Can organizations proactively hunt for and deter cyberthreats? Is threat hunting and hunt analysis feasible? Cybersecurity leaders tackled these questions in this issue of our Enterprise Intelligence Brief.

2017: The Year of Threat Hunting Analysis

Cyberthreat intelligence expert Bob Stasio predicted that 2017 will be the year of threat hunting analysis. This year, he forecast, “organizations will proactively search through their networks for threats versus having an alert to indicate a problem.”

Stasio explained that threat hunting is indeed possible with the proper resources.

“Threat hunting is inherently predictive and thus requires the integration of intelligence analysis techniques,” he said. “This will require the classic integration of people, process and technology. Organizations must recruit talent for these hunting roles and pursue technology historically used in the intelligence community.”

At least a small percentage of malicious actors, he added, will be able to break through any automated security measure on the market. Intelligence-driven hunting can fill that remaining gap in the cybersecurity spectrum by putting humans in the loop.


“Organizations must start from the top down,” Stasio advised. “Begin by pursuing a leader with experience in the intelligence community to spearhead your hunting effort. This person should have the contacts to expand the team and the understanding to build the threat hunting platform.”

Be Proactive, Not Reactive

SecureMySocial CEO Joseph Steinberg warned that IT managers face an uphill battle to keep up with cybercriminals’ advanced tactics.

“In an effort to circumvent existing security technologies,” he said, “sophisticated, hostile actors are constantly improving their approaches and techniques. As a result, while detection tools remain critically important, proactive (and perpetually iterative) hunting for cyberthreats is necessary.”

Although most companies already hunt for threats, Steinberg said he expects to see organizations install “much more robust forms of proactive hunting” in 2017. Without it, he argued, “one or more of the growing number of advanced attacks may slip by cybersecurity countermeasures and lead to potentially catastrophic situations.”

The bottom line, Steinberg concluded, is that “utilizing a blend of approaches delivers better results than putting all of one’s cybersecurity eggs in one basket.”

Threats Lurking From Within

Scott Schober, president and CEO of Berkeley Varitronics Systems and author of “Hacked Again,” explained that most organizations have already been breached, whether they know it or not.

“Within all corporations exists a high likelihood of hidden threats that have already made way into the organization’s computer networks,” Schober said. “Corporations cannot afford to assume they are 100 percent secure, regardless of the steps they may have taken to mitigate cyberthreats and implement security precautions. Perimeter defense will always be necessary due to new advances in wireless technology, the same technology that hackers continually exploit. Therefore, the most proactive posture is to assume that hidden threats already exist within your computer networks and aim to systematically hunt these down.”

Most threats that have already penetrated a network do not instantly seize the opportunity. Security professionals must exhibit the same patience that cybercriminals apply to the long game of network infiltration. This steady approach is the only way to detect the right patterns and respond at the most opportune moment.

Hunt Threats Before They Hunt You

Khalil Sehnaoui, founder and managing partner at Krypton Security, argued that “threat hunting is absolutely feasible and, even more so, definitely recommended.” He said that experts have been proactively pushing organizations to implement threat hunting strategies for years.

“It is important because you cannot rely on just alerts and monitoring to know your network is either safe or under attack,” he said. “Alert systems can only monitor for known threats, and the best defense remains a good offense. Threats come in many a form and the battle is continuously ongoing between defenders and attackers.”

Sehnaoui challenged companies to actively look for threats before the threats find them.

“Just like information security researchers keep looking for new vulnerabilities and exploits, organizations should keep challenging themselves proactively instead of just waiting to react to a problem,” he said. “Often, it is then too late and the harm has been done. Organizations should get started by raising the level of awareness inside the working environment, as the human element is always the greatest threat.”


Risk-Based Threat Analytics

Shahid Shah, cybersecurity and risk management expert, agreed with Stasio on the subject of threat hunting and hunt analysis as a growing initiative.

“We’ve had reactive security, where people respond to breaches after they occur, since the beginning of the computer security era,” he said. “Easy defensive proactive measures that focus on making sure that firewalls and data loss prevention (DLP) tools can stop the obvious breaches before they occur have also been around for a while.”

Hunt analysis, Shah explained, focuses on risk-based user behavior analytics (RbUBA), risk-based user roles analytics (RbURA) and risk-based, attribute-based user analytics (RbABUA), among many other preventative functions tied to specific risks.

“A cybersecurity group that has risk-agnostic defensive proactive measures in place will be considered a ‘table stakes’ organization, but one that focuses on risk-based offensive hunt analysis will be seen as truly innovative, catch more insider threats before they occur and prevent many external breaches from occurring in the first place,” Shah said.

Think Like a Cybercriminal

Michael A. Goedeker, CEO and founder of HAKDEFNET, said he believes threat hunting can benefit both proactive and reactive security strategies.

“Obtaining information about threats and risks is crucial to any successful security team’s training and defense posture because it raises awareness and teaches security professionals to hunt and use the same or similar skills as attackers would,” Goedeker explained. “Being familiar with the attacker’s mindset and way of doing things makes one better at detecting new threats and defending them in a timely manner.”

Start Threat Hunting Today

Cyberthreats are like diseases attacking the core of the world as we know it. Just as we proactively check for ailments and take measures to protect against those to which we are genetically predisposed, governments and corporations alike must take the same approach with cyberthreats.

Has your organization started threat hunting? Learn how you can add threat hunting to your cyberdefense strategy.

