The increasing complexities surrounding information security has seen more and more businesses investing in threat hunting, the process by which a dedicated team of security experts seeks to detect and asses threats before they cause significant harm to an organization, and to take early steps to mitigate and respond to them.
Threat hunting has become an increasingly important element of cybersecurity strategies, as defensive capabilities have shifted from the more traditional approaches to threat management such as firewalls, to one which is far more proactive and investigative in nature.
As technical lead at the Cisco Talos Security Intelligence and Research Group, Martin Lee researches the latest developments in cybersecurity and delivers expert opinion on emerging threats and related risks. He is Certified Information Systems Security Professional (CISSP) and a Chartered Engineer, Lee has more than 20 years of experience in system development and 15 years within the security industry.
Infosecurity Magazine recently spoke with Lee to get his take on the current threat hunting landscape and the role that threat hunting plays in modern cybersecurity.
How important is threat hunting in modern cybersecurity strategies?
Threat hunting teams are to cybersecurity what the flying squad is to neighborhood policing. That is to say that most organizations would achieve the best improvements in their security posture by fixing simple security weaknesses. However, once a certain level of maturity in security is reached, there is no substitute for having a threat hunting team dedicated to spotting the traces left by even the most sophisticated attackers. Threat hunting, coupled with an effective incident response team, gives organizations the ability to swiftly identify and respond to incidents before harm is incurred.
What are the best practices for cybercrime hunting?
Hunters need to have an inexhaustible sense of curiosity to constantly want to find out what is ‘different’ or ‘odd’ within a system and to find out why this is happening.
The simplest form of hunting is to read reports and case studies of threats that have been identified, and to look for published indicators of compromise. A better approach is to think ‘what might something similar look like in my environment?’ and to look for other traces that might be left in your logs.
Best practice involves automation, combining the ability of machines to analyze large amounts of data with the human ability to understand the wider picture and investigate suspicious activity. Algorithms can continuously search vast amounts of data in order to spot significant activity to which an analyst can respond. Human intuition and understanding remains the best tool to investigate suspicious activity in detail.
What systems and resources are required for effective threat hunting?
Threat hunters need a rich hunting ground of data from various resources comprising the system and network logs which describe what is happening in an environment. They also need the tools to be able to ask questions of the data, both to look for specific items that are known to be malicious, and to analyze the data statistically to spot outliers which may be an indication of something unusual happening.
What are the key challenges that need to overcome to master threat hunting and response?
A key point which is often overlooked is the psychological side of hunting. Hunting is difficult, and often results in nothing being found. This can leave hunters feeling despondent. Maintaining the sense of curiosity and the thrill of discovery within the team is important to keep focus, and to keep threat hunters hunting. Ultimately, nothing beats the feeling of uncovering bad guys in the middle of an attack, and denying them the opportunity to cause harm.