Light Dark
August 23, 2017 By Eric Cole 3 min read
Risk Management
Data Protection
Threat Hunting

This is the first installment in a three-part series on threat hunting. Be sure to read Part 2 and Part 3 for more information.

One of the fundamental problems with cybersecurity is that organizations often do not realize when they are compromised. Traditional incident response methods are typically reactive, forcing security teams to wait for a visible sign of an attack. The problem is that many attacks today are stealthy, targeted and data-focused.

Just stop for a moment to ask yourself: How would you know if you were compromised? The typical answer is that you would not detect a compromise until significant damage has already been caused. Security professionals need a more aggressive approach to proactively hunt for threats on their networks.

Listen to the podcast: The Art of Cyber Threat Hunting

What Is Threat Hunting?

Threat hunting is the act of tracking and eliminating cyber adversaries from your network as early as possible. A key tenant of cybersecurity is that prevention is ideal, but detection is a must. In a digital climate that is changing at an incredibly rapid pace, it is unrealistic to believe that your organization will never be compromised. It is impossible to eliminate every threat to your organization, so you must be able to perform early detection and remediation.

Threat hunting offers many benefits, including:

  • Reduction in breaches and breach attempts;
  • A smaller attack surface with fewer attack vectors;
  • Increase in the speed and accuracy of a response; and
  • Measurable improvements in the security of your environment.

Once you understand and accept that you will be or already have been targeted and possibly compromised, you will be able to address security through a more realistic lens.

The next step is outlining what actions you need to take to quickly and proactively defend against malicious activity. This is where threat hunting comes into play. Threat hunting typically involves five steps:

  1. Planning: Identify critical assets.
  2. Detection: Search for known and unknown threats.
  3. Responding: Manage and contain attacks.
  4. Measuring: Gauge the impact of the attack and the success of your security.
  5. Preventing: Be proactive and stay prepared for the next threat.

This process allows you to gain further visibility into your network. The identification of hidden connections, covert channels and many other nefarious network activities provides for a much stronger security posture. Without this visibility into your network, you are essentially wearing a blindfold on a battlefield.

Focusing Your Threat Hunting Program

Today’s cyberthreats are constantly increasing in complexity, specificity and impact. These threats are as advanced as they are persistent. While some organizations do perform some type of threat hunting, the areas of focus and the resources being allocated are often misplaced.

Related: Keep Intruders Out of Your Network With Proactive Threat Hunting

Furthermore, these threat hunting programs are often informal and not repeatable. This means that organizations are still acting reactively to threats. The informality of the threat hunting programs also means that there are no metrics being created to document the success or failure of initiatives, so organizations are creating new processes for each threat they face.

When building a threat hunting program, security leaders should focus on four metrics:

  1. Length of connections;
  2. Amount of data being transferred;
  3. Failed and successful access attempts; and
  4. Number of dropped packets at the firewall.

Attacks that have made recent news were able to breach organizations that were not taking a proactive approach to security. WannaCry, for example, exploited a Windows vulnerability that had been identified over a decade ago. Because the victim organizations had not performed aggressive threat hunting, an erroneous service served as the perfect vector for the attackers. Meanwhile, the EternalRocks malware took advantage of the exact same vulnerability, meaning that many organizations failed to act even after the WannaCry attack.

Modern Attacks Require Enhanced Visibility

Traditional methods of defense revolve around reactive security — waiting for visible signs of a breach and taking appropriate actions in response. Modern attacks are much more advanced and sophisticated. These types of attacks rarely show signs and often go undetected for months or years. Proper threat hunting offers sufficient network visibility to help security professionals detect malicious activity and respond accordingly.

Listen to the podcast: The Art of Cyber Threat Hunting

 |  |  |  |  | 
Eric Cole

More from Risk Management
April 24, 2024

Researchers develop malicious AI ‘worm’ targeting generative AI systems

2 min read - Researchers have created a new, never-seen-before kind of malware they call the "Morris II" worm, which uses popular AI services to spread itself, infect new systems and steal data. The name references the original Morris computer worm that wreaked havoc on the internet in 1988.The worm demonstrates the potential dangers of AI security threats and creates a new urgency around securing AI models.New worm utilizes adversarial self-replicating promptThe researchers from Cornell Tech, the Israel Institute of Technology and Intuit, used what’s…

April 17, 2024

What should Security Operations teams take away from the IBM X-Force 2024 Threat Intelligence Index?

3 min read - The IBM X-Force 2024 Threat Intelligence Index has been released. The headlines are in and among them are the fact that a global identity crisis is emerging. X-Force noted a 71% increase year-to-year in attacks using valid credentials.In this blog post, I’ll explore three cybersecurity recommendations from the Threat Intelligence Index, and define a checklist your Security Operations Center (SOC) should consider as you help your organization manage identity risk.The report identified six action items:Remove identity silosReduce the risk of…

April 16, 2024

Obtaining security clearance: Hurdles and requirements

3 min read - As security moves closer to the top of the operational priority list for private and public organizations, needing to obtain a security clearance for jobs is more commonplace. Security clearance is a prerequisite for a wide range of roles, especially those related to national security and defense.Obtaining that clearance, however, is far from simple. The process often involves scrutinizing one’s background, financial history and even personal character. Let’s briefly explore some of the hurdles, expectations and requirements of obtaining a…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature