“Additionally, threat hunters now have access to frontline intelligence that allows them to better understand their threat profile and tailor their threat hunting efforts to reduce real risk,” Pennino says.
The biggest evolution in threat hunting came out of needing to manage large volumes of data, says Aaron Walker, research manager for government trust and resiliency strategy at IDC Government Insights.
“Automation now plays a huge role in ingesting SIEM, application, network and other data to identify those indicators to respond to and remediate threats,” Walker says. “For example, the automated threat hunting tools can spot a threat actor who has been hiding on an enterprise network for weeks based on behavior, really a needle in a haystack, and provide recommended actions to revoke access and assess nefarious activity.”
As threat hunting has evolved, the discipline has shifted to using AI technology to assist in threat detection, says Robert Higham, director of threat detection research at Secureworks.
“The goal is to use AI to help you find things that you wouldn’t have found if you weren’t proactively looking in your environment historically through your logs and your current configurations,” Higham says.
2024 Is the Year of Continuous, Managed and Proactive Threat Hunting
The main difference between a few years ago and today — and perhaps the drive for the rise in managed threat hunting — is that “threat actors are becoming increasingly sophisticated and are leveraging advances in technology to execute malicious campaigns at scale,” Pennino says.
“By using an external threat hunting service, organizations benefit from not only the highly specialized skill sets that threat hunters bring but also the lessons learned in the field that then can be quickly applied to their environment,” Pennino adds.
The Cybersecurity and Infrastructure Security Agency may provide managed hunting services for some agencies, for example, Meyers says.
Since different agencies may use different cybersecurity tools, CISA has in the past developed platforms such as EINSTEIN to provide a common set of capabilities for agencies. That system has intelligence fed into it from sensor networks that companies such as CrowdStrike maintain, Meyers says.
“You get these concepts of loops feeding into loops, with threat hunting from our OverWatch team, and they can feed what they’re finding up to the government agency, the managed service provider,” he adds.
Threat Hunting Is Part of a Balanced Cyber Resilience Strategy
Threat hunting is not a “nice to have” element of cyber resilience, Higham says. Some in the industry think that detection and prevention measures must be perfected before adding in threat hunting, but he wholly disagrees.
“You take that hunting maturity model and you say, ‘What data do I have? What could I find if I looked in that data?’” Higham says. “And then, if you can afford it, partner with someone to help you out.”
Threat hunting is part of a balanced cyber-resilience strategy, “as it can act as a backstop to provide coverage against adversaries that are evading traditional detection mechanisms,” Pennino says.
Not every tool, tactic or procedure “is easily codified in high-fidelity logic that can be easily reviewed by analysts,” he adds. “The process of threat hunting inherently offers broader coverage for threats by casting a wider net in search of anomalous or malicious activity.”
Threat hunting gives agencies the ability to test their defense-in-depth strategies, which indicate when and where adversaries are in the attack lifecycle, Pennino says.
“This provides agencies insight into where additional investment may be needed within their cyber programs to best protect their assets,” he adds.
How Federal Agencies Should Approach Threat Hunting
Agencies should take advantage of resources provided by CISA and other agencies “because their IT budgets are so strained,” Walker says.
“Agencies are expected to adopt threat hunting capabilities but weren’t provided with specified funding,” he adds. “Agencies should also look to their peers — including state, local and tribal entities who have received grant funding for threat hunting projects — and engage with the trusted partners that aided them in successfully implementing modern, continuous threat hunting programs.”
From a federal government perspective, the top threat actors are nation-states engaged in espionage, including China, Iran, Russia and North Korea, Meyers says.
Ideally, agencies would “leverage internal dedicated resources to conduct threat hunting across their organizations,” since such resources “possess unrivaled knowledge of the agency’s environment and can quickly recognize activity or behaviors that may be anomalous,” such as a remote access tool that is not approved or typically used, Pennino says.
In reality, it is “almost always necessary to partner with an external organization that provides expertise in threat hunting,” he adds.
“These organizations can offer assessments to understand the current maturity of a threat program, training designed to upskill threat hunters and other areas of expertise that require specialized skill sets that do not always make sense to build in-house.”