Know Your Enemy: The Art and Science of Cyberthreat Hunting

From Rome to Mexico City, as my IBM Security colleagues and I have traveled the world teaching cyberthreat hunting, we’ve found a multitude of differing opinions about who is and isn’t a target for cyberattacks.

One attendee at a recent workshop even stated: “My bank isn’t a target for a cyberattack because our country isn’t seen as a major globalized economy.”

The reality, however, is that your organization is always a target. Whether you’re a target of choice or a target of opportunity, it’s not a matter of if you’ll be attacked, but when. There’s even a possibility that attackers are already dwelling within your network and have been for some time.

For example, in 2018, 18 million new malware samples were captured and more than 4,000 ransomware attacks occurred, according to the 2018 Threat Hunting Report. And yet, 52 percent of organizations that suffered a successful cyber-attack in 2017 didn’t make any meaningful structural changes to their security posture in 2018. Some of the reasons companies aren’t investing to protect their most valuable assets include:

  • Lack of education, training and understanding of the rapidly changing network of bad actors and security landscape
  • Overwhelmed by the volume of options and often confusing solutions in the market
  • Unable to transition from a reactive information-driven operations model to more proactive actionable-intelligence
  • Inability to understand actual business risk and costs associated with protection
  • Lack of qualified staff to adequately transform information into intelligence to secure the enterprise
  • False sense of security with their current state
  • Small percentage of advanced threats can have dramatic, negative revenue and brand impact
  • Unable to “connect the dots” across diverse data sets
  • Security market fragmentation and confusion

The sheer number of attacks, changing methods, number of growing community of actors, open market of malicious code, and the lack of internal resources make securing your business assets a challenge. So how does the SOC modernize while dealing with all of these compounding factors of not enough time, money or resources?

Watch the on-demand webinar: Know Your Enemy — Proactive Cyber Threat Intelligence and Threat Hunting

Make the First Move With a Strong Cyberthreat Hunting Team

One of the best ways to get out ahead of malicious actors is with cyberthreat hunting, the act of proactively and aggressively eliminating adversaries as early as possible in the Cyber Kill Chain. The quicker you can locate and track your adversaries’ tactics, techniques and procedures (TTPs), the less impact attackers will have on your business.

Know Your Enemy

So what types of skills does a cyberthreat hunting team require?

Security operations center (SOC) analysts define cyberthreat hunting as reactive indicators of compromise (IoCs) that lead to an investigation of an incident. IoCs are typically generated by internal security systems such as security information and event management (SIEM), incident response, intrusion detection systems (IDS) and intrusion prevention systems (IPS), and endpoint management tools.

Military and law enforcement intelligence analysts, however, define cyberthreat hunting as the process of proactively identifying, intercepting, tracking, investigating and eliminating IoCs before they impact national security, critical infrastructure and/or citizens.

The truth is they’re both right. There’s a tectonic shift occurring in the cybersecurity community with the convergence and blurring of lines between SOC and intelligence analysts. The challenge is that SOC analysts are not formally trained in intelligence life cycle analysis, and intelligence analysts are not formally trained in incident analysis and response.

The knowledge gap between these two skill sets is quite significant and has to be closed and integrated to build a fully functioning and productive cyberthreat hunting team. It’s also critical for SOCs to grasp the common denominator in both internal (reactive) and external (proactive) cyberthreats: the human element.

Put Methodology Before Technology to Close the Skills Gap

Security teams should take proactive steps to close the skills gap and mature their SOC. First, start with the basic definition of cyberthreat hunting provided above. Next, develop an understanding of the intelligence life cycle tradecraft and apply it to both security and intelligence operations. Finally, create a priority intelligence requirements (PIR) matrix that asks the logical questions of who, what, where, when, why and how regarding the analysis of global, industry-specific, geographic and cyberthreats applicable to your business.

SOC Maturity Chart

There’s no magic button or technology that will solve all of your security challenges. Through the integrated elements of people, processes, data and technology applied to the “know your enemy” intelligence methodology, you can fully gain insight into how cybercriminals are seeking to target your organization. Putting methodology before technology will serve you well in defining your adversaries’ TTPs and the methods they might use to target your organization.

In a world where the enemy potentially has access to infinite time, money and resources, it’s absolutely critical for the cybersecurity industry to close the knowledge and skills gaps, truly understand the art and science of cyberthreat hunting, and apply that understanding to proactively stop threats before they become a problem.

Download the full report, “What Is Behind the Rise in Threat Hunting?”

Contributor'photo

Sidney Pearl

WW i2 / Safer Planet Cyber SME

Sid is a veteran of the Cyber Security industry with specialized focus in Cyber Threat Hunting, Intelligence and...