avatarAlex Teixeira

Summary

The article discusses the overlapping roles and responsibilities of Threat Hunting and Detection Engineering within a Cyber Security Program.

Abstract

The article explains that Threat Hunting and Detection Engineering are becoming increasingly important in a Cyber Security Program. The author describes the boundaries and overlaps between the two practices and argues that successful hunting leads to good detections. The author suggests that merging both Detection Engineering and Threat Hunting teams into one single practice may be a way forward. The article also discusses the career development path for a Detection Engineer, from Analyst to Engineer to Data Ninja, and the importance of fluency in data query mechanisms.

Opinions

  • The author believes that Threat Hunting has a play on Detection Engineering and that successful hunts have a play on Detection Engineering.
  • The author suggests that the overlap between Threat Hunting and Detection Engineering is a natural step in career development.
  • The author argues that a great detection idea comes from your own incident database and that known incidents will not only help address any log visibility gaps but will also drive good detections when the telemetry is available.
  • The author suggests that humans don't like to be labeled and that merging both Detection Engineering and Threat Hunting teams into one single practice may be a way forward.
  • The author emphasizes the importance of fluency in data query mechanisms for both Threat Hunting and Detection Engineering.

The dotted lines between Threat Hunting and Detection Engineering

There's no way out, the practices of Detection Engineering and Threat Hunting are becoming utterly important within a Cyber Security Program.

How to define boundaries and establish ownership of the processes involved? Where's the overlap? Read along for some insights from the field.

Give me a hunt, I give you a detection

I have been writing about Detection Engineering for some years but never had the need to formally define it as the name implies it all: it's about engineering (cyber threat) detections.

Is someone considered a Detection Engineer only if writing detections for a SIEM? What about other event or log-based platforms (ex.: Spark)? What about Yara, EDR, NIDS, WAF? The concept applies to many technologies.

What's common from all of the above? There's some sort of automated built-in process. There's a rule or analytics engine loaded with some code (process) inspecting data streams (input) and generating events (output).

We give the engine some instructions (logic) and it starts spiting out indicators, alerts, signals or whatever you want to call it — automatically. Does this concept applies to Threat Hunting? Maybe, to some degree.

I believe there's some sort of interactive component to hunting as it does to detection engineering prototyping. The hunter has an idea and starts playing with it. Once successful, a security incident or even a ticket towards Incident Responders or Forensics Analysts might be filed.

Same goes for a detection engineer — when prototyping.

It's fairly common to spot actual incidents when prototyping a SIEM rule, especially when performing historical analysis trying to assess if the new detection is going to generate acceptable alert volume.

When does a hunting lead starts to exist? Is it at the moment a hunter has an idea (hypothesis) and starts digging though logs to validate it? Or is a hunting lead simply a breadcrumb coming in form of an alert?

Yes, it can get a bit blurred with more questions than answer. If you want to read more about the origin of the Hunting term, please check here, it's really worth the read and perhaps that can change your view about it.

But let's exercise that further.

Where does each practice start and end?

Threat Hunting commonly gets input from Threat Intel. So, is it about IOC scanning? Definitely not! Is it about looking for threat actor behaviors? Seems about right. But isn't that a detection motto too?

Try to follow this thought process:

  • Threat Hunting works based on hypothesis? Yes.
  • Can we automate that process once we find a solid one? Yes.
  • So is a hunter also designing detection to a certain degree?
  • Isn't that a valid input for the detection engineering process?

So for me, successful hunts have a play on Detection Engineering. And that's pretty much why I like to sometimes answers those discussions with this provocative meme:

https://twitter.com/ateixei/status/1488280157098061829

Hunting also overlaps with other areas of SecOps such as security analysis and investigation. Here's another exercise:

  • What's the output of an automated, successful hypothesis check?
  • If I follow up on that output, am I a hunter or a security analyst?
  • Is a hunter actually a senior security analyst then?
  • Isn't following up on that automated output about triage and investigation?

Can we call a Threat Hunter a 'Jack of all trades'? 🃏 Well, I am 100% sure many small cyber teams are playing that role for a long time anyways, the hunters are no exception.

Regardless, at some point you really need a process with distinct roles and responsibilities (ownership), otherwise there’s no focus. No clear boundaries and overlaps might introduce inefficiencies and even re-work.

The Path: Analyst > Hunter > Engineer > Data Ninja

Also, we might consider that overlapping as a natural step in career development. How can a Detection Engineer write good detections without any security analysis or hunting experience?

While some hunters will specialize in Digital Forensics or Incident Response (DFIR), many will eventually evolve to Data Engineering related positions. Besides security analysis, Offensive Security, Data Engineering and Statistics (Machine Learning) seem to be a good path forward.

It's all about Data

Whether Threat hunting is about finding threats or intruders, there's one thing we should agree here: it's about data analysis. Nobody is pasting notes on a cork board or using nigh-vision binoculars to hunt.

Someone seats in front of a computer and starts questioning data — as boring as it may sound (I don't think it is at all!).

Having said that, I believe there’s one skill both roles should have in common: fluency in data query mechanisms. For example, if the main platform is a SIEM, mastering the query language is a must.

The dotted lines

If a hunt uncovers an incident, it might as well lead to a good detection.

Assuming a successful hunt leads to a security incident, why wouldn't you be willing to avoid or spot the issue in case it happens again? That's usually done via preventive and detective controls.

I keep repeating this in every project I start: a great detection idea comes from your own incident database. If you are not documenting incidents, how can you learn lessons and track progress to start with?

Now assuming you are tracking incidents, why wouldn't you focus on implementing controls around a threat that already impacted your organization (incident)?

Known incidents will not only help address any log visibility gaps but will also drive good detections when the telemetry is available.

Is "DETH" the answer?

Some organizations are proposing to merge both Detection Engineering (DE) and Threat Hunting (TH) teams as part of one single practice. Is that the way to go? Maybe.

The fact is humans don’t like to be labeled as it somehow seems to limit their abilities to their audience, which is another problem.

As a tech leader, I would ponder what makes more sense within the organization, what solid skills are already in the team and how the prominent members would be able to help you layout processes around it with automation and scalability in mind.

Try to pick one practice and embrace it! Whether you call yourself a Detection Engineer or a Threat Hunter, consider following this blog for more insights on both practices!

The next blog post will be an updated version of the following article:

https://ateixei.medium.com/jira-workflow-for-detection-engineering-teams-a7433f4c2a9f

Siem
Threat Hunting
Detection Engineering
Dfir
Data Engineering
Recommended from ReadMedium
avatarAlex Teixeira
Baselines 101: Building Resilient, Frictionless SIEM Detections

How to leverage Enterprises' Circadian Window to spot unusual activity and potentially uncover cyber threats.

12 min read
avatarEren Cankut Uysal
Advanced Network Traffic Analysis and Intrusion Detection with Zeek and Suricata

This document explores advanced techniques for analyzing network traffic and detecting intrusions by leveraging two powerful open-source…

3 min read
avatarThomas Roccia
Applying LLMs to Threat Intelligence

A Practical Guide with Code Examples

15 min read
avatarGhostploit
Splunk series: Rule Development (Part 3)

Hello, my digital adventurers! In today’s blog, I will show you how to create a rule or alert (in Splunk terms) in Splunk. This is the 3rd…

5 min read
avatarRyan McGeehan
Prioritizing Detection Engineering

Detection Engineering is a concept that has emerged in the detection space. It acknowledges the complexity of a detection stack and the…

9 min read
avatarAndrew Blooman
Container Security Scanning

Keep your containers vulnerability free and securely configured

9 min read