Continuous Threat Hunting vs. Campaign-based Threat Hunting
Continuous Threat Hunting allows early detection of threats and is more complete than Campaign-based Threat Hunting
The classic Threat Detection model has traditionally been considered reactive, in the sense that investigations begin only after an alert has been generated.
Until recently, technology was unable to gather enough reliable information (telemetry) to detect malicious patterns that escape traditional detection systems. Now that the technology has matured sufficiently, Threat Hunting is emerging as a new service that searches for these threats proactively.
What is and what is not Threat Hunting?
The fact that there is no single consensus on what is and what is not Threat Hunting is particularly revealing. The following cases commonly generate some confusion:
- Responding to a detected threat to identify the scope of a compromise and develop containment or remediation strategies: is it Threat Hunting or Incident Response?
- Investigating an alert from a security tool to determine whether it is a false positive or malicious activity: is it Threat Hunting or Threat Detection?
- Collecting information about actors, their TTPs and their infrastructure: is it Threat Hunting or Threat Intelligence?
- Adding a list of IOCs, such as IPs, hashes, domains or URLs, to a security tool and waiting for matches: is it Threat Hunting or SOC activity?
What most of us do agree on is that Threat Hunting includes at least the following:
- Proactive hunting that discovers adversary traces which have not generated any alert.
- Confirming malicious activity by analyzing the telemetry available in the context of a specific organization.
- It is usually complemented by threat containment capabilities, which reduce the threat's impact.
- Less common, but equally valuable, is issuing recovery recommendations (the recovery itself would not be executed as part of a Threat Hunting service).
Under this definition, a Threat Hunting service is fully synergistic with and complementary to Threat Intelligence initiatives and Threat Detection (generally offered by SOCs or EDR vendors), and it can also serve as a key piece within an Incident Response process.
Comparison between Continuous Threat Hunting and Campaign-based Threat Hunting
Everything would be fantastic if there were a consensus on the above, but even among those who advocate what we have just pointed out, there are different models of Threat Hunting. At present, several dominant models of Threat Hunting coexist, each with its own priorities and each yielding different results in terms of the capacity to detect malicious activity early. The fundamental pillar of any Threat Hunting model is the proactive search for threats by establishing Compromise Hypotheses.
The most common models include the following:
- Continuous Threat Hunting.
- Campaign-based Threat Hunting.
The Continuous Threat Hunting model provides greater coverage and better response times. It is based on three fundamental points: frequency, scope and adaptability.
Next, the Continuous Threat Hunting model is compared with the other most popular model, known as Campaign-based Threat Hunting.
Frequency
The Continuous Threat Hunting model is based on the premise that the assets we protect are always compromised. This forces us to maintain a proactive position, which requires establishing Compromise Hypotheses and running telemetry searches to confirm or rule out those hypotheses. Running such telemetry searches continuously over time significantly reduces the time needed to detect threats whose presence has not generated any alert.
This model contrasts with the Campaign-based Threat Hunting approach, where coverage is limited to the campaign period and to the TTPs that the campaign covers. That model yields blind spots in detection and wide periods during which an adversary could go undetected.
Data management and telemetry are other critical points that depend on the Threat Hunting model. In a Continuous Threat Hunting model, the short telemetry retention periods of EDRs do not prevent a full retrospective analysis: because searches run continuously, malicious actions will always be reflected in the telemetry available at the time of the search, no matter how short the retention period. By contrast, a Campaign-based Threat Hunting model runs the risk of not searching for a given TTP until the telemetry has already rotated, which prevents its detection.
Scope
Another strength of the Continuous Threat Hunting model is the completeness of the threat search. While Campaign-based Threat Hunting focuses only on the specific TTPs associated with the current campaign, the Continuous Threat Hunting model covers all TTPs known to the service. This ensures that all TTPs are analyzed continuously, not just those covered by a given campaign.
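To make the retention and scope arguments above concrete, here is an added simulation (written for this edit, not code from the original article or from Tarlogic) of the two models. It assumes a simple day-granular timeline: an adversary action on day a is visible to a hunt on day s only while that day's telemetry is still retained (a <= s <= a + retention), and campaign hunts run only on the campaign's days for the campaign's TTPs. The TTP labels and campaign windows are constructed sample values.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Hunt:
    ttp: str      # hypothesis / TTP searched for (constructed labels, not MITRE IDs)
    day: int      # day on which the telemetry was queried for that TTP


def continuous_schedule(ttps: Iterable[str], horizon_days: int, interval_days: int) -> list[Hunt]:
    """Continuous model: every TTP known to the service is searched every
    `interval_days` days, and the hunts keep running past the action window."""
    return [Hunt(t, d) for t in ttps for d in range(0, horizon_days + 1, interval_days)]


def campaign_schedule(campaigns: Iterable[tuple[int, int, list[str]]]) -> list[Hunt]:
    """Campaign model: only the campaign's TTPs are searched, once per day,
    and only between the campaign's start and end day (inclusive)."""
    return [Hunt(t, d) for start, end, ttps in campaigns
            for t in ttps for d in range(start, end + 1)]


def detection_delay(ttp: str, hunts: list[Hunt], action_day: int,
                    retention_days: int) -> Optional[int]:
    """Days between an adversary action on `action_day` and the first hunt for
    `ttp` that can still see it (one run while that telemetry is retained).
    Returns None if the telemetry rotates before any such hunt runs."""
    for s in sorted(h.day for h in hunts if h.ttp == ttp):
        if action_day <= s <= action_day + retention_days:
            return s - action_day
    return None


def blind_days(ttp: str, hunts: list[Hunt], horizon_days: int, retention_days: int) -> list[int]:
    """Action days on which `ttp` would never be found: no hunt for it runs
    before that day's telemetry has rotated out of the EDR."""
    return [a for a in range(horizon_days)
            if detection_delay(ttp, hunts, a, retention_days) is None]


def blind_spot_report(ttps, hunts, horizon_days, retention_days) -> dict[str, int]:
    """Number of blind days per TTP over the action window."""
    return {t: len(blind_days(t, hunts, horizon_days, retention_days)) for t in ttps}


# Constructed scenario: 90-day action window, the EDR keeps telemetry for 7 days.
TTPS = ("cred-dumping", "lateral-smb", "persistence-task", "exfil-dns")
HORIZON, RETENTION = 90, 7
CONTINUOUS = continuous_schedule(TTPS, HORIZON, interval_days=3)
CAMPAIGN = campaign_schedule([(10, 14, ["cred-dumping", "lateral-smb"]),
                              (50, 54, ["persistence-task"])])  # exfil-dns never in scope

if __name__ == "__main__":
    for name, hunts in (("continuous", CONTINUOUS), ("campaign", CAMPAIGN)):
        print(name, blind_spot_report(TTPS, hunts, HORIZON, RETENTION))
```

With a 3-day hunt interval shorter than the 7-day retention, the continuous schedule has no blind days and a worst-case delay of two days, whereas each campaign TTP is blind for 78 of the 90 days and the out-of-scope TTP is never searched at all.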
Adaptability
In addition to its greater coverage, the Continuous Threat Hunting model offers an advantage in adaptability and responsiveness. By maintaining constant vigilance, security teams can identify and address new tactics and techniques used by adversaries, even before they become a widespread threat.
In the Continuous Threat Hunting model, the Threat Hunter can analyze and include a new threat from day zero, as soon as it is detected, without waiting for it to become part of a campaign. Therefore, based on the definition of Proactive Threat Hunting, the Continuous Threat Hunting model offers better coverage and shorter detection times, and it takes on emerging threats that do not yet qualify for inclusion in a campaign earlier.
Conclusion
A Continuous Threat Hunting model such as the one provided by Tarlogic’s BlackArrow division is demonstrably more complete than a Campaign-based Threat Hunting model, as it provides:
- Greater coverage of TTPs.
- Earlier threat detection.
- Greater agility in testing new TTPs.
A Campaign-based Threat Hunting model introduces a series of risks that, from our point of view, should not be acceptable. For example, if a given TTP is not searched for promptly and the available telemetry rotates before the search runs, detecting that TTP becomes impossible.