Threat Hunting is an Imperative Despite Challenges in Definitions, Data and Skills


by Ben Levitan

If you asked 10 people for a definition of “threat hunting” you’d get 10 different definitions.

For some, the term threat hunting is old wine in a new bottle. For others, it’s a luxury amid the fast pace of a security operations (SecOps) organization. For still others, it’s unpacking payloads and sifting through the data later, when you have time.

But you never have time later in cybersecurity, and so threat hunting is none of these things. Yet it remains an essential component of a security posture, one that deserves the industry’s attention and calls on cybersecurity professionals to adapt with new skills and sophisticated tools.

Threat hunting is identifying and sneaking up on an enemy that’s already inside your perimeter when they aren’t expecting it. This technique is an improvement on merely waiting for alerts to go off, which is nearly synonymous with allowing bad actors to infiltrate, bide their time, and choose their moment to attack. As the saying goes, sometimes the best defense is a good offense.

At this point, I should declare that I subscribe to the SANS Institute philosophy of threat hunting which is the following:

Threat Hunting is about placing an appropriate, dedicated focus on the effort by analysts who purposely set out to identify and counteract adversaries that may already be in the environment.

Legacy Views of Threat Hunting

Years ago, threat hunting was the domain of expert analysts and consultants. These talented people had experience, situational awareness, and perhaps a sixth sense that was paramount to the task.

Unfortunately, they were limited by rudimentary tools to get the job done.  With the exception of perhaps some government agencies, few had access to the analytics or threat intelligence that’s commercially available today.

As a result, threat hunting was reduced to a task that many SecOps personnel performed, but never quite at the level they wanted to, or knew they needed to, perform. Ask any SecOps professional and ‘they knew in their gut’ that they were compromised, but didn’t have the data, tools, or manpower to pursue their hunches. So the default mode that’s been etched in the minds of security professionals is to wait for an incident and then react.

The Skills Gap in Threat Hunting

What has changed in recent years is that new technologies have come into the market to automate key portions of the problem, particularly in the area of payload inspection. However, based on recent discussions with CISOs and market analysts, it is clear that the gap still exists.

Many point to the shortage in cybersecurity skills. More specifically, in analytics, which is very important to threat hunting, IBM predicts that by 2020 there will be a 28% demand spike for data analysts and scientists. Adding to this is the overarching problem of data quality, which is already a persistent challenge in security reporting.

Even the most sophisticated organizations are struggling to build a decisive and sophisticated threat hunting strategy. Yet it doesn’t have to be that way, because despite the security skills shortage, new tools and techniques have emerged to manage the data and to arm the security analyst with better tools.

Newer Technologies Assist with the Skills Gap

The better security solution providers are already working to simplify processes, such as complex network and metadata analysis, and to include them as part of the SecOps workflow. Examples of new threat hunting use cases include network threat analysis and metadata analysis, which put simplified and powerful capabilities in the hands of the security analyst.

This means the SecOps team does not have to stop, mid-incident, to analyze the goals and tactics of an attack. In other words, the right information is provided in real time, as part of the triggering alert, and threat hunting practices can be gradually integrated into the process.

The output must also be presented in a way that is easily understood by SecOps, and not restricted exclusively to the data analyst or scientist. It’s not enough to merely have the tools available to perform threat hunting. Instead, these tools must also be easily integrated into the process, share data with other tools, and enhance the value of the overall security portfolio.

If we as an industry are to get ahead of today’s attackers, then we are charged with treating threat hunting as an important discipline. It is not a luxury, and it’s not something to put off until later. Modernized security tools can go a long way toward filling in the skill gaps, thereby enabling people, improving process, and augmenting existing security technologies.

* * *

This blog was written by Ben Levitan. Mr. Levitan is an investor, tech executive and four-time CEO. He currently serves as President of Cedalion Partners and is a member of the Bricata Board of Directors. He can be reached via email at ben -at- cedalionpartners -dot- com.

Note: Mr. Levitan will contribute to a session titled “Winning the Risk/Security Revolution: A Bootcamp” at the SecureWorld (PLUS) conference in Boston. The session will be held on Thursday, March 15, 2018 from 8:00 – 9:30 a.m. in room #108.
