What is Threat Hunting?

Discover threats lurking in your environment

Definition

Secureworks' definition of threat hunting

Threat hunting applies human creativity and environmental context to overcome deficiencies in detection capabilities. It focuses on the assets that the organization needs to protect the most. Threat hunting is not penetration testing, security monitoring, or incident response, but it can include aspects of those activities.

Why is it important?

Many organizations struggle to overcome the same problems:

  • It is difficult to identify and protect assets, applications, and data spread across on-premises and cloud-based environments.
  • Relying solely on indicators from open-source intelligence can prevent network defenders from noticing other malicious activity in their networks.
  • Focusing on reacting to alerts and individual incidents could cause network defenders to ignore root causes and miss an opportunity to prevent future threats.
  • Threat actors continually evolve to evade security controls and detection.

The goal of threat hunting is to convert operational challenges into strengths. It is a force multiplier, occupying the space between threat intelligence, security operations, and incident response. A common saying in incident response is: "it's not a matter of IF your network will be compromised, it's a matter of WHEN." Threat hunting takes a different perspective: assume a threat has already occurred and was not detected. By proactively identifying compromises and discovering malicious activity not detected by automated tools, organizations can mitigate threats and use the insights to improve their security posture.

How can Secureworks help?

Secureworks offers annual managed and point-in-time threat hunting services that help organizations that are just getting started or that need a long-term partner. After collaborating with customers to understand their environment, we focus on identifying unknown and novel compromise activity so customers can concentrate on fortifying their environments and responding to known incidents.


World Class Research Team

Our world-class Secureworks Counter Threat Unit™ (CTU™) research team consumes data from more than 4,000 monitored customer environments and nearly 1,400 incident response engagements per year, in addition to bringing in open-source intelligence research, industry and government partnerships, and Secureworks Adversary Group services. Using this information, CTU researchers define and refine detection logic, then analyze alerts to identify false positives. Limiting escalations to likely and/or confirmed true positives minimizes the amount of 'noise' the customer needs to review. We map threat hunting activities to industry-standard threat models, such as the MITRE ATT&CK framework, and stay up-to-date with emerging standards.


Machine + Human Intelligence

Human interaction is a key component of threat hunting, but humans do not have the time or computational capacity to process data from the ever-growing number of information sources. We run data through our Secureworks Taegis™ security analytics platform, which identifies abnormalities, irregularities, and similarities to known threat activity. We then apply human analysis to bridge the gap between detection logic that applies to all customers and detection logic tailored to a specific organization.



Point-In-Time Threat Hunting Services

Threat Hunting Assessment

This 30-day comprehensive and intensive evaluation of a customer's environment reveals unknown compromises and cyber threats that can evade security controls. Combining human intelligence with our proprietary technology and security analytics enables us to identify historical and active compromises and recommend actionable prevention and detection capabilities, while also improving incident response outcomes.


Threat Hunting: Virtual Workshop

Secureworks offers managed and individual threat hunting services that help organizations that are just getting started or that need a long-term partner. After collaborating with customers to understand their environment, we focus on identifying unknown and novel compromise activity so customers can concentrate on fortifying their environments and responding to known incidents.
