Can organizations proactively hunt for and deter cyberthreats? Are threat hunting and hunt analysis feasible? Cybersecurity leaders tackled these questions in this issue of our Enterprise Intelligence Brief.
2017: The Year of Threat Hunting Analysis
Cyberthreat intelligence expert Bob Stasio predicted that 2017 would be the year of threat hunting analysis. This year, he forecast, “organizations will proactively search through their networks for threats versus having an alert to indicate a problem.”
Stasio explained that threat hunting is indeed possible with the proper resources.
“Threat hunting is inherently predictive and thus requires the integration of intelligence analysis techniques,” he said. “This will require the classic integration of people, process and technology. Organizations must recruit talent for these hunting roles and pursue technology historically used in the intelligence community.”
At least a small percentage of malicious actors, he added, will be able to break through any automated security measure on the market. Intelligence hunting can fill the unincorporated gap within the cybersecurity spectrum by putting humans in the loop.
“Organizations must start from the top down,” Stasio advised. “Begin by pursuing a leader with experience in the intelligence community to spearhead your hunting effort. This person should have the contacts to expand the team and the understanding to build the threat hunting platform.”
Be Proactive, Not Reactive
SecureMySocial CEO Joseph Steinberg warned that IT managers face an uphill battle to keep up with cybercriminals’ advanced tactics.
“In an effort to circumvent existing security technologies,” he said, “sophisticated, hostile actors are constantly improving their approaches and techniques. As a result, while detection tools remain critically important, proactive (and perpetually iterative) hunting for cyberthreats is necessary.”
Although most companies already hunt for threats, Steinberg said he expects to see organizations install “much more robust forms of proactive hunting” in 2017. Without it, he argued, “one or more of the growing number of advanced attacks may slip by cybersecurity countermeasures and lead to potentially catastrophic situations.”
The bottom line, Steinberg concluded, is that “utilizing a blend of approaches delivers better results than putting all of one’s cybersecurity eggs in one basket.”
Threats Lurking From Within
Scott Schober, president and CEO of Berkeley Varitronics Systems and author of “Hacked Again,” explained that most organizations have already been breached, whether they know it or not.
“Within all corporations exists a high likelihood of hidden threats that have already made their way into the organization’s computer networks,” Schober said. “Corporations cannot afford to assume they are 100 percent secure, regardless of the steps they may have taken to mitigate cyberthreats and implement security precautions. Perimeter defense will always be necessary due to new advances in wireless technology, the same technology that hackers continually exploit. Therefore, the most proactive posture is to assume that hidden threats already exist within your computer networks and aim to systematically hunt these down.”
Most threats that have already penetrated a network do not instantly seize the opportunity. Security professionals must exhibit the same patience that cybercriminals apply to the long game of network infiltration. This steady approach is the only way to detect the right patterns to facilitate the most opportune counterstrike.
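As an added example (not from the article or any of the experts quoted in it), the kind of hypothesis-driven hunt the passage describes: instead of waiting for an alert, an analyst looks through ordinary connection logs for the regular check-in rhythm of an implant that is already inside and patiently calling out, a pattern no known-threat signature will fire on. The log format, addresses, timestamps and thresholds are all constructed for illustration.

```python
"""Hunt for periodic outbound connections ("beaconing") in a connection log.
Added example, not from the article; the log format "<unix_ts> <src> <dst>"
and every address, timestamp and threshold below are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed: 10.0.0.5 checks in to 203.0.113.9 on a ~300 s timer (small jitter);
# 10.0.0.7 reaches 198.51.100.20 at irregular, human-paced intervals.
SAMPLE_LOG = """\
1000 10.0.0.5 203.0.113.9
1302 10.0.0.5 203.0.113.9
1598 10.0.0.5 203.0.113.9
1901 10.0.0.5 203.0.113.9
2199 10.0.0.5 203.0.113.9
2503 10.0.0.5 203.0.113.9
1000 10.0.0.7 198.51.100.20
1012 10.0.0.7 198.51.100.20
1540 10.0.0.7 198.51.100.20
1543 10.0.0.7 198.51.100.20
3210 10.0.0.7 198.51.100.20
3215 10.0.0.7 198.51.100.20
"""

def parse_connections(text):
    """Group the log into {(src, dst): [timestamps, sorted ascending]}."""
    pairs = defaultdict(list)
    for line in text.strip().splitlines():
        ts, src, dst = line.split()
        pairs[(src, dst)].append(int(ts))
    return {key: sorted(stamps) for key, stamps in pairs.items()}

def hunt_beacons(text, min_hits=5, max_cv=0.1):
    """Flag src/dst pairs whose inter-arrival gaps are tightly clustered.
    cv = stdev / mean of the gaps: a timer-driven check-in sits near 0,
    human browsing near or above 1. Both thresholds are assumed defaults."""
    findings = []
    for (src, dst), stamps in parse_connections(text).items():
        if len(stamps) < min_hits:          # too few samples to judge rhythm
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        cv = pstdev(gaps) / mean(gaps)
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "hits": len(stamps),
                             "period_s": round(mean(gaps)), "cv": round(cv, 3)})
    return findings

if __name__ == "__main__":
    for finding in hunt_beacons(SAMPLE_LOG):
        print(finding)
```

Real hunts run this over days of proxy or NetFlow data and then triage the hits against known-good software (update checks, monitoring agents), which beacon just as regularly.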
Hunt Threats Before They Hunt You
Khalil Sehnaoui, founder and managing partner at Krypton Security, argued that “threat hunting is absolutely feasible and, even more so, definitely recommended.” He said that experts have been proactively pushing organizations to implement threat hunting strategies for years.
“It is important because you cannot rely on just alerts and monitoring to know your network is either safe or under attack,” he said. “Alert systems can only monitor for known threats, and the best defense remains a good offense. Threats come in many a form and the battle is continuously ongoing between defenders and attackers.”
Sehnaoui challenged companies to actively look for threats before the threats find them.
“Just like information security researchers keep looking for new vulnerabilities and exploits, organizations should keep challenging themselves proactively instead of just waiting to react to a problem,” he said. “Often, it is then too late and the harm has been done. Organizations should get started by raising the level of awareness inside the working environment, as the human element is always the greatest threat.”
Risk-Based Threat Analytics
Shahid Shah, cybersecurity and risk management expert, agreed with Stasio on the subject of threat hunting and hunt analysis as a growing initiative.
“We’ve had reactive security, where people respond to breaches after they occur, since the beginning of the computer security era,” he said. “Easy defensive proactive measures that focus on making sure that firewalls and data loss prevention (DLP) tools can stop the obvious breaches before they occur have also been around for a while.”
Hunt analysis, Shah explained, focuses on risk-based user behavior analytics (RbUBA), risk-based user roles analytics (RbURA) and risk-based, attribute-based user analytics (RbABUA), among many other preventative functions tied to specific risks.
“A cybersecurity group that has risk-agnostic defensive proactive measures in place will be considered a ‘table stakes’ organization, but one that focuses on risk-based offensive hunt analysis will be seen as truly innovative, catch more insider threats before they occur and prevent many external breaches from occurring in the first place,” Shah said.
Think Like a Cybercriminal
Michael A. Goedeker, CEO and founder of HAKDEFNET, said he believes threat hunting can benefit both proactive and reactive security strategies.
“Obtaining information about threats and risks is crucial to any successful security team’s training and defense posture because it raises awareness and teaches security professionals to hunt and use the same or similar skills as attackers would,” Goedeker explained. “Being familiar with the attacker’s mindset and way of doing things makes one better at detecting new threats and defending against them in a timely manner.”
Start Threat Hunting Today
Cyberthreats are like diseases attacking the core of the world as we know it. Just as we proactively check for ailments and take measures to protect against those to which we are genetically predisposed, governments and corporations alike must take the same approach with cyberthreats.
Has your organization started threat hunting? Learn how you can add threat hunting to your cyberdefense strategy.