Virtualization Technology News and Information
Defining Active Threat Hunting and Threat Intelligence

By Ryan Berg, Fellow Data Science Engineer, Alert Logic

With cybercrime on the rise and inflicting record damages on companies, we tend to focus on the obvious reasons. Threats are growing in number and frequency. Attacks are more sophisticated, unfolding in multiple, incremental steps, often over months. Security teams are understaffed and overwhelmed.

But the truth is that the growing complexity of environments is outpacing all these factors. Organizational control of the network has been lost. There is no perimeter anymore.

Threat intelligence and threat hunting are essential to defending this borderless environment. Organizations need to know what and where all of its assets are, who needs to access them, and how these factors are leaving security vulnerable. Today's businesses have to understand what threats are evolving in a broader context, and be able to apply that knowledge to their unique environment. 

Unfortunately, there is a lot of confusion around threat intelligence and threat hunting. While the two often get conflated, they are two distinct and complementary techniques that together play a critical role in MDR outcomes.

What is Threat Intelligence?

Threat intelligence refers to the use of continuous research to gather raw data on emerging or existing threats and threat actors. As data is compiled, machine learning is often applied to help "color" the data and isolate hidden patterns of activity. These patterns can then be further contextualized by a threat analyst to ensure constant visibility into attack techniques, attack trends, and vulnerabilities that are applicable to a specific organizational environment. The ultimate intent of threat intelligence is to provide relevant information organizations can use to proactively defend their environment.

A distinction of threat intelligence is that the focus is on the techniques of the attacker, not the security of the victim. In an active attack, threat intelligence allows the organization to understand the progress and impact of the attack and helps them tailor the most appropriate and effective response. After an attack, threat intelligence enables a deeper understanding of what happened and helps the organization determine what additional security protections or remediations it should deploy to provide greater upfront protection.

What is Threat Hunting?

Threat hunting refers to a more targeted practice of looking for threats and bad actors in a specific organization's environment. It takes the macro picture threat intelligence provides and applies it to the micro of the particular business, looking for correlatable events that indicate both active and passive threats unique to an organization's environment.

Threat hunters are highly skilled analysts who start from the assumption that an organization's environment is already compromised. The threat hunters' process begins with creating a hypothesis and looking for evidence of malicious activity in logs, network traffic, and systems to verify it and find the threat before it sets off detection. 

Threat hunting takes threat intelligence and switches the focus from the attacker to the potential victim. It asks what is happening to a specific organization and is based on a contextual understanding of the relationship between the organization's environment and the threat landscape.

Threat Intelligence and Threat Hunting in MDR

Both threat intelligence and threat hunting play important roles in MDR outcomes. 

Threat intelligence helps identify new attack methods and exploitable vulnerabilities in the wild and informs the detection and response analytics used in MDR, including behavioral anomaly detection, vulnerability scanning, and the prioritization of remediation. It's a critical element of tenet #3 of the MDR Manifesto-the need for managed detection and response to be continuously updated with research on new threats and vulnerabilities.

With its emphasis on human investigation in concert with automated detection methods, threat hunting fulfills the need to augment technology with human intelligence to ensure accuracy and the value outlined in MDR Manifesto tenet #4.

Together, these methods enable MDR analysts to spot new threats and reduce response times to vulnerabilities and attacks.

Essential Capabilities for Complex Environments

Given the breadth of the attack landscape, understanding which threats an organization is prone to, when it's actively being targeted or exploited, and how to respond quickly and effectively is vital. Threat intelligence and threat hunting provide the means for diving deep into dynamic environments and providing effectual customized responses to sophisticated, multiphase attacks. Expanding current security practices to include these capabilities within the context of an MDR solution is one of the best improvements organizations can make to detect new threats, block existing ones, and mount a more effective response to any attacks that get through these defenses.


Previous Articles in the Series:

1.         Defining MDR and MSS

2.         Defining Detection Left of Boom and Right of Boom

3.         Defining Visibility and Threat Management

Next Up: Defining Daily Tasks and Skills of a SOC Analyst


About the Author

Ryan Berg 

As Fellow Data Science Engineer for Alert Logic, Ryan Berg engages with customers, the industry, and internal product delivery teams to advance the state of the art in security analytics and machine learning. Ryan is a speaker, instructor, and author in the fields of security, risk management, and secure application development and holds 17 patents. Prior to joining Alert Logic, he served in the roles of Chief  Scientist at Barkly (acquired by Alert Logic in 2019), Chief Security Officer at Sonatype, Chief Scientist and cofounder of Ounce Labs (acquired by IBM in 2009), and Principal engineer and cofounder of Qiave (acquired by  WatchGuard Technologies in 2000).

Published Monday, August 03, 2020 7:33 AM by David Marshall
Defining Visibility and Threat Management : @VMblog - (Author's Link) - August 3, 2020 8:07 AM
Defining Daily Tasks and Skills of a SOC Analyst : @VMblog - (Author's Link) - September 10, 2020 8:34 AM
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
<August 2020>