A cyber threat hunting solution should not simply be another layer of real-time detection. There are significant differences in the goals of a real-time detection tool (like antivirus) and a pure threat hunting solution. This article explores the top ten business requirements for selecting an enterprise cyber threat hunting solution.
By Chris Gerritz, Co-founder and Chief Product Officer at Infocyte
Threat hunting—traditionally a highly specialized skillset—is now entering conversations about enterprise endpoint security. Within the realm of endpoint security, Threat Hunting Platforms complement your existing cybersecurity defenses (like EDR, EPP, AV, and UEBA) by approaching endpoint security from a different angle…
The practice of threat hunting is a proactive approach to cybersecurity, whereby a hunter forensically inspects the endpoints on your network for indications of compromise, threats (malware, ransomware, breaches, etc.) and vulnerabilities. Traditionally, it’s a very time-consuming process; however, threat hunting platforms like Infocyte HUNT have automated and simplified the process of threat hunting, enabling enterprise security teams to hunt an entire network in as little as a day.
Threat hunting solutions produce, sort, and score “leads” (potential threats) that point to suspicious activity and adversary presence. A threat hunting solution should not simply be another layer of real-time detection. There are significant differences in the goals of a real-time detection tool (like antivirus) and a pure threat hunting solution.
For example, enterprise antivirus and real-time intrusion detection solutions focus on actionable alerting of attacks in progress while minimizing false positives. Threat hunting solutions, on the other hand, focus on two things:
Post-compromise behavior and indicators of compromise (for example, the techniques catalogued by MITRE ATT&CK).
Enabling proactive and effective investigation into anomalies, outliers, and other suspicious activity that may not have produced an actionable, high-confidence alert.
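The contrast above can be made concrete with a small lead-scoring routine. This is an added illustration, not Infocyte code: the survey records, hash, weights and host count are constructed, and the real-time detector is modeled as a single known-bad-hash match so that the difference between a high-confidence alert and a ranked hunt lead built from several weak signals is visible.

```python
from dataclasses import dataclass

# Constructed endpoint survey record (hypothetical fields, not a vendor schema).
@dataclass
class Artifact:
    host: str
    path: str
    sha256: str
    signed: bool
    prevalence: int   # number of surveyed hosts on which this hash was seen
    persistence: str  # "" if none, else e.g. "run_key" or "scheduled_task"

TOTAL_HOSTS = 200                       # constructed size of the surveyed fleet
KNOWN_BAD = {"feedface" * 8}            # constructed placeholder hash, not a real IoC
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\")

# Real-time style detection: fires only on a high-confidence, known-bad match.
def realtime_alert(a: Artifact) -> bool:
    return a.sha256 in KNOWN_BAD

# Hunt-style scoring: accumulates weak post-compromise indicators into a lead.
def score_lead(a: Artifact) -> tuple[int, list[str]]:
    score, reasons = 0, []
    if a.sha256 in KNOWN_BAD:
        score += 10; reasons.append("known-bad hash")
    if not a.signed:
        score += 1; reasons.append("unsigned binary")
    if a.prevalence <= max(1, TOTAL_HOSTS // 100):   # seen on <=1% of hosts
        score += 3; reasons.append("rare across fleet")
    if a.persistence:
        score += 3; reasons.append(f"persistence via {a.persistence}")
    if any(s in a.path.lower() for s in USER_WRITABLE):
        score += 2; reasons.append("runs from user-writable path")
    return score, reasons

# Produce, score and sort leads; drop noise below the threshold.
def hunt(artifacts: list[Artifact], threshold: int = 3) -> list[tuple[int, str, list[str]]]:
    leads = []
    for a in artifacts:
        score, reasons = score_lead(a)
        if score >= threshold:
            leads.append((score, f"{a.host}:{a.path}", reasons))
    return sorted(leads, key=lambda l: l[0], reverse=True)

SURVEY = [  # constructed sample data
    Artifact("ws01", r"C:\Windows\System32\svchost.exe", "a1" * 32, True, 200, ""),
    Artifact("ws17", r"C:\Users\alice\AppData\Local\Temp\updater.exe", "b2" * 32, False, 1, "run_key"),
    Artifact("ws42", r"C:\ProgramData\tool.exe", "feedface" * 8, False, 3, "scheduled_task"),
    Artifact("ws03", r"C:\Program Files\Agent\agent.exe", "c3" * 32, False, 180, ""),
]
```

Only `ws42` would raise a real-time alert, while the hunt also surfaces `ws17`, which matched no signature but combines rarity, persistence and an unusual path.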
The following goals are examples tailored for a typical enterprise which has to balance budgets, time, manpower, and skills.
An ideal enterprise threat hunting solution:
Should produce, sort, and score leads into suspicious post-compromise activity or indicators.
Should enable a quick path to verify and investigate those leads to a conclusion.
Must provide answers to questions that were previously unanswerable.
Must not cause outages on the way to those answers (low business impact).
Must not take a team of engineers to support.
Must be accessible and approachable to a wide level of skill and experience.
Must be cost effective; must not take excessive resources to deploy, staff, and fund.
Must find things related to a real adversary you are likely to find in your environment.
Should provide data and conclusions useful for responding or mitigating a discovered compromise.
Should scale to the maturity of the organization.
To learn more about cyber threat hunting and request a live demonstration of Infocyte’s Threat Hunting and Incident Response Platform, Infocyte HUNT, please visit infocyte.com.
About the Author
Chris Gerritz, a retired Air Force officer and service-disabled veteran, is a pioneer in proactive cybersecurity operations, having stood up the U.S. Air Force’s first interactive Defensive Counter Cyberspace (DCC) practice. After medically retiring from the Air Force, Chris helped co-found Infocyte and develop the leading independent Threat Hunting & Incident Response platform, Infocyte HUNT.