Threat hunting: how organisations can go looking for new attacks

Detection and response solutions work well to a point, but many in cyber security believe organisations need to be more proactive. We speak to Talos security lead Martin Lee about the rising practice of threat hunting and whether it's something organisations should be pursuing.

In the past, IT security practices have largely revolved around detection and response. Security teams monitor enterprise networks and investigate automated alerts generated by a range of tooling, such as Security Information and Event Management (SIEM) systems, using their expertise to identify and escalate issues and to apply mitigations where needed. The enterprise security market is vast, with thousands of vendors providing differing tools and services, but at their core many of these rest on the same principle: applying a working knowledge of the threat landscape to respond to issues as they occur.

Increasingly, though, attacks are becoming more complicated and threat actors more evasive. There is no doubt that a well-reasoned approach to tooling, together with a mature security profile and culture, remains the most important mitigator of most attacks; however, some actors can still squeeze through the perimeter and cause real damage. In a recent Nominet survey of 300 CISOs, only 34% said they were "somewhat or slightly confident" in their organisation's choice of security solutions, while only 17% indicated that the "array of technology making up their stack" was completely effective.

That has led many to investigate a more proactive approach, and one of the latest trends in proactive cyber security is threat hunting. Threat hunting describes the process of actively scouring enterprise networks and data for evidence of abnormal or illicit behaviour left behind by attackers. As Gartner describes it, organisations that employ threat hunting use an analyst-centric approach to uncover hidden threats that slip past automated prevention and detection controls. It is a very human-centric approach, requiring a team of highly skilled IT security professionals (threat hunters) who have in-depth knowledge of systems, security and data analysis and bring a distinct sense of creativity to their work.

Threat hunting is generally about uncovering threats before they cause damage or raise alerts. It is therefore an investigative effort, with researchers following their nose based on previous experience and expertise. Discoveries made by threat hunters can lead to serious damage mitigation, and the techniques they develop are often turned into automated, rule-based detections designed to weed out further instances of the threats they uncover. However, threat hunting can be quite difficult for organisations to employ, and it certainly isn't for everyone.

To find out more about this increasingly popular practice, we spoke to Martin Lee, security lead at Talos, who has been involved in the security industry for 16 years. Lee leads a team of threat hunters tasked with identifying the most significant, novel threats that have the potential to cause organisations real damage. Talos holds an interesting position within the threat hunting sphere, as the organisation does not directly operate under a commercial model. Rather, Talos supports the Cisco security portfolio with a threat hunting capability that allows the networking giant to stay abreast of the varying methods that threat actors are coming up with.

In partnering with Cisco, Talos can mine and search the vast amount of telemetry that the networking giant has available to identify what is different or significant, allowing it to actively discover new threats. We spoke to Lee about how his team actually goes on the hunt for new threats and what factors to consider when assessing whether an organisation should add a threat hunting capability to its security posture. He says that threat hunting, for the more experienced cyber researchers, is really about identifying ‘where the sport is’, with his team working to uncover only the most highly sophisticated attacks that modern-day tooling can't take down on its own.

How does modern day threat hunting actually work and what does the process involve?
