Threat hunting explained: Taking an active approach to defense

With attackers lurking undetected in systems for months at a time, threat hunting is becoming an essential element of security.


Selim Aissi has gotten more aggressive.

Aissi, CISO at software company Ellie Mae, has his security team searching for intruders trying to sneak into his enterprise systems and working to root out any that might be hiding.

He wants to shut attackers down before they have a chance to act.


“It’s about making prevention more productive,” he says. “It’s not passive, like detection. We’re proactively searching for these threats so we can isolate them. That’s what makes threat hunting a truly active defense.”

Aissi is one of a growing number of CISOs who have added threat hunting to their cybersecurity programs, seeing this approach as a way to identify intruders who have either eluded monitors or are so new that they’ve yet to set them off.

Threat hunting definition

Threat hunting is the practice of proactively searching for threats that are hiding in an organization's systems. Experts say threat hunting is becoming an essential element of enterprise security that builds on conventional perimeter defenses that, while still important, are far from foolproof.


“The perimeter defense model of security leaves organizations exposed to attacks from the outside and the inside, so CISOs have to make the assumption that they have an attacker in their midst, so you want to be proactive and look for signs of those who are lurking in the shadows,” says Gregory J. Touhill, adjunct faculty member at Carnegie Mellon University’s Heinz College of Information Systems and Public Policy and retired U.S. Air Force brigadier general who served as the first federal government CISO during the Obama administration.

Certainly, security teams have always been tasked with identifying threats to the enterprise and shutting down those that have made their way past organizational defenses.

But security teams historically identify threats once they’ve made themselves known in some way, such as when they’ve tripped an alert from a monitoring system within the security operations center (SOC). “The average time in system before detection is more than 100 days, so there’s a need to look for that activity,” says Mike Ortlieb, a director of security and privacy at management consulting firm Protiviti. “But threat hunting allows you to thwart the attackers before they succeed.”
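One concrete form of the proactive search described above is "stacking" (frequency analysis): rather than waiting for an alert, the hunter tallies how many hosts exhibit each parent/child process pair and investigates the ones that are rare, then checks how long the rare activity has been resident. The following is an added example, not code from the article or from any of the teams quoted in it. It assumes hypothetical JSON-lines endpoint telemetry with `host`, `ts`, `parent` and `image` fields; the host names, timestamps, process names and the rare-host threshold are all constructed for illustration.

```python
"""Stack-counting hunt over endpoint process telemetry.

Added example (not from the article). Surfaces parent/child process pairs
seen on only a few hosts, then measures how long each rare pair has been
present. All telemetry below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
import json

# Constructed JSON-lines telemetry with hypothetical hosts and timestamps.
# Most hosts show the same benign chains; ws04 also shows Word spawning
# PowerShell (first seen months earlier) and PowerShell spawning rundll32.
SAMPLE_TELEMETRY = "\n".join([
    '{"host": "ws01", "ts": "2021-03-01T08:02:00", "parent": "explorer.exe", "image": "outlook.exe"}',
    '{"host": "ws01", "ts": "2021-03-01T08:10:00", "parent": "outlook.exe", "image": "winword.exe"}',
    '{"host": "ws02", "ts": "2021-03-01T08:05:00", "parent": "explorer.exe", "image": "outlook.exe"}',
    '{"host": "ws02", "ts": "2021-03-01T08:20:00", "parent": "outlook.exe", "image": "winword.exe"}',
    '{"host": "ws02", "ts": "2021-03-01T09:00:00", "parent": "explorer.exe", "image": "chrome.exe"}',
    '{"host": "ws03", "ts": "2021-03-01T08:07:00", "parent": "explorer.exe", "image": "outlook.exe"}',
    '{"host": "ws03", "ts": "2021-03-01T08:30:00", "parent": "outlook.exe", "image": "winword.exe"}',
    '{"host": "ws03", "ts": "2021-03-01T09:12:00", "parent": "explorer.exe", "image": "chrome.exe"}',
    '{"host": "ws04", "ts": "2021-03-05T10:01:00", "parent": "explorer.exe", "image": "outlook.exe"}',
    '{"host": "ws04", "ts": "2021-03-05T10:11:00", "parent": "outlook.exe", "image": "winword.exe"}',
    '{"host": "ws04", "ts": "2020-11-02T09:15:00", "parent": "WINWORD.EXE", "image": "powershell.exe"}',
    '{"host": "ws04", "ts": "2021-03-05T10:12:00", "parent": "winword.exe", "image": "powershell.exe"}',
    '{"host": "ws04", "ts": "2021-03-05T10:12:30", "parent": "powershell.exe", "image": "rundll32.exe"}',
    '{"host": "ws05", "ts": "2021-03-01T08:09:00", "parent": "explorer.exe", "image": "outlook.exe"}',
    '{"host": "ws05", "ts": "2021-03-01T08:40:00", "parent": "outlook.exe", "image": "winword.exe"}',
])


def parse_jsonl(text):
    """Parse JSON-lines telemetry into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parent_child(event):
    """Hunt key: case-normalised (parent, child) image pair."""
    return (event["parent"].lower(), event["image"].lower())


def stack_by_hosts(events, key_fn):
    """Map each key to the set of hosts on which it was observed."""
    hosts = defaultdict(set)
    for event in events:
        hosts[key_fn(event)].add(event["host"])
    return hosts


def rare_keys(events, key_fn, max_hosts=1):
    """Keys seen on at most `max_hosts` hosts, rarest first (hypothetical threshold)."""
    hosts = stack_by_hosts(events, key_fn)
    rare = [(key, sorted(seen)) for key, seen in hosts.items() if len(seen) <= max_hosts]
    return sorted(rare, key=lambda item: (len(item[1]), item[0]))


def dwell_days(events, key_fn, key):
    """Whole days between first and last sighting of `key`, or None if unseen."""
    stamps = [datetime.fromisoformat(ev["ts"]) for ev in events if key_fn(ev) == key]
    if not stamps:
        return None
    return (max(stamps) - min(stamps)).days


def run_hunt(text, max_hosts=1):
    """Full hunt: parse, stack parent/child pairs, report rare ones with dwell time."""
    events = parse_jsonl(text)
    leads = []
    for key, hosts in rare_keys(events, parent_child, max_hosts):
        leads.append({
            "pair": key,
            "hosts": hosts,
            "dwell_days": dwell_days(events, parent_child, key),
        })
    return leads


if __name__ == "__main__":
    for lead in run_hunt(SAMPLE_TELEMETRY):
        print(lead)
```

On the constructed data the hunt returns two leads, both confined to ws04: `winword.exe` spawning `powershell.exe`, resident for 123 days by the time of the last sighting, and `powershell.exe` spawning `rundll32.exe`. Neither chain tripped a rule, and a rare pair is a lead to triage rather than a verdict (a single host running a niche tool will stack out the same way), but this is exactly the kind of long-dwelling activity the article says hunting is meant to find before the attacker acts.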
