How human-led threat hunting complements automation in detecting cyber threats
In this Help Net Security interview, Shane Cox, Director, Cyber Fusion Center at MorganFranklin Consulting, discusses the evolving methodologies and strategies in threat hunting and explains how human-led approaches complement each other to form a robust defense.
Cox also discusses the ongoing need for skilled threat hunters and the future challenges and opportunities in integrating human intelligence with advanced automation.
What are the primary methodologies used in threat hunting? How do they complement each other?
Human-led threat hunting employs various approaches to detect and mitigate sophisticated cyber threats that automated tools alone might overlook. These methodologies complement one another to provide a comprehensive detective strategy.
Hypothesis-driven hunting allows for in-depth, proactive investigation, while Indicators of Compromise-driven (IoC) and entity-driven methods ensure that specific and high-value threats are not overlooked. The identification of Indicators of Behavior (IoBs) bridges the gap between known threats and emerging tactics, providing needed flexibility and speed to respond to emerging threats.
The main techniques include:
- Hypothesis-driven hunting: This method develops hypotheses based on known attack patterns, tactics, techniques, and procedures (TTPs). It uses frameworks like MITRE ATT&CK to systematically search for signs of malicious activity, taking a structured and proactive form of threat detection.
- IoC-driven hunting: This reactive method targets specific attack indicators, such as unusual IP addresses or file hashes, that could signal a breach. While it’s effective in identifying known threats, it often misses new or evolving tactics that do not fit pre-existing profiles.
- Entity-driven hunting: This methodology focuses on protecting high-value or high-risk entities within an organization, like privileged accounts or critical databases. By prioritizing these targets, threat hunters can defend against insider threats or sophisticated attacks on the organization’s most vital assets.
- Behavior-based hunting for IoBs: IoBs refer to the subtle actions and patterns that suggest a threat actor is present in the system, even if no specific IoCs are detected. Human-led threat hunting is key to identifying these behavioral patterns, as automated tools often lack the contextual understanding to spot these nuances. For example, a sequence of legitimate actions taken in an unusual order or frequency might be dismissed by automation but could trigger suspicion for a skilled hunter.
With the increasing automation in cybersecurity, what is the role of human intelligence in threat hunting? Why is the human brain still considered the most effective detection engine?
Automation has transformed large-scale data analysis and detection of known threats with speed and accuracy. However, the role of human intelligence in threat hunting remains irreplaceable, especially when identifying IoBs.
IoBs are patterns that suggest malicious intent, even when traditional IoCs aren’t present. These might include unusual access patterns or subtle deviations from normal procedures that automated systems might miss due to the nature of rule-based detection. Human threat hunters excel at recognizing these anomalies through intuition, experience, and context.
The combination of automation and human-led threat hunting ensures that all bases are covered. Automation handles the heavy lifting of data processing and detection of known threats, while human intelligence focuses on the subtle, complex, and context-dependent signals that often precede major security incidents. Together, they create a layered defense strategy that is comprehensive and adaptable.
How important is it to have seasoned, battle-tested threat hunters on a cybersecurity team, and what challenges do organizations face in finding such talent?
Skilled threat hunters are essential to a successful cybersecurity team. Their experience and deep understanding of adversarial tactics help to identify and respond to threats that would otherwise go unnoticed. Their intuition and ability to adapt quickly to new information also make them invaluable, especially when dealing with advanced persistent threats (APTs).
However, the demand for skilled threat hunters far exceeds the supply. The ongoing cybersecurity talent shortage makes it difficult for organizations to find and retain these professionals. The high stress and intensity of the role further worsen retention challenges. To address these issues, organizations must invest in continuous training, offer competitive salaries, and foster a supportive and flexible work environment.
How do you measure the success of a threat-hunting program? What metrics or KPIs are most indicative of an effective threat-hunting operation?
Measuring the success of a threat-hunting program involves using both qualitative and quantitative metrics:
- Reduction in dwell time: This is the time an attacker remains undetected within a network. A significant reduction in dwell time indicates a more effective threat-hunting operation.
- Number and validity of incidents detected: A higher detection rate of valid threats, especially those involving subtle IoBs, suggests a successful program.
- Improvement in automated systems: Effective threat hunting often leads to better-tuned automated systems, reducing false positives and improving overall security posture.
Overall, the integration of human-led threat hunting with automation creates a feedback loop where insights from hunts enhance automation detection, and improved automation frees human hunters to focus on the most challenging and ambiguous threats.
How do you see the future of threat hunting? What new challenges and opportunities do you anticipate?
Future threat hunting will deeply integrate automation with human intelligence. As attackers increasingly use AI to scale their efforts, threat hunters must adapt their strategies to stay ahead. This includes leveraging AI and machine learning to enhance their capabilities, such as identifying unusual behaviors that could signal hidden threats.
The focus on IoBs will remain critical, as these subtle signals often precede major attacks. Human-led threat hunting is essential for interpreting these signs and adjusting to evolving adversarial tactics. The growing complexity of IT environments—driven by cloud computing, IoT, and remote work—will add layers of difficulty to threat detection and response.
While automation will play a larger role in threat hunting, humans will remain key to uncovering and responding to sophisticated threats. The future of cybersecurity relies on a balanced approach that combines the strengths of automation with human insight, ensuring comprehensive defense against ever-evolving cyber threats.