Machines won’t replace threat hunters until they master this one skill - Lacework

Machines won’t replace threat hunters until they master this one skill

Allie Fick, Security Reporter

November 22, 2022

Could technology replace your job? This question has crossed most of our minds, regardless of which industry we work in. It’s difficult not to notice that machines have taken over many tasks once run by  humans—like the customer service bot you chat with when trying to cancel a subscription or the self-checkout machine you use at the grocery store. As a writer, I wonder if artificial intelligence writing tools could make my own job obsolete. Even those in the world of cybersecurity are wondering where those boundaries lie. That’s in large part because with the world’s growing focus on cybersecurity, we’re seeing increasingly more threat detection tools with advanced capabilities. This raises the question—could the tools we use to detect threats replace the people who investigate threats? What do threat hunters do that cybersecurity tools can’t? Before we can answer that, we need to understand who threat hunters are and what exactly they do.

Are threat detection and hunting the same? 

Threat detection and threat hunting sound almost identical, so it’s not surprising that people make the mistake of using the terms interchangeably. Although they sound similar, they are different yet complementary processes. Threat detection refers to identifying known security issues in an environment; this process is usually performed automatically by threat detection tools. Whereas threat hunting is a process performed by a person to find new, unknown security threats. 

Regardless of how advanced or effective threat detection tools are, there are always going to be bad actors trying to develop new ways to get past them. This is where threat hunting comes in. Threat hunting is looking for the unwanted or malicious behavior that security tools either miss or don’t know to look for.  

Hunters have a unique skill set 

Threat hunters proactively find and respond to security issues and act as an early warning system—effective hunting requires a specific expertise. Many threat hunters first work as security analysts before moving into incident response or cyber threat intelligence roles. 

“Threat hunting is one of the most advanced skill sets one could obtain in information security today,” Rob Lee, chief curriculum director and faculty lead at SANS Institute said in an interview with CSO

“The core skills of a threat hunter include security operations and analytics, incident response and remediation, attacker methodology, and cyber threat intelligence capabilities.” 

Compare them to doctors

Threat hunters are often compared to actual hunters, but to understand what they do, it’s also helpful to compare them to doctors. Doctors use your medical records to understand what’s normal for you, like your weight, height, blood pressure, etc. At your yearly check-up, they check your vitals, ask you questions, and perform a physical exam to make sure everything looks normal. If you have a family history of a certain issue, they pay special attention to that area. If something is abnormal; for example, if you have high blood pressure, they’ll investigate further and possibly take a blood test or ask you to come back for a follow-up appointment to figure out the cause. They’re proactively addressing potential problems by viewing data from the past, examining you to see what’s going on now, and anticipating what could happen next. 

Threat hunters do this same thing—instead of waiting until they receive an alert about a security issue, they actively look for threats in an environment. But unlike a yearly check-up at the doctor, threat hunters are constantly looking for new threats. They determine where and when bad actors are likely to attack and then try to find them. Once they find the attackers, they don’t just get rid of them, they also use what they learned about those threats to improve and make new rules in threat detection tools. They look at the path the attackers took to bypass security, and then use that information to strengthen their security so it can’t happen again. 

Data is their hunting ground

Threat hunting always starts with visibility. You can’t find threats without a place to start hunting and in this case their hunting grounds refer to anywhere you can find enough data. According to Cybersecurity Insiders’ 2022 Threat Hunting Report, the most popular data sources for threat hunting today are endpoint activity, firewall/IPS denied traffic, and system logs. Data is only useful if it’s gathered consistently—just occasionally gathering information about an environment and checking for certain things isn’t enough. Continuous records of what’s happening are necessary to find threats.  

To gather high-quality data, hunters need to use resources (technology and people) appropriately. Automation should replace repetitive tasks, like scanning logs for certain usernames or IP addresses. Tasks can be automated because you’re searching for known information. Machine learning should be used to identify and prioritize anomalous behavior. As you’re gathering more and more information about your environment, machine learning should be used to alert you if anything unusual is happening. From there, hunters can research and address events appropriately. 

Visualization tools also help hunters sort and understand large data sets. Instead of focusing on individual alerts or pieces of data, threat hunters look at the big picture to identify patterns and try to determine where an attacker is headed and why. Connecting the dots between abnormal behavior is how they eventually discover the threats. Regardless of how advanced a tool is or how skilled a hunter is, they won’t be able to understand the threat without sufficient data.  

It’s trickier than it seems

Threat hunting is hard because although hunters aren’t sure exactly what they want to find, they need to know what they’re not looking for. By knowing what they don’t want, they can then filter that information out, eventually leading them to something that’s worth investigating. 

Co-founder/CTO of Obsidian Security Ben Johnson compared threat hunting to booking a flight. When you’re searching for a flight—you input your origin, destination, and date. Your results might show you that there are 100 flights to choose from. From there, you filter the results to show only nonstop flights, and then you choose your preferred airline to narrow your search. Then you filter anything that’s too expensive. Eventually, you have only three flights to choose from. You’re getting the big picture, finding the things that look interesting, and then investigating further. Tools and technology can help you with the filtering portion of hunting, but once you get to those final three, you need to make a decision based on what you think will be the best flight for you. 

How hunting has changed

One of the first articles that described threat hunting in the cybersecurity sense was published in 2011 by security strategist and author Richard Bejtluch, who said that using unstructured, creative approaches are necessary to protect against cyber threats. “This idea of developing novel methods to detect intruders, testing them into the wild, and operationalizing them is the key to fighting modern adversaries,” he wrote. 

We’ve been using some of the same threat indicators to find and trace attackers for the past 10 years, such as suspicious domain names, IP addresses, and file names. But technology advancements have also introduced new threat indicators, for example, behavioral anomalies such as unauthorized access attempts. Threat hunters’ end goal has also remained mostly the same—to find new indicators of compromise. But what they do with those indicators is different today. While 10 years ago hunters would communicate indicators they discover to incident response teams so they could monitor or block them, today, after hunters address the issues, they also use that information to improve security tools by generating rule sets or other automation that can alert them about similar threats. 

What do threat hunters have that technology doesn’t? 

If we’re continuously using the threats we find to improve our detection technology, will tools eventually be about to outsmart attackers? 

Not anytime soon, because humans have a skill that technology does not. 

“I would say curiosity is the number one trait of a successful threat hunter, and until computers can be programmed to be curious then humans can’t be replaced,” Chris Hall, cloud security researcher at Lacework, said. “My former business partner had a good analogy—he said the best threat hunters will touch a wall that has a wet paint sign.”

Threat hunters are human complements to threat detection tools. Because humans have the ability to understand the business they’re working with and how certain data is important to the business it allows them to use that knowledge to form hypotheses about what bad actors want and how they might get there. This requires a critical mind, investigative thinking, and information security knowledge–something the robots just don’t have.

Technology has a time and a place in this process. Security automation can and should be used appropriately to maximize the capabilities of your security teams. Technology to triage alerts will help your teams prioritize the threats they respond to instead of being flooded with millions of alerts. Automating repetitive tasks like scanning for known threats helps you to detect and respond to known issues much faster than you would be able to manually. 

Why threat hunters are here to stay

Today, nearly 90% of organizations agree that threat hunting should be a top security initiative. Human and machine expertise together create the most effective threat hunting plan. Technology helps threat hunters do their jobs faster, smarter, and more effectively; but ultimately, it is human analysis that provides valuable context when dealing with potential threats. Bad actors will never stop trying to find new ways to attack, and because of that, we need machines to help us focus on what needs to be done while threat hunters use their critical thinking skills to resolve the issues and prevent them from happening again. 

Until all threats are accurately flagged and eliminated by technology, we need humans with the right tools and expertise to keep up—and that means using automated processes as well as having teams with the correct skills, training, and experience.

Threat hunting is a human-driven process and while it’s not impossible, machines won’t replace the task anytime soon. 

Where to learn more

Attackers are constantly improving their skills, so it’s important to be aware of methods and avenues they’re using in order to stay one step ahead of them. Lacework Labs’ Cloud Threat Report published last month explores the techniques attackers are using along with measures you can take to protect your business. Alongside the report, we released Cloud-Hunter, which is an open source threat hunting tool designed by our threat hunters to help security researchers quickly find and analyze data within the Lacework platform.