Attack is the Best Form of Defense, Time to go Threat Hunting

Written by

Facing a constant 24x7x365 threat, many organizations have invested in a standard array of network and endpoint security tools designed to block attacks and protect their networks, data and applications.

The problem with traditional security strategies, and why large-scale data breaches continue to dominate the headlines, is that the approach is too reactive. It’s time for organizations to take some initiative with threat hunting and seize control from the attackers by proactively uncovering unknown attacks.

Traditional tools are effective for identifying known threats, but organizations need the knowledge, skills, and up-to-date experience with emerging threats, indicators of compromise, exploit code and having the situational awareness to know the types of attacks that are most relevant to their IT systems.

Waiting nervously behind a weak defensive wall, for an onslaught of more capable and complex networks of attackers, is no longer a viable security posture. That reactive approach, with an over-reliance on technology being programmed to ‘prevent’, will not protect businesses.

Security teams need to be proactive; on the hunt to find potential exploits of vulnerabilities and indicators of compromise, while also searching for suspicious activity and anomalies that may not necessarily be detected by a tool but could be indicative that an attack is taking place

Therefore, threat hunting has evolved into a modern-day sport. Traditional (reactive) cybersecurity defense should be used in conjunction with proactive cyber threat hunting .

Cyber threat hunting isn’t only about finding a malicious needle in a digital haystack. While knowing what is normal and looking for what doesn’t belong (establishing a baseline) is an essential component, threat hunting can discover performance issues, arbitrary (non-malicious) files and/or data stores.

So, how should you kick off cyber threat hunting? To effectively hunt, analysts must think like an attacker. They must not be overly reliant on well-known Indicators of Compromise (IOC) or static alerts from a security device.

A modern proactive security operation combines expertise, technology and process underpinned by threat intelligence; using multiple data sources to proactively analyze, identify and investigate potential attack scenarios such as a compromised server, which traditional security defenses may have already missed.

This enables the security operations team to make informed decisions on the relevant data and use well-versed processes to make sure all threats are detected rapidly and responded to effectively. 

The standard way of approaching this is by establishing the cyber kill chain, which ranges from reconnaissance through to actions. Approaching threat hunting in this way means there is a disciplined framework. 

The first step for cyber threat hunting is determining the relevant data sources. This could include system logs, security event data and host-level information. Companies must then establish whether these data sources effect the entire company, or just business silos.  

There are then two approaches to threat hunting, targeted and generic. For targeted, there is an evaluation of the potential threats and their tactics along the kill chain, enabling analysts to focus on potential data sources which could be targeted.

For generic hunting, analysts should scope individual hunt missions based on the categories of the cyber kill chain. Added to this, businesses must identify the time frame for when to investigate threats, which can range from regular cycles for generic hunting, to broad hunting so long as it’s within a defined scope. 

If indicators or suspicious items are found, analysts should shift their focus across the cyber kill chain to establish more evidence of an attack or carry out the investigation. If activity is caught early enough, it is even possible to hinder interactive attacker activity in progress.

Essentially, an analyst conducting the cyber threat hunt evokes their technical knowledge, skills and abilities to search for anything out of the ordinary. It takes a combination of technical experience and an insatiable curiosity to dig through details, run queries and manually validate a threat or potential threat. 

However, this is a specialist skill within a specialist sphere – there is a difference between an analyst trained to react to an alert from a device, to one who analyses and “hunts” through data to detect anomalies that a sensor may not necessarily identify.

Cyber threat hunting requires a more advanced security skillset that covers expertise in operations and analytics, attacker methodology, incident response and remediation, and intelligence capabilities. 

Finding these skills internally can be challenging, that’s why many businesses find an advantage of working with managed security service provider during this process. Since they have a big customer base, they have access to a diverse data set and associated gleaned intelligence to undertake comparisons which makes it easier to identify suspicious activity based on anomalies.

Striking this balance shows an understanding of the value gained using this proactive approach, because it contributes to the on-going mission to maintain an organization’s overall cybersecurity posture. Take back control and uncover the enemy, before the enemy uncovers everything you own.

What’s hot on Infosecurity Magazine?