From Rome to Mexico City, as my IBM Security colleagues and I have traveled the world teaching cyberthreat hunting, we’ve found a multitude of differing opinions about who is and isn’t a target for cyberattacks.

One attendee at a recent workshop even stated: “My bank isn’t a target for a cyberattack because our country isn’t seen as a major globalized economy.”

The reality, however, is that your organization is always a target. Whether you’re a target of choice or a target of opportunity, it’s not a matter of if you’ll be attacked, but when. There’s even a possibility that attackers are already dwelling within your network and have been for some time.

For example, in 2018, 18 million new malware samples were captured and more than 4,000 ransomware attacks occurred, according to the 2018 Threat Hunting Report. And yet, 52 percent of organizations that suffered a successful cyber-attack in 2017 didn’t make any meaningful structural changes to their security posture in 2018. Some of the reasons companies aren’t investing to protect their most valuable assets include:

  • Lack of education, training and understanding of the rapidly changing network of bad actors and security landscape
  • Overwhelmed by the volume of options and often confusing solutions in the market
  • Unable to transition from a reactive information-driven operations model to more proactive actionable-intelligence
  • Inability to understand actual business risk and costs associated with protection
  • Lack of qualified staff to adequately transform information into intelligence to secure the enterprise
  • False sense of security with their current state
  • Small percentage of advanced threats can have dramatic, negative revenue and brand impact
  • Unable to “connect the dots” across diverse data sets
  • Security market fragmentation and confusion

The sheer number of attacks, changing methods, number of growing community of actors, open market of malicious code, and the lack of internal resources make securing your business assets a challenge. So how does the SOC modernize while dealing with all of these compounding factors of not enough time, money or resources?

Watch the on-demand webinar: Know Your Enemy — Proactive Cyber Threat Intelligence and Threat Hunting

Make the First Move With a Strong Cyberthreat Hunting Team

One of the best ways to get out ahead of malicious actors is with cyberthreat hunting, the act of proactively and aggressively eliminating adversaries as early as possible in the Cyber Kill Chain. The quicker you can locate and track your adversaries’ tactics, techniques and procedures (TTPs), the less impact attackers will have on your business.

So what types of skills does a cyberthreat hunting team require?

Security operations center (SOC) analysts define cyberthreat hunting as reactive indicators of compromise (IoCs) that lead to an investigation of an incident. IoCs are typically generated by internal security systems such as security information and event management (SIEM), incident response, intrusion detection systems (IDS) and intrusion prevention systems (IPS), and endpoint management tools.

Military and law enforcement intelligence analysts, however, define cyberthreat hunting as the process of proactively identifying, intercepting, tracking, investigating and eliminating IoCs before they impact national security, critical infrastructure and/or citizens.

The truth is they’re both right. There’s a tectonic shift occurring in the cybersecurity community with the convergence and blurring of lines between SOC and intelligence analysts. The challenge is that SOC analysts are not formally trained in intelligence life cycle analysis, and intelligence analysts are not formally trained in incident analysis and response.

The knowledge gap between these two skill sets is quite significant and has to be closed and integrated to build a fully functioning and productive cyberthreat hunting team. It’s also critical for SOCs to grasp the common denominator in both internal (reactive) and external (proactive) cyberthreats: the human element.

Put Methodology Before Technology to Close the Skills Gap

Security teams should take proactive steps to close the skills gap and mature their SOC. First, start with the basic definition of cyberthreat hunting provided above. Next, develop an understanding of the intelligence life cycle tradecraft and apply it to both security and intelligence operations. Finally, create a priority intelligence requirements (PIR) matrix that asks the logical questions of who, what, where, when, why and how regarding the analysis of global, industry-specific, geographic and cyberthreats applicable to your business.

There’s no magic button or technology that will solve all of your security challenges. Through the integrated elements of people, processes, data and technology applied to the “know your enemy” intelligence methodology, you can fully gain insight into how cybercriminals are seeking to target your organization. Putting methodology before technology will serve you well in defining your adversaries’ TTPs and the methods they might use to target your organization.

In a world where the enemy potentially has access to infinite time, money and resources, it’s absolutely critical for the cybersecurity industry to close the knowledge and skills gaps, truly understand the art and science of cyberthreat hunting, and apply that understanding to proactively stop threats before they become a problem.

Download the full report, “What Is Behind the Rise in Threat Hunting?”

More from Threat Hunting

How I Got Started: White Hat Hacker

3 min read - White hat hackers serve as a crucial line of cyber defense, working to identify and mitigate potential threats before malicious actors can exploit them. These ethical hackers harness their skills to assess the security of networks and systems, ultimately helping organizations bolster their digital defenses. But what drives someone to pursue a career as a white hat hacker, and how do you get started in leveraging so-called “evil” skills for the greater good?? In this exclusive Q&A, we spoke with…

3 min read

Ex-Conti and FIN7 Actors Collaborate with New Backdoor

15 min read -   April 27, 2023 Update This article is being republished with modifications from the original that was published on April 14, 2023, to change the name of the family of malware from Domino to Minodo. This is being done to avoid any possible confusion with the HCL Domino brand. The family of malware that is described in this article is unrelated to, does not impact, nor uses HCL Domino or any of its components in any way. The malware is…

15 min read

When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule

7 min read - In February 2023, X-Force posted a blog entitled “Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers” that details the capabilities of a sample attributed to the Lazarus group leveraged to impair visibility of the malware’s operations. This blog will not rehash analysis of the Lazarus malware sample or Event Tracing for Windows (ETW) as that has been previously covered in the X-Force blog post. This blog will focus on highlighting the opportunities for detection of the FudModule within the…

7 min read

With 40% of Log4j Downloads Still Vulnerable, Security Retrofitting Needs to Be a Full-Time Job

4 min read - Vulnerabilities like Log4j remain responsible for security breaches a full year after the discovery of the flaw. In the months after widespread reporting about the vulnerability, 40% of Log4j downloads remained vulnerable to exploitation. Rapid Response — by Both Security Teams and Hackers What made this exposure so damaging was how widespread this piece of code is and how hard it is to find exactly where it’s used. This open-source logging code from Apache was the most popular java logging…

4 min read