The ultimate goal of threat hunting is not only to find more security incidents - but to improve automated detection capabilities over time. In this article, we will delve into the intricacies of threat hunting, including its purpose, benefits, drawbacks and the various frameworks available to help guide your efforts. (Check out our Guide to Threat Hunting with Splunk.)

Probably the first question people ask about threat hunting is, “what exactly is it?” Sometimes it seems like if you ask 10 different people to define threat hunting, you’ll get 15 different answers! For our purposes, the most popular definition is probably the best: threat hunting is the name for any manual or machine-assisted process for finding security incidents that your automated detection systems missed.

The key here is that even though we often use computers, automation, and machine learning techniques to help us identify and filter events of interest, hunting is always driven by a human. Our curiosity, imagination and ability to deduce patterns of malicious activity even when we have never encountered them before are simply beyond the capabilities of today’s technology. This definition covers a lot of ground, encompassing such basics as searching for known-bad indicators, all the way up through creating innovative, cutting-edge data analysis techniques. The Hunting Maturity Model shows the various stages an organization’s hunting capability might occupy, and serves as a roadmap for threat hunting improvement over time.

Given our definition, defining the actual purpose of threat hunting seems easy, right? You might be thinking: “The purpose of threat hunting is to find more security incidents!”

Although this is exactly how some organizations approach it, I’m here to tell you: that’s not the best way to think about threat hunting.

Because threat hunting requires human involvement, it’s relatively high-cost. With the volume and velocity of security data coming into most organizations, human review isn’t just expensive, it’s entirely out of the question. We require good automated detection if we want to keep up. And that’s where threat hunting comes in.

Don’t think of hunting as a way to find more security incidents using expensive humans. Instead, think about threat hunting as a way to improve your automated detections over time. When a hunter figures out a new way to detect malicious behavior, the goal is to also figure out how to automate that detection. That way, the next time that malicious activity occurs, it will be alerted on and responded to quickly. The creation of new security incidents during the hunting process is actually a secondary benefit, more a by-product of the hunt than its intended purpose.

Of course, you certainly do not have to hunt for threats. If you ignore it, your automated security detections won’t improve - they’ll get stuck at a moment in time. Meanwhile, threat actors are constantly improving their methods.

For most organizations, threat hunting is highly recommended. Intrusion prevention doesn’t work 100% of the time. Plus, the stealthy techniques attackers use can often escape detection. More importantly, attackers are innovating at an alarming rate, resulting in a constant stream of new and updated attacks. Hunting is an effective way of helping your defenses keep up. So we can sum up the benefits and drawbacks of hunting: threat hunting can help organizations identify and mitigate weaknesses in their detection rules, platforms, and data collection, and it harnesses human intuition and creativity.
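The hunt-to-detection loop described above (a hunter's ad-hoc question promoted into a repeatable automated rule, with data-collection gaps surfaced as a by-product) as an added example; this is not the article's or Splunk's code, and the event tuple layout, the host names and the "account spread" hypothesis are assumptions made for the illustration.

```python
"""Hunt-to-detection loop: an ad-hoc hunt query becomes an automated rule,
and the same hunt reports hosts that should be logging but are silent."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable

# Constructed sample authentication events (not real data):
# (sequence number, user, source host, outcome)
EVENTS = [
    (1, "alice", "ws-01", "success"),
    (2, "alice", "ws-01", "success"),
    (3, "svc-backup", "ws-02", "success"),
    (4, "svc-backup", "ws-07", "success"),
    (5, "svc-backup", "ws-11", "success"),
    (6, "svc-backup", "db-01", "success"),
    (7, "bob", "ws-03", "failure"),
]
# Hosts the inventory says should be forwarding auth logs (constructed).
EXPECTED_SOURCES = {"ws-01", "ws-02", "ws-03", "ws-07", "ws-11", "db-01", "dc-01"}


def hunt_spread(events, min_hosts):
    """The hunter's question: which accounts successfully authenticated
    from at least `min_hosts` distinct hosts? Returns {user: sorted hosts}."""
    hosts = defaultdict(set)
    for _, user, src, outcome in events:
        if outcome == "success":
            hosts[user].add(src)
    return {u: sorted(h) for u, h in hosts.items() if len(h) >= min_hosts}


@dataclass
class Detection:
    """A codified rule the automated pipeline can run on every new batch."""
    name: str
    evaluate: Callable[[list], dict]


def promote(min_hosts):
    """Turn the hunt into a detection so the next occurrence alerts
    automatically instead of waiting for another human hunt."""
    return Detection(name=f"account-spread-ge-{min_hosts}",
                     evaluate=lambda ev: hunt_spread(ev, min_hosts))


def collection_gaps(events, expected_sources):
    """By-product of the hunt: expected log sources that sent nothing,
    i.e. a weakness in data collection that rules alone cannot reveal."""
    seen = {src for _, _, src, _ in events}
    return sorted(expected_sources - seen)
```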
Yes, the definition of threat hunting can vary, and it generally involves a combination of manual and machine-assisted processes driven by human curiosity and pattern recognition. Threat hunting has become an increasingly important aspect of cybersecurity, as organizations strive to identify and mitigate security incidents that automated systems may have missed.