Threat actors lurk in all corners of the internet and even on your network, lying in wait to strike. Sophisticated attackers often have no need to deploy malware in the early stages of an attack as they can use tools such as operating system components, misconfigurations or installed software to achieve their aims.
Even advanced threat detection – which tends to identify attacks after they have already begun – may not be enough to keep organisations protected. To build a more robust defence, they need a more proactive approach. With threat hunting, the goal is to anticipate and prevent attacks by analysing networks, endpoints and data to identify suspicious activity that might be missed.
While technology-based solutions are still important, threat hunting also requires a human-centric approach to be effective. This enables organisations to move faster than the speed of the threat, shutting down attacks, often before they start. But it can be challenging to implement a threat-hunting programme.
According to a recent Pulse survey, more than half of IT organisations pointed to budgetary constraints and lack of cyber security expertise as two of the main roadblocks to a successful threat-hunting initiative. As a result, organisations are looking to managed service providers (MSPs) to take on their threat-hunting responsibilities.
For MSPs, this is a real opportunity. Threat hunting enables them to add value to their customers’ security postures, including:
- Timely threat response: A human-driven approach augments any existing tech-based controls before a breach even takes place.
- Reduced investigation time: Threat hunting not only intercepts threats that might otherwise go undetected for days, weeks or even months, but also minimises dwell time and is crucial to reliably disrupting breaches.
- Better insights for security teams: A well-thought-out threat-hunting programme arms security teams with high-level insights that help them cull the pertinent data needed to establish best practices and disrupt future threats.
- Improved efforts to minimise the attack surface and boost automated detection: Threat hunting can detect new patterns, which in turn helps organisations improve their detection capabilities, leaving threats with nowhere to hide.
To adopt threat hunting properly, there must be a shift in mindset around security: moving beyond prevention and incident response to a proactive, continuous response model that starts from the assumption that the organisation has already been compromised and needs constant monitoring and remediation.
Visibility is the backbone of any effective threat-hunting programme. At any given moment, users and endpoints are producing valuable telemetry information about what is going on across the organisation. Even though the vast majority of that telemetry is about legitimate activity, advanced technologies such as machine learning and behavioural analytics can reveal abnormal behaviours that could be signals of suspicious activity, triggering a security alert. This process is based on automated analytics and requires specific technologies, processes and resources to be performed correctly.
Threat hunting runs in tandem with this workflow. Its core function is to run queries against the data lake, with specific tooling, to extract insights from the telemetry that can then be automated as new deterministic analytics. Threat hunting also covers applying those new analytics to the telemetry and putting weak signals into context, so that actual attacks are easier and faster to identify.
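As an added illustration of that workflow (not code from the original article or from any MSP tooling), the hunt below frequency-stacks parent/child process pairs in constructed endpoint telemetry, treats rare pairs as weak signals, adds host context so the hunter can separate benign rarity from a real finding, and then promotes the confirmed finding into a deterministic rule that runs automatically. The event fields, host names and the `promote_to_rule` shape are assumptions for the example.

```python
from collections import Counter

# Constructed process-creation telemetry (parent -> child on a host): sample data
# standing in for what a hunter would query from the data lake, not real logs.
TELEMETRY = [
    {"host": "ws01", "parent": "explorer.exe", "child": "chrome.exe"},
    {"host": "ws02", "parent": "explorer.exe", "child": "chrome.exe"},
    {"host": "ws03", "parent": "explorer.exe", "child": "outlook.exe"},
    {"host": "ws01", "parent": "services.exe", "child": "svchost.exe"},
    {"host": "ws02", "parent": "services.exe", "child": "svchost.exe"},
    {"host": "ws04", "parent": "outlook.exe", "child": "winword.exe"},
    {"host": "ws05", "parent": "outlook.exe", "child": "winword.exe"},
    {"host": "ws04", "parent": "winword.exe", "child": "cmd.exe"},
]

def stack_pairs(events):
    """Hunt query: frequency-stack parent/child pairs across the fleet.
    A rare pair is a weak signal, not a verdict."""
    return Counter((e["parent"], e["child"]) for e in events)

def rare_pairs(events, max_count=1):
    """Return pairs seen at most max_count times fleet-wide."""
    return sorted(p for p, n in stack_pairs(events).items() if n <= max_count)

def context_for(events, pair):
    """Put a weak signal into context: which hosts show it and what else those
    hosts ran, so the hunter can judge benign rarity against a real attack."""
    hosts = sorted({e["host"] for e in events if (e["parent"], e["child"]) == pair})
    related = [(e["parent"], e["child"]) for e in events if e["host"] in hosts]
    return {"hosts": hosts, "related": related}

def promote_to_rule(pair, name):
    """Turn a confirmed hunt finding into a deterministic analytic that can be
    applied automatically to new telemetry (assumed rule shape)."""
    parent, child = pair
    return {"name": name,
            "match": lambda e: (e["parent"], e["child"]) == (parent, child)}

def run_rules(events, rules):
    """Automated detection pass: (rule name, host) for every matching event."""
    return [(r["name"], e["host"]) for e in events for r in rules if r["match"](e)]

if __name__ == "__main__":
    # Stacking alone flags a benign rarity (explorer -> outlook) alongside the
    # real finding; context is what lets the hunter tell them apart.
    for pair in rare_pairs(TELEMETRY):
        print("weak signal:", pair, context_for(TELEMETRY, pair))
    rule = promote_to_rule(("winword.exe", "cmd.exe"), "office_spawns_shell")
    print(run_rules(TELEMETRY, [rule]))
```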
By adding threat hunting to their arsenals, MSPs can offer customers better protection and more reliable threat detection before any damage can be done, while shoring up defences against any future attacks.
Once considered a “nice-to-have” capability, threat hunting is increasingly a must-have for all organisations across all industries. With the speed at which threats are spreading, hunting is no longer something organisations can add to their wish list – it must be viewed as a required capability to keep users and data safe and secure.