A 2017 report by research firm Markets and Markets predicts the global market for cybersecurity will reach nearly $232 billion by 2022. Most of the products accounting for this projection are already widely adopted. They range from firewalls and antivirus software to unified threat management systems and disaster recovery solutions. With nearly a quarter-trillion dollars flowing into the industry, one has to wonder why every year, without fail, there continue to be major breaches. More troubling, size (and presumably security budget) seems to have no bearing on an organization's ability to protect itself from hackers, cybercriminals, and other cyber adversaries. All signs point to some core problems with current approaches to cybersecurity. It is time to declare a new age in cybersecurity: the age of threat hunting.
Threat hunting can be defined as the proactive defense of proprietary networks by a human operator trained to identify, track, and eliminate threats. For many, this is a familiar concept – even more so for those who have served in the defense and intelligence communities over the past decade. In 2009, the United States Air Force deployed its Cyberspace Vulnerability Assessment/Hunter (CVA/H) system. According to the Air Force Fact Sheet (last updated July 2018), the CVA/H “executes vulnerability, compliance, defense and non-technical assessments, best practice reviews, penetration testing and Hunter missions on Air Force and Department of Defense networks and systems.” The fact sheet goes on to specify “Hunter operations characterize and then eliminate threats for the purpose of mission assurance.” The critical philosophical point inherent to threat hunting is that at either end of a cyberattack is a human being. Only a human defender can think like – and hope to out-think – a human adversary.
Within the past five years, threat hunting has reached commercial markets. Competition remains limited, but the field is poised for growth. Technology research firm Gartner has even included threat hunting in its 2018 market guide for managed detection and response services as a key vendor feature. The proliferation of threat hunting, as both a practice and a product, will have far-reaching and positive implications for national security. But to move forward, it bears noting where organizations stand today and why existing approaches fall short.
For decades, organizations have generally followed two major paths to ensuring cybersecurity: The first is the purchase of various security hardware and software. The second is complying with predefined standards. Each is a crucial piece of the cybersecurity puzzle, but each has significant disadvantages, or at least leaves gaps that threat hunting can fill.
First, a brief overview of the problems associated with layering technologies for security. Such technologies can include firewalls, antivirus and antimalware software, security information and event management (SIEM) systems, intrusion detection systems, intrusion prevention systems, endpoint monitoring – the list goes on and on. The problem lies in the predictability of these systems and in the hidden complexity that accumulates as technology stacks on top of technology.
Take antivirus software, one of the first items on that list. For many organizations it is a vital first step in the right direction. However, antivirus programs largely operate on a dictionary of signatures for known attacks and previously identified malicious code. Code the vendor has not yet seen, whether custom-written or a lightly modified variant of a known sample, will not be stopped by that dictionary. More insidiously, sophisticated attackers will go further: they identify all manner of defensive technologies in place and, knowing how they function, change tactics to circumvent even those systems that are not based on dictionaries and playbooks. Technology also brings with it a tendency to think security can be fully automated.
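To make the gap concrete, the following is an added example (not code from the article or from any product it mentions) that contrasts the two approaches over a small, constructed set of process-creation events. A hash-based "dictionary" catches a known sample but misses a variant that differs by a single appended byte, while two hunting techniques a human analyst would apply, parent/child process stacking (looking for process relationships that appear on only one host in a fleet) and a hypothesis that Office applications should not be launching executables, surface the variant without knowing anything about its contents. All host names, process names, and payload bytes are invented for illustration; no real malware is involved.

```python
"""Signature matching versus behaviour-based hunting over process-creation telemetry.

Everything below is constructed sample data: the "payloads" are short byte strings
standing in for file contents, and the hosts/process names are hypothetical.
"""
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str       # endpoint that reported the event
    parent: str     # parent process image name
    image: str      # executed process image name
    cmdline: str    # command line as recorded by the sensor
    payload: bytes  # contents of the executed file (constructed stand-in)


# Constructed stand-ins for file contents. Neither is real malware.
KNOWN_SAMPLE = b"MZ\x90\x00constructed-loader-v1"
VARIANT = KNOWN_SAMPLE + b"\x00"  # one appended byte: same behaviour, different hash


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The antivirus "dictionary": hashes of samples the vendor has already seen.
SIGNATURES = {sha256(KNOWN_SAMPLE)}


def build_events() -> list:
    """Constructed telemetry: 20 workstations with identical benign activity,
    plus one host running the known sample and one running the variant."""
    events = []
    for i in range(1, 21):
        host = f"ws-{i:02d}"
        events += [
            ProcEvent(host, "services.exe", "svchost.exe", "svchost.exe -k netsvcs", b"svchost"),
            ProcEvent(host, "explorer.exe", "outlook.exe", "outlook.exe", b"outlook"),
            ProcEvent(host, "explorer.exe", "winword.exe", "winword.exe report.docx", b"winword"),
        ]
    # Known sample, double-clicked by a user: the signature will match.
    events.append(ProcEvent("ws-03", "explorer.exe", "update.exe", "update.exe /silent", KNOWN_SAMPLE))
    # Variant dropped and launched by a Word macro: the signature will not match.
    events.append(ProcEvent("ws-07", "winword.exe", "update.exe", "update.exe /silent", VARIANT))
    return events


def signature_hits(events) -> list:
    """Antivirus-style check: flag hosts whose executed file hash is in the dictionary."""
    return sorted(e.host for e in events if sha256(e.payload) in SIGNATURES)


def stack_parent_child(events) -> dict:
    """Stacking: for each (parent, child) pair, the set of hosts on which it was seen."""
    hosts_by_pair = defaultdict(set)
    for e in events:
        hosts_by_pair[(e.parent, e.image)].add(e.host)
    return hosts_by_pair


def rare_pairs(events, max_hosts: int = 1) -> list:
    """Hunt 1: parent/child pairs seen on at most `max_hosts` distinct hosts.
    Behaviour common to the fleet is assumed benign; outliers get a human's attention."""
    return sorted(
        (pair, sorted(hosts))
        for pair, hosts in stack_parent_child(events).items()
        if len(hosts) <= max_hosts
    )


# Hypothesis-driven hunt: document-handling applications should not spawn executables.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def office_spawned_executables(events) -> list:
    """Hunt 2: hosts where an Office application is the parent of a new process."""
    return sorted(e.host for e in events if e.parent in OFFICE_APPS)


if __name__ == "__main__":
    evts = build_events()
    print("signature hits:       ", signature_hits(evts))          # ['ws-03'] only
    print("rare parent/child:    ", rare_pairs(evts))              # both ws-03 and ws-07
    print("office spawned exe:   ", office_spawned_executables(evts))  # ['ws-07']
```

The signature check and the two hunts overlap on the known sample but only the hunts reach the variant, which is the point of the paragraph above: a dictionary answers "have I seen this file before?", whereas a hunter asks "is this behaviour normal for my environment?". The stacking threshold (`max_hosts`) and the list of document-handling applications are tuning choices that a real analyst would adjust to the fleet; both are assumptions of this example.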
Compliance is an understandable means of pursuing security assurance. After all, in many cases, protecting information systems and the data therein is a matter of legality. But beyond legal requirements, there is a long list of industry best practices, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Popular frameworks can help security managers audit and evaluate their current security posture and provide guidance for reducing vulnerabilities. The risk is that a chief information security officer (CISO) can be lulled into thinking he or she has effectively protected an organization simply by checking a series of boxes or being compliant with regulations.
But just as adhering to regulations and frameworks can make easy work for the CISO, so too can it make life easier for hackers, cybercriminals, and nation-state adversaries. For them, regulations can serve as a playbook for what an organization is likely to do, how they will approach cybersecurity and, most importantly, what they are likely to overlook. Just as government officials use intelligence to understand adversary tactics, techniques, and procedures, so too will adversaries use intelligence like published auditing procedures to understand target systems and plan attacks.
There are some disconcerting similarities between the technology layering approach and the compliance-based approach to cybersecurity. Namely, both can create what are deemed “static” security environments. In other words, organizations become predictable. They use such-and-such firewall running such-and-such software and implement the NIST Framework. These known variables make attacks much easier to execute.
It should probably be a requirement that anyone discussing security measures include a ‘not a silver bullet’ disclaimer. Threat hunting is not without its own challenges. For one, the skill set required of a hunter crosses many fields. Effective threat hunting requires a combination of computer science, coding know-how, intelligence analysis, and creative problem solving. Of those four qualities, the last one is the toughest to identify. However, the commercialization of the industry is producing more and better training, more and better solutions and services, and more personnel who are experienced and ready to hunt.
In closing, it is important to once again emphasize that the call for focus on threat hunting is not meant to be to the detriment of other cybersecurity measures such as acquiring security technologies, automating services, and adherence to best practices. Instead, security managers can look to threat hunting as a new tool to implement in their overall cybersecurity strategy. The dawn of a new age in cybersecurity does not mean throwing out the collective knowledge and effort of 30-plus years of working to prevent attacks. It means supplementing that knowledge with advanced technologies such as AI, welcoming a new set of practices, taking a proactive approach, and remembering that, ultimately, cybersecurity is a very human endeavor.
The views expressed here are the writer’s and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland.