The sport of threat hunting, and who should be in the game

Though the strategy of threat hunting has been around for over a decade, don’t feel compelled to jump headfirst into cyber security’s latest fad

“Hunting is not a sport. In a sport, both sides should know they're in the game.”

According to Field and Stream magazine, this is an oft-quoted hunting expression. There is irony in applying this quote to the cyber security industry, where hunting is indeed a sport. The good guys and the bad guys both know that they are in the game.

Joseph Loomis, CEO of CyberSponse, who works closely with the cyber units at the FBI, DHS and Secret Service, described this trendy new cyber sport in which the good guys try to entrench themselves in the world of the dark web.

“You want to understand the psyche of the adversary and what motivates them,” Loomis said.

Whether hunting for known or unknown threats, “You typically look for what someone has to gain. The unknown that’s nearly as important as what the gain is. When looking at adversaries whether it’s initiatives or groups, you need to know what drives them,” he said.

This collection of threat intelligence will drive how an enterprise does a threat hunt.

While hunters deep in the dark web can’t break the law to enforce law, they can, said Loomis, “Flip bad guys into good guys because they are already trusted.” These informants are already in the lines of communication and know what bad guys are looking for.

One of the most high profile bad guys turned informant is the nefarious Albert Gonzalez. Larry Johnson, senior vice president at Nehemiah Security and former Secret Service agent, recalled the days when Gonzalez was offered a deal. There had been some high profile attacks in which a couple of retailers were hit hard, which was a turning point in cyber crime, said Johnson.

"Back then, all cyber crime was financial crime," Johnson said. In the early part of the 21st century, though, criminals realized the gains that could be garnered by hacking into enterprises across industries.

Though he had been arrested for a petty crime, police found a collection of laptops and other equipment when they searched Gonzalez's home.

"We flipped him because he was arrested by a New Jersey police department. Our guys from the New Jersey office went out and found out that he was involved in one of the ShadowCrew carding gangs, an online forum where hackers traded secrets," Johnson said.

It was around the time of Gonzalez's arrest that the FBI and Secret Service started handling more cyber crime cases involving national security, organized crime, identity theft, computer fraud, and access device fraud. Flipping informants proved to be a good strategic move.

If Gonzalez hoped to have the charges against him dropped, he had to cooperate, which gave rise to the government agencies' involvement in threat hunting. Certainly the goal of the FBI and Secret Service was to find and arrest the criminals, but the average enterprise really just wants to protect itself against known and unknown threats.

Loomis argued that, “Automation is the future of cybersecurity,” but other security practitioners said that threat hunting will always rely on the human factor.

Specifically, Neumann Lim, senior information security systems engineer at D3 Cyber, said, "It's a war of attrition. One human versus another. What they put in their code, we need to find out what it is, what it’s doing, and what they can take."

Hunting the known threat is a little bit easier than pursuing the unknown. "When hunting known threats, they have already been discovered through signature or indicators of compromise," said Neumann. Unknown threats can be more time consuming because it's like searching for a needle in a haystack.

A challenge with threat hunting for many of the good guys is that legislation prevents a lot of threat hunting on the good guys' side. "When you hunt for threats, you need to do a little bit of offense. Probe networks to find out what things are happening and where they are occurring. Both Canada and the US say you can’t do that, even if your intentions are good," said Neumann.

Taking this moral high ground somewhat handcuffs what responders can do. "If we look at an IP that’s been attacking us for 24 hours, we can determine that it looks like it’s coming from Russia. Is it really Russia? Without probing that trail, we may never know," said Neumann. Knowing your opponent and how they fight is the key to beating them.

In order to know an adversary, there has to be a human being involved at every level of the hunt. Robert M. Lee, SANS Institute course author and instructor and CEO of Dragos Security, said, "There are a few core components to threat hunting. It has to be a dedicated focus. Security analysts can’t be writing reports. It's analyst driven and you can’t automate."

Robert M. Lee, CEO of Dragos Security

At the beginning and end of a threat hunt, though, Lee said, "There has to be an analyst asking questions. A general core component of any activity is a hypothesis of where an adversary might be. Threat hunting is the process of engaging in the answer."

It's easy to get caught up in the new trends in search of the cyber security silver bullet, but Lee warned, "There are not many companies dedicating teams solely to hunting, but there is so much work to be done. A lot of these smaller companies don’t have the same threat landscape."

Fortune 250 companies have a very different risk level from SMBs and local mom and pop companies. "Everybody wants to gravitate to the new shiny thing, but there is a whole gradual scale. A sliding scale of cyber security. We see some companies say wow that’s cool, but neglect architecture and don’t get as much return on investment. There is a maturity scale to all of this," said Lee.

In his blog, Enterprise Detection & Response, David Bianco shared a simple hunting maturity model to help organizations determine where they are in their security maturity process and whether investing in threat hunting platforms would yield a strong return on investment.

According to Lee, not many people do threat hunting correctly, which he attributes to the intense market pressures of the security industry. "You hear a lot about the adversary is evolving but defenders aren’t. The thing is, most adversaries don’t have the need to innovate," Lee said.

Because no company wants to come out and say they got hacked by a super basic adversary, it's easier to use a doomsday smoke screen. The fear of sophisticated hackers innovating faster than defenders imbues a dependence on products, Lee said. "In reality, we are actually seeing defenders make huge strides. Defense is more and more doable; however, the marketing pressures of that can quickly bastardize the industry," Lee continued.

Because both the good guys and the adversaries know that they are in the game of threat hunting, the sport will always demand human intelligence. Lee said, "It is harder to talk about the upside of the industry because that doesn't sell, but the industry as a whole is drastically getting better. What it boils down to is that the threat is a human. The whole concept of the hunt understands that. Only the humans are going to defend that architecture."


Kacy Zurkus
