What is ‘Hunting’ in Cyber Security
Is more hunting needed if we have fewer security products or more security products? That question came up recently and set off a strong internal debate. We arrived at a consensus, but before I reveal it, let me clarify what we mean by hunting.
What Is Hunting?
Hunting comes in two types: discovering attacks and confirming attacks. Attack discovery hunting focuses on finding whether any attack has bypassed the installed security products. Since most installed products work on some form of rules or signatures, advanced attacks will usually bypass them. Even products that are not rule based, such as anti-APT sandboxes, get bypassed through encrypted payloads or sandbox evasion. The hunter uses specialized tools and platforms to detect what slipped through, including a big data security analytics platform.
Attack confirmation hunting starts with an alert that has already been triaged and forwarded for further investigation. Here the hunting focuses on what the impact was, who the attacker was, what the blast radius is, and who patient zero might be. I would call this “investigation analytics” rather than hunting.
Attack Discovery Hunting – More Products Less Hunting
Does attack discovery hunting decrease or increase with more products? Since a hunter will limit discovery to those areas where no security product is monitoring for or preventing an attack, hunting decreases as more products are installed. If an anti-APT product is installed, your hunting for unknown malware should go down. If UBA (user behavior analytics) is installed, your hunting for lateral movement should decrease. If a hunter uses a big data analytics platform to discover complex patterns, anomalies, or outliers, then their discovery models and effort will shrink as more security products are introduced. It can never reach zero, since every product gets bypassed, but there will be a reduction.
Alert Hunting – More Products More Hunting
However, something else happens with more products, specifically more detection products: they add to the alert volume. No SOC has a team of analysts large enough to investigate every alert, so alerts are triaged and, as commonly cited industry statistics suggest, only some 2% to 5% of them are investigated while the rest are overlooked. The danger lies in how a hunter should think about the rest. While these un-investigated alerts may look innocuous individually, taken together they may indicate a low and slow attack campaign. A hunter would then try to unearth the attack by linking these alerts: clustering them, finding associative patterns, or probabilistically chaining them into a sequence. So the more products you put in place, the more alerts are generated, and the more hunting is needed for all of the alerts that did not get investigated.
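The following is an added illustration of the alert hunting described above; it is example code written for this page, not Paladion's tooling or any vendor's product. It simulates the triage step (only high-severity alerts get investigated), then hunts the leftover backlog by clustering alerts per user (or per host) inside a time window and flagging clusters that span several tactics and several products, which is exactly the shape a low and slow campaign takes when no single alert looks interesting. The alert records, product names, severity scale, and the kill-chain stage order used to judge whether a chain progresses are all constructed assumptions for the example.

```python
"""Hunt a triage backlog for low-and-slow campaigns by chaining un-investigated alerts."""
from collections import defaultdict
from datetime import datetime, timedelta

# Rough kill-chain order used to judge whether a chain "progresses" (an assumption for this example).
STAGE_ORDER = ["initial_access", "execution", "command_and_control",
               "discovery", "lateral_movement", "collection", "exfiltration"]

# Constructed sample alerts: field names, products and severities are illustrative, not any vendor's schema.
ALERTS = [
    {"ts": "2021-03-01T08:12:00", "host": "ws-117", "user": "jdoe", "product": "EDR",
     "severity": "low", "tactic": "execution", "msg": "powershell with encoded command"},
    {"ts": "2021-03-04T22:40:00", "host": "ws-117", "user": "jdoe", "product": "proxy",
     "severity": "low", "tactic": "command_and_control", "msg": "periodic beacon to newly registered domain"},
    {"ts": "2021-03-09T03:15:00", "host": "ws-117", "user": "jdoe", "product": "UBA",
     "severity": "medium", "tactic": "discovery", "msg": "unusual LDAP enumeration volume"},
    {"ts": "2021-03-12T01:05:00", "host": "fs-02", "user": "jdoe", "product": "AD",
     "severity": "low", "tactic": "lateral_movement", "msg": "first-time logon to file server"},
    {"ts": "2021-03-13T11:00:00", "host": "ws-221", "user": "asmith", "product": "AV",
     "severity": "high", "tactic": "execution", "msg": "known malware quarantined"},
    {"ts": "2021-03-13T14:20:00", "host": "ws-305", "user": "bchen", "product": "proxy",
     "severity": "low", "tactic": "command_and_control", "msg": "uncategorised domain"},
    {"ts": "2021-03-20T09:00:00", "host": "ws-305", "user": "bchen", "product": "EDR",
     "severity": "low", "tactic": "execution", "msg": "office macro spawned cmd.exe"},
]


def parse(alert):
    return datetime.fromisoformat(alert["ts"])


def triage(alerts, investigate=("high", "critical")):
    """Split alerts into the few the SOC investigates and the backlog it overlooks."""
    investigated = [a for a in alerts if a["severity"] in investigate]
    backlog = [a for a in alerts if a["severity"] not in investigate]
    return investigated, backlog


def cluster(backlog, key="user", window=timedelta(days=14)):
    """Group backlog alerts per entity (user or host) and split a group wherever
    two consecutive alerts are further apart than the window."""
    per_entity = defaultdict(list)
    for a in sorted(backlog, key=parse):
        per_entity[a[key]].append(a)
    clusters = []
    for entity, items in per_entity.items():
        current = [items[0]]
        for prev, cur in zip(items, items[1:]):
            if parse(cur) - parse(prev) > window:
                clusters.append((entity, current))
                current = []
            current.append(cur)
        clusters.append((entity, current))
    return clusters


def score(entity, items, min_tactics=3, min_products=2):
    """Keep only clusters that cross several tactics and several products:
    individually each alert was below the triage bar, together they form a chain."""
    tactics = list(dict.fromkeys(a["tactic"] for a in items))  # order of first appearance
    products = sorted({a["product"] for a in items})
    if len(tactics) < min_tactics or len(products) < min_products:
        return None
    stages = [STAGE_ORDER.index(t) for t in tactics]
    return {
        "entity": entity,
        "tactics": tactics,
        "products": products,
        "alerts": len(items),
        "span_days": (parse(items[-1]) - parse(items[0])).days,
        "progresses": stages == sorted(stages),  # chain moves forward along the kill chain
    }


def hunt(alerts, key="user"):
    """Triage first, then hunt the backlog; returns campaign candidates, not the investigated alerts."""
    _, backlog = triage(alerts)
    candidates = [score(entity, items) for entity, items in cluster(backlog, key=key)]
    return [c for c in candidates if c]


if __name__ == "__main__":
    for candidate in hunt(ALERTS):
        print(candidate)
```

Pivoting the cluster key matters: hunting by user links the lateral move to the file server into jdoe's chain, whereas hunting by host only sees the three alerts on ws-117 and misses the hop. A real backlog would also need the window and thresholds tuned per environment; the values here are arbitrary starting points.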
So it is a see-saw: more products lead to more alert-based hunting, and fewer products lead to more attack discovery from passive sources such as proxy logs, NetFlow, packets, Active Directory, and user traffic. The consensus we arrived at was that you can’t eliminate hunting in a modern SOC. But is the debate really settled? After all, consensus is what you agree on in a group but disagree with privately. Let us know what you think.
Rajat Mohanty is the Co-founder, Chairman of the Board of Directors and Chief Executive Officer of Paladion Networks. He has been Paladion’s Chairman & CEO since the inception of the Company in July 2000.