By Ryan Berg, Fellow Data Science Engineer, Alert Logic

With cybercrime on the rise and inflicting record damages on companies, we tend to focus on the obvious reasons. Threats are growing in number and frequency. Attacks are more sophisticated, unfolding in multiple, incremental steps, often over months. Security teams are understaffed and overwhelmed.

But the truth is that the growing complexity of environments is outpacing all these factors. Organizational control of the network has been lost. There is no perimeter anymore.
Threat intelligence and threat hunting are essential to defending this borderless environment. Organizations need to know what and where all of their assets are, who needs to access them, and how these factors leave their security vulnerable. Today's businesses have to understand which threats are evolving in a broader context, and be able to apply that knowledge to their unique environment.

Unfortunately, there is a lot of confusion around threat intelligence and threat hunting. While the two often get conflated, they are distinct and complementary techniques that together play a critical role in MDR outcomes.
What is Threat Intelligence?

Threat intelligence refers to the use of continuous research to gather raw data on emerging or existing threats and threat actors. As data is compiled, machine learning is often applied to help "color" the data and isolate hidden patterns of activity. These patterns can then be further contextualized by a threat analyst to ensure constant visibility into attack techniques, attack trends, and vulnerabilities that are applicable to a specific organizational environment. The ultimate intent of threat intelligence is to provide relevant information organizations can use to proactively defend their environment.
What distinguishes threat intelligence is that its focus is on the techniques of the attacker, not the security of the victim. In an active attack, threat intelligence allows the organization to understand the progress and impact of the attack and helps it tailor the most appropriate and effective response. After an attack, threat intelligence enables a deeper understanding of what happened and helps the organization determine what additional security protections or remediations it should deploy to provide greater upfront protection.
What is Threat Hunting?

Threat hunting refers to the more targeted practice of looking for threats and bad actors in a specific organization's environment. It takes the macro picture threat intelligence provides and applies it at the micro level of a particular business, looking for events that can be correlated to indicate both active and passive threats unique to that organization's environment.
Threat hunters are highly skilled analysts who start from the assumption that an organization's environment is already compromised. The threat hunter's process begins with forming a hypothesis and then looking for evidence of malicious activity in logs, network traffic, and systems to verify it, so that the threat is found before it ever triggers an automated detection.
Threat hunting takes threat intelligence and switches the focus from the attacker to the potential victim. It asks what is happening to a specific organization and is based on a contextual understanding of the relationship between the organization's environment and the threat landscape.
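The hypothesis-driven hunt described above, as an added illustration that is not code from the article or from Alert Logic: the hunter starts from a hypothesis (here, assumed for the example, that a compromised account will reach several distinct hosts from one source in a short window, a fan-out that a per-host threshold alert would not flag) and correlates constructed authentication log lines to find evidence for it. The log format, the five-minute window and the three-host threshold are all assumptions for the example.

```python
"""Hypothesis-driven hunt over constructed authentication logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; the format is assumed for this example:
# "<ISO timestamp> <user> <source ip> <target host> <result>"
SAMPLE_LOGS = """\
2024-03-01T09:00:05 alice 10.1.1.20 fileserver01 success
2024-03-01T09:03:10 alice 10.1.1.20 fileserver01 success
2024-03-01T22:14:01 bob 10.1.1.77 workstation12 success
2024-03-01T22:14:30 bob 10.1.1.77 fileserver01 success
2024-03-01T22:15:02 bob 10.1.1.77 dbserver03 success
2024-03-01T22:15:40 bob 10.1.1.77 backup02 success
2024-03-01T22:16:11 bob 10.1.1.77 dc01 failure
2024-03-02T08:30:00 carol 10.1.2.5 workstation07 success
"""


def parse_logs(text):
    """Turn the raw lines into event dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        ts, user, src, host, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "host": host, "result": result})
    return events


def hunt_fan_out(events, window=timedelta(minutes=5), min_hosts=3):
    """Hypothesis check: return {(user, src): [hosts]} for every (user, source)
    pair whose successful logins reached >= min_hosts distinct hosts inside
    one sliding window. Each hit is a lead for the analyst, not a verdict."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "success":          # failures are kept out of the fan-out count
            by_key[(e["user"], e["src"])].append(e)
    leads = {}
    for key, evs in by_key.items():
        for i, start in enumerate(evs):       # slide the window over this pair's logins
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            hosts = {e["host"] for e in in_window}
            if len(hosts) >= min_hosts:
                leads[key] = sorted(hosts)
                break
    return leads


if __name__ == "__main__":
    for (user, src), hosts in hunt_fan_out(parse_logs(SAMPLE_LOGS)).items():
        print(f"lead: {user} from {src} reached {len(hosts)} hosts: {', '.join(hosts)}")
```

Only bob's burst of logins surfaces as a lead; alice and carol each touch a single host, and the failed attempt against dc01 is deliberately excluded from the count so the hunt stays tied to the stated hypothesis.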
Threat Intelligence and Threat Hunting in MDR

Both threat intelligence and threat hunting play important roles in MDR outcomes.
Threat intelligence helps identify new attack methods and exploitable vulnerabilities in the wild and informs the detection and response analytics used in MDR, including behavioral anomaly detection, vulnerability scanning, and the prioritization of remediation. It's a critical element of tenet #3 of the MDR Manifesto: the need for managed detection and response to be continuously updated with research on new threats and vulnerabilities.
With its emphasis on human investigation in concert with automated detection methods, threat hunting fulfills the need to augment technology with human intelligence to ensure accuracy and the value outlined in MDR Manifesto tenet #4.

Together, these methods enable MDR analysts to spot new threats and reduce response times to vulnerabilities and attacks.
Essential Capabilities for Complex Environments

Given the breadth of the attack landscape, understanding which threats an organization is prone to, when it's actively being targeted or exploited, and how to respond quickly and effectively is vital. Threat intelligence and threat hunting provide the means for diving deep into dynamic environments and delivering effective, customized responses to sophisticated, multiphase attacks. Expanding current security practices to include these capabilities within the context of an MDR solution is one of the best improvements organizations can make to detect new threats, block existing ones, and mount a more effective response to any attacks that get through these defenses.
--

Previous Articles in the Series:
1. Defining MDR and MSS
2. Defining Detection Left of Boom and Right of Boom
3. Defining Visibility and Threat Management

Next Up: Defining Daily Tasks and Skills of a SOC Analyst
About the Author

As Fellow Data Science Engineer for Alert Logic, Ryan Berg engages with customers, the industry, and internal product delivery teams to advance the state of the art in security analytics and machine learning. Ryan is a speaker, instructor, and author in the fields of security, risk management, and secure application development and holds 17 patents. Prior to joining Alert Logic, he served in the roles of Chief Scientist at Barkly (acquired by Alert Logic in 2019), Chief Security Officer at Sonatype, Chief Scientist and cofounder of Ounce Labs (acquired by IBM in 2009), and Principal Engineer and cofounder of Qiave (acquired by WatchGuard Technologies in 2000).