, Log4Shell Hunting, and the Sunburst Hunting resources all contain additional explanations, information, pictures, and examples to aid those new to the exercise of threat hunting.
I intend to continue contributing, along with the efforts of many others, to share additional fresh, actionable, and detailed threat hunt guides on future threats as they emerge.
It Takes a Village
Keeping an ear to the ground can be tricky. It can be dangerously easy to slip into the habit of endlessly perusing Reddit and Bleeping Computers for actionable news about Infosec events. Efforts that may infrequently produce unique value-adding threat hunts.
Note: This is not to say that valuable Threat Intelligence isn’t frequently shared on Reddit and Bleeping Computer and is only a comment on the ratio of actionable Hunt-generating information to Hunt-generating information. I simply comment on the importance of selecting “low noise” resources for fueling threat hunts concerning data sources. I have found actionable information in myriad unexpected places such as Twitter, Reddit, personal blogs, etc. However, a network of partners unified by a mission of sharing actionable intelligence will produce more valuable Hunt-generating Threat Intelligence notices and require less effort to consume than general infosec/tech resources.
Perhaps a key ingredient to effective part-time threat hunting is a data-driven method of developing likely applicable hypotheses. There are multiple methods for doing this. Some that I hope to write about in the future. However, today I offer threat intelligence-driven hypothesis for consideration.
Not just any threat intelligence source, indeed not a simple threat data Feed, can produce the high efficacy hunts a part-time Threat Hunter ought to pursue. Multiple ISACs (Information Sharing and Analysis Centers), which are sector-specific, and ISAOs (Information Sharing and Analysis Organizations), which share effective practices, exist and promote such sharing efforts. Private vendors make notable contributions as well. Cybersecurity and Infrastructure Security Agency, FBI, and other government organizations will share information that is both severe enough, fresh enough, and detailed enough to generate and support a practice hunt on gathered telemetry to uncover previously unidentified intrusion attempts.
I have personally benefited from and contributed to the collaborative information-sharing efforts led by the Arizona Cyber Threat Response Alliance, a private/public organization of members unified by the purpose of sharing information about the successfully evasive, novel, or noteworthy attacks they receive in the hope that it could improve the chances of disrupting or preventing an otherwise successful attack against another member.
A Final Thought for Threat Intelligence Content Creators
Adequate and actionable threat intelligence is challenging to acquire, evaluate, and consume to turn into mature threat hunts that can translate into real detection opportunities. This is in significant part due to the common adversary effort to keep any of their breadcrumb-born threat intelligence about the adversary, their tools, or techniques with an ephemeral nature and short expiration date. Arguably, it doesn’t help that we in threat intelligence often focus on sharing the most ephemeral and temporarily useful information in the practice of threat intelligence.
It isn’t hard to see why. It is much easier to share a list of our common traditional IoCs that a recipient can block or detect with a quick .CSV upload. Much more difficult would be providing unique, non-traditional IoC-dependent, much more resilient complex process or network searches, new Yara and Snort/Suricata rules, or some other complex criteria that require time and advanced capability on the recipient end.
A Final Thought for Organizations Considering Threat Hunting
I highly encourage organizations considering growing their capabilities in 2023 to include some semblance of threat hunting operations to pursue that goal, even if allocating a full-time analyst isn’t right for you. Perhaps your own part-time threat hunting efforts may not have the degree of experimentalness to discover and attribute new targeted intrusion adversaries, the likes of which Crowdstrike notes in their blog before the Cyber Security organizations with significant R&D and Analyst hours do; however, if you invest in surgical and precise threat hunts with hypothesis developed from emerging and actionable threat intelligence regarding evasive and novel adversaries, tools, or tactics, then the practice of threat hunting may be the last detection opportunity you have proceeding an adversaries “Action on Objective.”
But that is just this guy’s opinion. As always, my opinions are my own. Interested to see how our industry's view of Threat Hunting and how we enable people to do it evolves. Happy New Year, everyone! Cheers — with coffee.