This article was originally published by Forbes on June 29, 2023.
If you search for definitions of threat hunting, you’ll see several variations, but they all center on one extremely mistaken idea: that it is a form of proactive cyber defense. That couldn’t be further from the truth.
The consensus definition is that threat hunting is looking for and rooting out threat actors that have already slipped past defenses such as extended detection and response (XDR) platforms, antivirus solutions and firewalls. By that definition, threat hunting is reactive, not proactive. It typically happens during incident response, after financial and reputational damage has already been done.
I’m not advocating against the need for threat hunting. But organizations need to change their thinking that it’s proactive security. The mindset needs to shift towards vulnerability hunting, which allows organizations’ Blue Teams (defensive teams) to go on the offense by looking for issues before nefarious actors find them.
Who Knows Your Network Best?
The idea of vulnerability hunting is based on a hard truth that NSA Cybersecurity Director Rob Joyce tweeted nearly two years ago: “Attackers spend time knowing the network and the devices better than the defenders. That’s how they win.”
This means that attackers know most, if not all, of the vulnerabilities in a network. These include vulnerabilities in the operating systems, the applications they run and the user accounts they support. Exposures also exist in the presence and state of the security controls designed to protect these systems.
The ideal state is when every server or endpoint matches a golden image, particularly from a cybersecurity perspective. For example: is an EDR agent such as CrowdStrike installed for endpoint protection, is Automox installed for patch management, and is the device joined to Microsoft Active Directory? It’s also about state, not just presence: knowing that those tools are actually communicating with their management consoles and are up to date. Automox may be installed but running an outdated agent, or it may not have checked in with its console for several weeks; either way you have found a vulnerability, because those devices are not being patched. This is what attackers take the time to learn, and it is why modern cyber asset intelligence is critical.
You also need to consider identities, i.e., your users. Knowing that Jane’s laptop has its security controls installed is important. But suppose your asset intelligence also shows another account on Jane’s laptop, belonging to a user named Bob, and that the same account appears on 250 other devices. If Bob isn’t a member of an administrative group and the account isn’t tied to an application or deployment tool, that’s an anomaly. If you can’t establish who Bob is and why his account is on 250 machines, it’s probably an attacker trying to maintain persistence by spreading to as many endpoints as possible, and the account should be treated as such until proven otherwise.
Enter Vulnerability Hunting
Experienced security practitioners reading this article may think, “Isn’t this just a classic vulnerability assessment?” It goes beyond the early days of vulnerability assessment, when IT would run a scan to see which ports were open across the organization and which vulnerabilities on a system an attacker might exploit. That is vital information to have, without a doubt, and vulnerability hunting does not remove the need for vulnerability assessment.
Rather, the output of vulnerability assessments is enriched with the intelligence derived from vulnerability hunting: you identify more assets, including unmanaged or undermanaged ones, that can then be evaluated by a vulnerability assessment, and you learn the presence and state of the security controls on those devices. This amplifies vulnerability assessment while providing a new level of detail across devices, applications and identities.
Here’s how it works. Say your organization has 50,000 devices. An asset intelligence platform should maintain an up-to-date inventory of on-premises, remote and cloud-based assets, and it should identify gaps in security controls and issues with applications and identities. Findings can be prioritized automatically based on asset type, geography, user, group, regulatory mandate and so on. Through automation, the platform can generate alerts, push updates to the systems it integrates with (SIEMs, SOARs, CMDBs, ticketing systems, etc.) and trigger remediation actions such as isolating a problem asset, deactivating a user account or pushing an update. Disruptive actions like isolation or account deactivation should be gated behind a confidence threshold or an approval step so that a stale inventory record doesn’t take a production system offline.
The best way to think about vulnerability hunting is as pieces of a puzzle: the more pieces you have, the clearer the picture. Beyond combining vulnerability hunting with vulnerability assessment, you can bring in external threat and exploit intelligence feeds. Suppose a feed reports that adversaries have built exploits specifically for end-of-life Windows Server 2008 devices, which you didn’t think you had in production, but your asset intelligence platform has identified 20 of them across your environment. You can then correlate data from your governance, risk and compliance (GRC) system and discover that applications running on those devices are tagged as sensitive because they handle PCI data. That correlation tells you which devices to act on first.
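As an added example (not from the original article and not any vendor’s product code), here is a small Python hunt over a constructed asset inventory that applies the checks described above: control presence and state (agent installed, current version, recent check-in, Active Directory membership), local accounts spread across an anomalous number of hosts, and a prioritization step that correlates end-of-life operating systems with an exploit feed and a PCI tag from a GRC system. Host names, versions, dates, thresholds and the feed entry are all assumed values chosen for the example.

```python
from datetime import date, timedelta

# Fixed "today" so the example is deterministic; an assumed value, not from the article.
TODAY = date(2023, 6, 29)
STALE_AFTER = timedelta(days=14)
# Assumed "current" agent versions; a real hunt would pull these from each vendor console.
CURRENT_VERSIONS = {"edr": "7.02", "patch": "1.40"}
# A local account on more hosts than this, outside sanctioned accounts, is an anomaly.
ACCOUNT_SPREAD_LIMIT = 5
SANCTIONED_BROAD_ACCOUNTS = {"svc-backup"}
EOL_OS = {"Windows Server 2008", "Windows Server 2008 R2"}
# Constructed stand-in for an external exploit-intelligence feed.
EXPLOIT_FEED = {"Windows Server 2008": "public exploit available"}


def agent(version=None, last_seen=None):
    """Agent record as the inventory exports it; None means not installed."""
    return None if version is None else {"version": version, "last_seen": last_seen}


def make_asset(host, os, in_ad, edr, patch, accounts, tags=()):
    return {"host": host, "os": os, "in_ad": in_ad, "edr": edr, "patch": patch,
            "local_accounts": list(accounts), "tags": set(tags)}


# Constructed inventory, as an asset intelligence platform might export it.
ASSETS = [
    make_asset("wks-001", "Windows 11", True, agent("7.02", date(2023, 6, 28)),
               agent("1.40", date(2023, 6, 28)), ["jane"]),
    make_asset("wks-002", "Windows 11", True, agent("7.02", date(2023, 6, 28)),
               agent("1.31", date(2023, 5, 30)), ["alice", "bob"]),
    make_asset("srv-pay-01", "Windows Server 2008", False, agent(None),
               agent("1.40", date(2023, 6, 27)), ["bob"], tags={"pci"}),
    make_asset("srv-web-07", "Windows Server 2019", True, agent("7.02", date(2023, 6, 28)),
               agent("1.40", date(2023, 6, 28)), ["bob", "svc-backup"]),
]
# Six more fully compliant workstations that also carry the "bob" account.
for i in range(3, 9):
    ASSETS.append(make_asset(f"wks-{i:03d}", "Windows 11", True,
                             agent("7.02", date(2023, 6, 28)),
                             agent("1.40", date(2023, 6, 28)), ["bob"]))


def control_findings(asset):
    """Presence and state of each required control on one asset."""
    out = []
    if not asset["in_ad"]:
        out.append("not joined to Active Directory")
    for name in ("edr", "patch"):
        rec = asset[name]
        if rec is None:
            out.append(f"{name} agent not installed")
            continue
        if rec["version"] != CURRENT_VERSIONS[name]:
            out.append(f"{name} agent outdated ({rec['version']})")
        if TODAY - rec["last_seen"] > STALE_AFTER:
            out.append(f"{name} agent silent since {rec['last_seen']}")
    if asset["os"] in EOL_OS:
        note = EXPLOIT_FEED.get(asset["os"])
        out.append(f"end-of-life OS {asset['os']}" + (f"; {note}" if note else ""))
    return out


def identity_findings(assets):
    """Local accounts present on more hosts than policy allows."""
    hosts = {}
    for a in assets:
        for acct in a["local_accounts"]:
            hosts.setdefault(acct, set()).add(a["host"])
    return {acct: sorted(h) for acct, h in hosts.items()
            if len(h) > ACCOUNT_SPREAD_LIMIT and acct not in SANCTIONED_BROAD_ACCOUNTS}


def severity(asset, findings):
    """Rough priority: an EOL OS with a known exploit on a PCI host outranks a stale agent."""
    score = 0
    for f in findings:
        if f.startswith("end-of-life"):
            score += 3 + (2 if "exploit" in f else 0)
        elif "not installed" in f or "not joined" in f:
            score += 2
        else:
            score += 1
    if "pci" in asset["tags"]:
        score *= 2  # GRC tag from the compliance system doubles the weight
    return score


def hunt(assets):
    """Return (ranked control findings, identity anomalies), highest severity first."""
    per_host = []
    for a in assets:
        f = control_findings(a)
        if f:
            per_host.append((severity(a, f), a["host"], f))
    per_host.sort(key=lambda t: (-t[0], t[1]))
    return per_host, identity_findings(assets)


if __name__ == "__main__":
    ranked, accounts = hunt(ASSETS)
    for score, host, findings in ranked:
        print(f"[{score:2d}] {host}: " + "; ".join(findings))
    for acct, hosts in accounts.items():
        print(f"account {acct!r} present on {len(hosts)} hosts: {', '.join(hosts)}")
```

Run as-is, the payment server surfaces first (no EDR, not in AD, end-of-life OS with a feed match, PCI-tagged), the workstation with the stale Automox-style agent ranks below it, and the “bob” account is flagged because it appears on nine hosts while the sanctioned backup service account is ignored. The thresholds and scoring are deliberately simple; the point is that each finding is computed from inventory state rather than from a vulnerability scan.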
The ROI Of Vulnerability Hunting
Coming back to the myth that threat hunting is proactive: another way to think about it is getting to the “left of boom,” i.e., taking the actions that keep attackers from compromising the network in the first place. Threat hunting takes place after the boom, when the damage is done. A common outcome of threat hunting is discovering that an attacker has been in the network for months or years, and the work required to evict an attacker entrenched for two years only adds to the financial cost.
Compared with threat hunting, vulnerability hunting requires fewer resources and less time to keep attackers out of your network. It also reduces dwell time, the length of time attackers spend inside your network, because the intrusion is prevented rather than discovered after the fact.
Beyond the cost savings, there can be an exceptional return on investment in vulnerability hunting. Organizations that have purchased licenses for tools like CrowdStrike or Automox, and pay people to maintain them, need to know when those tools are missing from critical systems, not communicating properly or not running current versions.
That can’t be determined through reactive threat hunting or a simple vulnerability assessment, but it can be through asset intelligence-driven vulnerability hunting.