February 1st, 2024

Threat Hunting Explained, and Why MSSPs Should Offer It

By Jeffrey Burt – MSSP Alert

Not long ago, organizations could use security tools like antivirus software, network intrusion systems and endpoint detection and response (EDR) to stave off cybercriminals and their malware. They’d look for attacks using signature-based detections and set off alerts if something malicious but familiar came across the transom, and security pros could then scramble to fight back.

The days of relying on such reactive measures are over. Modern malware is highly adaptable and the increasingly sophisticated adversaries are adept at slipping their malicious payloads past such traditional security products — or at least avoiding them. There are signature-based techniques — think polymorphic malware and file encryption — and ways to hamper security analysts and systems from getting a bead on malware (code obfuscation and VM detection).

The bad guys can also insert malware into legitimate code (DLL and threat injection), change the behavior of their code to evade detection (such as checking for sandboxes), and have their fileless malware run in a system’s memory (memory-based execution and living-off-the-land, or LOLbins).

IBM notes that traditional automated tools and security operation centers (SOCs) can protect against as much as 80% of threats. But it’s the other 20% that need new and more proactive approaches, given their levels of sophistication and the amount of damage they can do. High up on that list of proactive, find-them-before-they-get-you tools is threat hunting.

Searching for Elusive Threats

Threat hunting essentially is searching for threat actors and malware that already have slipped by the defenses and are sitting in the network. Advanced persistent threat (APT) groups and other hackers, once in, can spend months moving laterally around a network and sifting through confidential or personal information, credentials, trade secrets or similar data.

IBM says such bad actors can stay in a network avoiding detection for an average of 280 days. Threat hunting is aimed at rooting them out before they can do much damage. It can help shorten that dwell time.

Threat hunting is a function within a larger cybersecurity program and is used in conjunction with — and parallel to — many of the traditional security software. The information generated by network analytics, incident detection, response, and remediation, and similar tools give threat hunters a place to start.

It’s a complementary process that looks to analyze the data collected by those tools through hypotheses, queries and automation to draw out leads to start pursuing, detect anomalous behavior within the network and follow the trail of threats that have to that point existed without being uncovered.

The Market for Threat Hunting Services

The threat hunting space is due for an accelerated expansion, thanks to the rapidly changing cybersecurity landscape, the increased number and sophistication of threats and bad actors, an increasingly digital nature of business and the evolving work environment.

Analysts at Future Market Insights expect the global threat hunting market will grow an average of 18.6% a year between 2023 and 2033, from almost $2.4 billion to more than $13 billion. Almost any enterprise can take advantage of threat hunting services to root out previously undetected threats in their networks, shorten investigation times, accelerate response times and improve their cybersecurity posture.

Much of the market growth will come in large part from the accelerating need of organizations in sectors under increasing attack from ransomware and other threats.

“Rising focus on improving safety across industries like BFSI [banking, financial services, and insurance], telecom and IT, healthcare, and manufacturing is a key factor driving demand for threat-hunting solutions in the market,” analysts wrote in the Future Market Insights report, adding that the pandemic-fueled shift to remote and hybrid work also is contributing to the growth.

Rapid7 pointed to a 2017 SANS Institute survey that found only 31% of organization had dedicated threat hunting staff, while that number jumped to 93% four years later. The reason? The sheer number of attacks on enterprises continues to skyrocket, the service provider said.

MSSPs and Threat Hunting Services

Given the expected growth and the need for specialized threat hunting capabilities at a time when skill cybersecurity talent is hard to come by, it’s not surprising that most MSSPs have added proactive threat hunting to their already expanding list of services.

Most of the service providers among the first 20 of MSSP Alert’s 2023 list of the top 250 MSSPs include 24/7 continuous threat hunting in their services offerings, with most including a combination of tools and human insights and being housed in their managed defense and response (MDR) packages. A sampling of other MSSPs uncovered similar services.

The arguments for turning to an MSSP for threat hunting rather than doing it in-house echo those for other services: threat hunting takes particular expertise that may not already be available among an enterprise’s security team and could be difficult and expensive to bring in from the outside. And as mentioned, most MSSPs already offer the service.

Key Tools for Threat Hunting

There are a number of tools MSSPs must have to run their threat hunting services, starting with security information and event management (SIEM) solutions. They give threat hunters real-time analysis of threats along with tracking and logging of security data, which they can use to get a head start investigating anomalies within the IT environment.

SIEM also brings much of the necessary automation and analytics for churning through the massive amounts of data collected by security technologies, all of which is heightened by the integration of AI and machine learning techniques.

Also in the mix are monitoring tools like firewalls, intrusion detection systems (IDS), user and entity behavior analytics (UEBA), cloud monitoring and antivirus solutions. Threat hunters can crunch the data and analytics collected by these tools to track down leads and scale their work.

Threat Hunting Vendor Solutions

MSSPs have no shortage of vendors that come with both a threat hunting service offering and MSSP programs in place. Established IT giants like Microsoft, through its Defender services, and Cisco System via its Umbrella cloud-delivered services, both offer threat hunting capabilities to MSSPs.

Similar offerings can be found with a broad array of cybersecurity vendors such as CrowdStrike, Cybereason, Recorded Future, and Google’s Mandiant business as well as network-focused companies like Palo Alto Networks.

Threat hunting is the tip of the spear for organizations adopting the more proactive cybersecurity efforts needed at a time when the dangers of ransomware, extortion and other attacks are mounting and sophisticated and well-funded threat groups continue to develop ways to sneak their malicious code into networks under the noses of traditional security tools.

As demand for threat hunting capabilities grow, MSSPs that want to stay competitive is the ever-evolving landscape will have to offer such services or risk falling behind their rivals.