Threat Hunting: Changing the Mindset of Security Operations

 Chris Gerritz, CEO and Co-Founder, Infocyte

Chris Gerritz, CEO and Co-Founder, Infocyte

Prevention. Detect and Respond. Defense in Depth. Enterprise security strategies have continued to evolve in response to ever increasing threats. Once upon a time, putting up a firewall and installing antivirus were enough to keep a clean network. Now, security breaches are commonplace—even expected—despite our best efforts to keep hackers out.

We can build our walls higher and higher, but against a persistent adversary, prevention is bound to fail. What then? Traditional security operations use a detect and respond approach: wait for sensors (Intrusion Detection System or antivirus) to alert on an event, then investigate that alert. In a properly instrumented network, these events can be detected hundreds of times a day—far too many to handle with limited staff.

It’s time to change our approach to security and empower the enterprise with proactive strategies to identify and eradicate malware and other persistent threats.

Hackers: already inside

In the current paradigm, we have to assume adversaries and malicious software will get through, or are already inside the network. Daily headlines tell of breaches—many of them going weeks, months, or years before being found. Depending on what industry report you read, the average security breach goes undetected between 170 and 256 days[i].  

This type of persistent access allows attackers to spy on operations, steal sensitive information, corrupt files and cause physical damage. They use your network to attack other targets with impunity, or lie in wait for a political motive to strike. 

Those that are proactive and not willing to wait for a media article or law enforcement official to alert them to a problem have a new option: Threat Hunting. 

Threat Hunting: detect and eradicate

Threat hunting is the proactive search for hidden adversaries and malware within a network. It reduces the dwell time of attackers and removes them before they cause ongoing damage. Threat hunting can be conducted by searching for malicious activity in a central log database (i.e., SIEM) or by directly interrogating endpoint devices. What to look for usually comes from shared or subscription threat intelligence services, or by utilizing a hunt tool designed to look for post-compromise indicators.

Employing threat hunting as part of an organization’s defense-in-depth strategy to catch what prevention technologies miss will mitigate the possible damage that can be caused from prolonged unauthorized access.


Chris Gerritz
CEO and Co-Founder, Infocyte

Chris Gerritz is the CEO + Co-Founder of Infocyte, a provider of agentless hunt technology that eradicates malware and persistent threats. Gerritz, a retired Air Force officer and service-disabled veteran, is a pioneer in defensive cyberspace operations having built the U.S. Air Force’s first interactive Defensive Counter Cyberspace (DCC) practice.

More about Chris


[i] 2015 Cost of Data Breach Study: Global Analysis: http://www-03.ibm.com/security/data-breach/