Threat Hunting: Root out the Bad Guys Before it’s Too Late

With cybercrime high on the agenda for many, IT professionals have spent too much time and energy discussing the causes, methods and impact of data breaches. Yet the length of time it takes to actually detect compromise should have us all up in arms.

According to our recent research, 28% of CIOs claim they are ‘not concerned’ about the length of time it takes to discover a breach, and a further 26% believe it takes less than two weeks to spot a data breach. Yet another study from the Ponemon Institute reports it takes 258 days on average to detect a breach, so the confidence CIOs have in detecting a breach quickly is clearly misaligned with reality.

Furthermore, 85% admit that despite their best intentions (or often whatever fits within the budget), they are failing to take a proactive approach to hunting out threats. It doesn’t add up: believing that threats can be discovered within two weeks while “doing more of the same”, which results in hundreds of days on average before discovery, means we are not doing what is required to protect our information.

The race against time

The 28% of CIOs in the study who say they are ‘unconcerned’ about the length of time it takes to detect a breach are playing with fire. Not only do they need to understand reality, but they also need to accept that the speed at which you can discover compromise is critical. One of the reasons is how the criminals operate: the initial point of entry into an organization’s data infrastructure is often just a stepping stone to the ultimate target.

Cybercriminals find weak spots to force entry, then sit and wait quietly, getting to know your systems and understanding your defences. The longer they have access, the bolder they get as they work their way through the organization until they reach the ‘crown jewels’, such as highly sensitive customer or financial data. This is why it’s vital for organizations to reduce their ‘attack surface’, i.e., the number of attack vectors that the hacker can use to enter the organization in the first place.

The 2014 eBay data breach is a good example. Attackers compromised the personal data of 145 million eBay users, in many cases stealing email addresses and names. The attackers would not have been able to access such a vast amount of data if they had been detected promptly, but in this case, they were in eBay’s network for 229 days before being identified. When an attack is finally detected, investigators often are only seeing part of the process. So what can companies do to detect threats faster?

Use your team wisely

In the security community there is a common mantra that companies should work from the assumption they have already been breached. Contrast that with the research findings that show so many CIOs are quite open about not actively hunting for threats and you get a less-than-pretty picture. After all, technology cannot find everything, so who is finding what your automated alerting systems are not?

It’s not entirely the fault of CIOs or CISOs. Some are faced with a ‘too many cooks spoil the broth’ situation: they have so many different tools that it gets hard to see the wood for the trees. This can create a false sense of security – they have already invested heavily in a range of security solutions, so how could they be at risk? Yet many have not adapted their security tooling to meet the needs of the modern business.

While the network was once the organizational perimeter and the main target for would-be hackers, today, hackers target the employees and their devices as they are the weakest point of entry.

Another issue is that this wealth of security solutions is drowning teams in alerts and false positives. When everything is a red alert, how do you know what’s really a red alert? Alert fatigue can soon set in and important notifications become lost in a haze; not only that, but CIOs often have to work with limited resources.

We are in the midst of a skills crisis in security, therefore finding professionals who have the expertise to hunt threats is no easy task – to then have these people tied up dealing with non-critical alerts is criminal.

Three steps to speedy threat detection

So how can we shift the needle from reactive to proactive security? The first step is a change in attitude: assume you’ve been breached and try and find out where and how. Taking a threat hunting approach will put you in a much stronger defensive position.

The next step is to free your people’s time so that they can apply themselves to higher-value threat hunting by automating alerts and responses where possible, but also by helping to prioritize threats more effectively. A key part of this is having greater context about threats. Most security teams are living in bubbles: they can only see that there is unusual activity happening, but they cannot see whether this is something that other companies are seeing as well. Having threat intelligence that can determine what threats are real, and which are harmless, can save huge amounts of time and ensure you do not miss the big-ticket items.

Lastly, put the right tools in place to help you find threats faster. Taking a multi-layered approach to security is vital. In particular, having always-on continuous monitoring on each and every endpoint device can act as your ears and eyes on the ground. Matching smart technology with skilled individuals and a realistic understanding of the threat you face will put you in good stead for the future.
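The three steps above describe a triage pipeline in prose: collapse the flood of raw alerts, use shared threat intelligence to drop what other organizations already know is harmless, and rank what remains by asset value and by how long the activity has gone unaddressed, so that skilled hunters start with the item most likely to be a 229-day intruder rather than the loudest one. The following Python script is an added example written for this page, not code from the article or from Infosecurity Magazine; the alert stream, the threat-intelligence feed, the asset inventory and the scoring weights are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed threat-intelligence feed (assumption: a plain dict of indicator
# sets, not any real vendor's format). Addresses come from the RFC 5737 test
# ranges and names use the reserved .example domain.
THREAT_INTEL = {
    "malicious": {"203.0.113.7", "evil-updater.example"},
    "benign": {"updates.vendor.example"},
}

# Hypothetical asset inventory: 3 = holds the 'crown jewels', 1 = ordinary workstation.
ASSET_CRITICALITY = {"db-finance-01": 3, "hr-fileshare": 3, "ws-marketing-12": 1}

# Constructed raw alert stream as (timestamp, host, indicator). Repeated hits on
# the same host/indicator are exactly the noise that causes alert fatigue.
RAW_ALERTS = [
    ("2024-05-20 09:00", "ws-marketing-12", "updates.vendor.example"),
    ("2024-05-21 09:00", "ws-marketing-12", "updates.vendor.example"),
    ("2024-04-02 03:14", "db-finance-01", "203.0.113.7"),
    ("2024-05-30 03:15", "db-finance-01", "203.0.113.7"),
    ("2024-05-31 22:00", "hr-fileshare", "198.51.100.23"),
    ("2024-05-25 08:00", "ws-marketing-12", "198.51.100.23"),
]
NOW = datetime(2024, 6, 1, 12, 0)  # constructed "time of triage"


@dataclass
class Alert:
    host: str
    indicator: str
    first_seen: datetime  # earliest related activity: the start of the dwell time
    last_seen: datetime
    count: int


def aggregate(raw):
    """Collapse repeated (host, indicator) hits into one Alert with a time span."""
    merged = {}
    for ts, host, ind in raw:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        key = (host, ind)
        if key not in merged:
            merged[key] = Alert(host, ind, t, t, 1)
        else:
            a = merged[key]
            a.first_seen = min(a.first_seen, t)
            a.last_seen = max(a.last_seen, t)
            a.count += 1
    return list(merged.values())


def dwell_days(alert, now):
    """How long this activity has gone unaddressed, in whole days."""
    return (now - alert.first_seen).days


def score(alert, now):
    """Priority score (assumed weights): TI verdict, asset value, dwell time."""
    if alert.indicator in THREAT_INTEL["benign"]:
        return 0  # suppressed: other organizations already know this is harmless
    s = 50 if alert.indicator in THREAT_INTEL["malicious"] else 0
    s += 10 * ASSET_CRITICALITY.get(alert.host, 1)
    s += min(dwell_days(alert, now), 30)  # the longer it has sat, the more urgent
    return s


def triage(raw, now):
    """Return (score, Alert) pairs worth hunting, highest priority first."""
    ranked = [(score(a, now), a) for a in aggregate(raw)]
    return sorted(((s, a) for s, a in ranked if s > 0), key=lambda p: -p[0])


if __name__ == "__main__":
    queue = triage(RAW_ALERTS, NOW)
    print(f"{len(RAW_ALERTS)} raw alerts -> {len(queue)} items to hunt")
    for s, a in queue:
        print(f"{s:4d}  {a.host:16s} {a.indicator:24s} seen x{a.count}, "
              f"dwell {dwell_days(a, NOW)}d")
```

On the constructed data, six raw alerts collapse to four, the known-benign update traffic is dropped, and the finance database that has been talking to a known-malicious address for two months lands at the top of the queue ahead of a newer but unclassified hit on a workstation. The dwell-time term is the important design choice: without it, a long-running intrusion that only trips a low-severity rule stays buried, which is how dwell times of hundreds of days happen.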
