Skilled operators make all the difference in incident response and threat hunting. With talent scarce (and expensive), however, managed threat hunting teams may be worth a look, writes Scott Taschler of the firm Crowdstrike.
As we discussed in “Uncovering the Unknown Unknowns,” threat hunting is a critical discipline that more organizations are using to disrupt stealthy attacks before they become mega breaches. In many organizations, threat hunting becomes the last, best line of defense, leveraging human knowledge, experience and intuition to detect threats that carefully crafted, automated layers of defense cannot.
While threat hunting is a straightforward exercise, it can be challenging to staff properly. Effective threat hunters come with years of experience and battle scars from regular engagements with their adversaries. There is a well-known skills gap in cybersecurity. Skilled hunters don’t come cheap, and can be difficult to retain. Managed threat hunting services are tailor-made to fill this critical gap for organizations of all types.
Managed threat hunting, sometimes called “managed detection and response” (MDR), makes up a small but important part of the managed security services market.
With managed threat hunting, you are engaging a team of expert threat hunters for a simple, but important task: to continuously sift through your enterprise security data, looking for faint signs of the most sophisticated attacks.
Is This Just Another MSSP?
Onboarding a managed security service provider (MSSP) can be a daunting project. Organizations who have experienced challenges using MSSPs for security monitoring in the past might rightfully ask the question, “Does managed threat hunting make sense for me?” Managed threat hunting has some key features that make it easy to deliver quick wins for organizations of all types:
- Organizations are unique. The adversaries and their TTPs (tactics, techniques and procedures) are not. Many times, when a managed security service project fails to deliver value, it’s because of the massive complexity involved in communicating and integrating two disparate security organizations. Threat hunting is a much simpler, more constrained problem. A well-equipped threat hunter can be very effective at identifying and communicating about threats without needing a deep, encyclopedic knowledge of your enterprise or a full company org chart.
- Skills make a difference. Security monitoring is labor intensive, but remains a relatively low-skilled task. An analyst can be trained and effective within weeks, which makes it feasible for many organizations to perform this in-house. Truly effective threat hunting, on the other hand, requires deep and broad expertise. Hunters can benefit from knowledge of topics such as forensics, Windows, Linux, Mac, foreign languages, network-based intrusions, host-based intrusions, and many others. Building depth in these skills can take months or years. Managed threat hunting services deliver immediate value and instant maturity without lengthy hiring and training cycles.
- Staff retention matters. Hiring a strong staff is only the beginning; keeping them engaged, challenged and interested in staying with your company must also be a constant focus. A quality managed threat hunting service is able to bring to bear tactics that less focused MSSPs can’t. They are able to invest in custom tooling and automation to make their rock stars as efficient as possible. In addition, they can offer the rewarding experience of direct observation and interaction with a wide range of today’s most advanced threats, creating the perfect conditions to attract and retain the most skilled hunters.
Separating the Good from the Indifferent
The world of managed security services is broad and confusing, and sometimes it’s difficult to sift through the buzzwords. Here are a few questions you can ask to get a clearer understanding of a potential service provider:
- How often is a human reviewing my data? If the answer is “once,” then you are looking at a one-time investigation service, not managed threat hunting. “Weekly” or “monthly” are of little value. Your attackers don’t take the weekends off and neither should your threat hunting service. Threat hunting is a continuous, 24×7 operation.
- What hunting leads drive your hunting activity, besides IOCs (indicators of compromise)? Every hunt begins with a lead, or a hypothesis. The simplest kind of threat hunts start with known bad IOCs (typically IP addresses, hashes, and domains), and searches through historical data looking for matches. In this kind of hunting, the human hunter is providing little added value in the process. IOC-based hunting is easy to automate, and doesn’t require a skilled analyst to drive it. Your managed threat hunting service should begin with the most current TTPs in use by today’s adversaries.
- What kinds of threats will you uncover for me? Services that merely provide prioritization and context around alerts from other security products are doing triage, not threat hunting. When used most effectively, threat hunting is focused on your visibility gaps. It reveals the threats you are least likely to uncover without expert help.
- How do you help me respond more quickly? An alert without context and recommendations is merely more noise in your daily queue. A quality threat hunting service will not just throw alerts over your cubicle wall. Your managed threat hunting service partner should not only alert you to emerging threats quickly, but also guide your response, coaching you on context and the most effective response actions.
- What do we learn in the process? Successful threat hunts shine a bright light on gaps in your security architecture, and provide valuable insights for future improvements. Too few organizations make effective use of these observations. World-class threat hunters drive continuous improvement by smartly solidifying defenses. Hunting down a threat once is a win; hunting it down a second time is a sad waste of human capital.
Done right, managed threat hunting can deliver instant maturity to your security operations center, uncover the most sophisticated threats, and do it at a low cost.
Editor’s note: an earlier version of this story provided an incorrect title for Mr. Taschler in a photo caption. The caption has been corrected. PFR Nov. 9 2018