This past Monday, Alert Logic’s Tom Gorup (VP of Security Operations) and I led an #MDRMonday Twitter chat to talk about the role of threat hunting in the delivery of managed detection and response (MDR) services. As it stands, the MDR Manifesto stresses the importance of threat intelligence, but threat hunting is not called out as a unique requirement of MDR.
After a suggestion by one of the industry’s most trusted analysts, we decided to open this up to the MDR community on Twitter. So far, we’ve only received a few responses, mainly emails and direct messages, and we’d like to get some more. Share your thoughts using #MDRmonday on Twitter, or join the MDR Manifesto LinkedIn group to discuss directly with industry experts and peers.
The Role of Threat Hunting in MDR
Threat hunting has two functions in the delivery of managed detection and response, and both are as a source of intelligence. There is research-based threat hunting, where experts and analysts look for new attack methods and exploitable vulnerabilities in the wild. When new attack vectors or weaknesses are identified that information feeds the detection and response analytics for areas of MDR like vulnerability scanning, behavioral anomaly detection, and the prioritization of remediation.
This might be considered an element of Tenet #3 (Keeping the threat intel shiny and new). There is also active threat hunting, where analysts review logs, network traffic, and systems, in order to find evidence that an attack is in progress or has already breached the system. This, though, could also be considered a part of Tenet #4—being an important reason to keep humans in the loop.
So, is there something special about threat hunting that means it is more than a part of another tenet, and that creates a need for content and clarification about its role in MDR? After all, the MDR Manifesto and tenets were created to provide clarity. Can an organization provide quality MDR if they aren’t performing their own threat research and if they don’t actively look for threats and attacks in progress?
Leaning towards Tenet #8
Our discussion is leading me to think that yes, threat hunting is required.
My inclination isn’t driven from the need for unique threat intelligence or innovative attack identification, although both are great differentiators for an MDR provider. My current and newfound bias to recommending the addition of an 8th tenet is derived from the side benefits of investing in both kinds of threat hunting.
Institutional Knowledge and Attitude
An organization that staffs and equips a threat hunting capability is institutionalizing a set of skills that are required for all three components of MDR, the management, the detection, and the response. Threat hunting starts by understanding how to identify assets that could be targeted and how to classify them by the services they are running, their exposure to other networks, and their connectedness. It then progresses to looking for divergencies from an expected norm. A threat hunter looks for artifacts on systems and in logs that are left by known attack techniques. She looks for failed login attempts or large dataset exfiltration, and she recognizes the signs that something unusual and unauthorized is going on. Once the hunter starts pulling on the thread that she’s found, she doesn’t stop until the entire attack profile is discovered. There forms a list of all the systems, accounts, or services that have been affected, and there is a detailed record of the changes or damage that’s been left. This is the same information that will be required when it’s time to respond.
This is one point for Tenet #8: An organization that performs threat hunting understands the information that’s required to better manage threats, to efficiently detect attacks, and to respond effectively when they are found.
There is a second point.
Threat Hunting as a Competence Proxy
MDR, as a comprehensive security service, is still pretty new. Potential buyers of MDR are unlikely to be as knowledgeable in the outcomes and contributing methodologies as the vendors that are approaching them. Threat hunting—especially if it is done for both intelligence gathering and threat investigation—is only possible when the organization has the mindset and the skills to do the same kind of security work that underpins good MDR.
As a result, a novice buyer can use the presence of threat hunting as a litmus test for a skilled provider.
Tenet #8 or Not?
I think we need a third validation before we add a tenet, and that’s consensus. It might be that people are comfortable with MDR providers using third party threat intel feeds and relying on tools and packaged analytics to do all the local hunting. If so, then it wouldn’t become a tenet. The threat hunting capability would, instead, differentiate the quality of MDR service among providers. That’s useful, too, but not as prescriptive.
I think we’re pretty close to a decision, but we want more of your insights to help us with the decision. If you have an opinion—particularly a contrary opinion—let us know. Weigh in on Twitter through the #MDRMonday hashtag, join the #MDRManifesto group on LinkedIn, or drop us a line.
Threat hunting is obviously important to MDR, but can you have MDR without it? We’ll see.