From Rome to Mexico City, as my IBM Security colleagues and I have traveled the world teaching cyberthreat hunting, we’ve found a multitude of differing opinions about who is and isn’t a target for cyberattacks.

One attendee at a recent workshop even stated: “My bank isn’t a target for a cyberattack because our country isn’t seen as a major globalized economy.”

The reality, however, is that your organization is always a target. Whether you’re a target of choice or a target of opportunity, it’s not a matter of if you’ll be attacked, but when. There’s even a possibility that attackers are already dwelling within your network and have been for some time.

For example, in 2018, 18 million new malware samples were captured and more than 4,000 ransomware attacks occurred, according to the 2018 Threat Hunting Report. And yet, 52 percent of organizations that suffered a successful cyber-attack in 2017 didn’t make any meaningful structural changes to their security posture in 2018. Some of the reasons companies aren’t investing to protect their most valuable assets include:

  • Lack of education, training and understanding of the rapidly changing network of bad actors and security landscape
  • Overwhelmed by the volume of options and often confusing solutions in the market
  • Unable to transition from a reactive information-driven operations model to more proactive actionable-intelligence
  • Inability to understand actual business risk and costs associated with protection
  • Lack of qualified staff to adequately transform information into intelligence to secure the enterprise
  • False sense of security with their current state
  • Small percentage of advanced threats can have dramatic, negative revenue and brand impact
  • Unable to “connect the dots” across diverse data sets
  • Security market fragmentation and confusion

The sheer number of attacks, changing methods, number of growing community of actors, open market of malicious code, and the lack of internal resources make securing your business assets a challenge. So how does the SOC modernize while dealing with all of these compounding factors of not enough time, money or resources?

Watch the on-demand webinar: Know Your Enemy — Proactive Cyber Threat Intelligence and Threat Hunting

Make the First Move With a Strong Cyberthreat Hunting Team

One of the best ways to get out ahead of malicious actors is with cyberthreat hunting, the act of proactively and aggressively eliminating adversaries as early as possible in the Cyber Kill Chain. The quicker you can locate and track your adversaries’ tactics, techniques and procedures (TTPs), the less impact attackers will have on your business.

So what types of skills does a cyberthreat hunting team require?

Security operations center (SOC) analysts define cyberthreat hunting as reactive indicators of compromise (IoCs) that lead to an investigation of an incident. IoCs are typically generated by internal security systems such as security information and event management (SIEM), incident response, intrusion detection systems (IDS) and intrusion prevention systems (IPS), and endpoint management tools.

Military and law enforcement intelligence analysts, however, define cyberthreat hunting as the process of proactively identifying, intercepting, tracking, investigating and eliminating IoCs before they impact national security, critical infrastructure and/or citizens.

The truth is they’re both right. There’s a tectonic shift occurring in the cybersecurity community with the convergence and blurring of lines between SOC and intelligence analysts. The challenge is that SOC analysts are not formally trained in intelligence life cycle analysis, and intelligence analysts are not formally trained in incident analysis and response.

The knowledge gap between these two skill sets is quite significant and has to be closed and integrated to build a fully functioning and productive cyberthreat hunting team. It’s also critical for SOCs to grasp the common denominator in both internal (reactive) and external (proactive) cyberthreats: the human element.

Put Methodology Before Technology to Close the Skills Gap

Security teams should take proactive steps to close the skills gap and mature their SOC. First, start with the basic definition of cyberthreat hunting provided above. Next, develop an understanding of the intelligence life cycle tradecraft and apply it to both security and intelligence operations. Finally, create a priority intelligence requirements (PIR) matrix that asks the logical questions of who, what, where, when, why and how regarding the analysis of global, industry-specific, geographic and cyberthreats applicable to your business.

There’s no magic button or technology that will solve all of your security challenges. Through the integrated elements of people, processes, data and technology applied to the “know your enemy” intelligence methodology, you can fully gain insight into how cybercriminals are seeking to target your organization. Putting methodology before technology will serve you well in defining your adversaries’ TTPs and the methods they might use to target your organization.

In a world where the enemy potentially has access to infinite time, money and resources, it’s absolutely critical for the cybersecurity industry to close the knowledge and skills gaps, truly understand the art and science of cyberthreat hunting, and apply that understanding to proactively stop threats before they become a problem.

Download the full report, “What Is Behind the Rise in Threat Hunting?”

More from Threat Hunting

5 Golden Rules of Threat Hunting

When a breach is uncovered, the operational cadence includes threat detection, quarantine and termination. While all stages can occur within the first hour of discovery, in some cases, that's already too late.Security operations center (SOC) teams monitor and hunt new threats continuously. To ward off the most advanced threats, security teams proactively hunt for ones that evade the dashboards of their security solutions.However, advanced threat actors have learned to blend in with their target's environment, remaining unnoticed for prolonged periods. Based…

RomCom RAT Attack Analysis: Fake It to Make It

The RomCom RAT has been making the rounds — first in Ukraine as it went after military installations, and now in certain English-speaking countries such as the United Kingdom. Initially a spear-phishing campaign, the RomCom attack has evolved to include domain and download spoofing of well-known and trusted products. In this piece, we’ll break down current RomCom realities, dive into the problems with digital doppelgangers and offer advice to help secure software downloads. RomCom Realities Despite the name, there’s no…

A Perfect Storm: 7 Reasons Global Attacks Will Soar in 2023

In 2023, the global annual cost of cyber crime is predicted to top $8 trillion, according to a recent Cybersecurity Ventures report. This seemingly enormous figure might still be a major underestimate. In 2021, U.S. financial institutions lost nearly $1.2 billion in costs due to ransomware attacks alone. That was a nearly 200% increase over the previous year. If we continue at that rate, next year could see global costs approaching $16 trillion. Why might costs be so high? Here…

Beware of What Is Lurking in the Shadows of Your IT

This post was written with contributions from Joseph Lozowski. Comprehensive incident preparedness requires building out and testing response plans that consider the possibility that threats will bypass all security protections. An example of a threat vector that can bypass security protections is “shadow IT” and it is one that organizations must prepare for. Shadow IT is the use of any hardware or software operating within an enterprise without the knowledge or permission of IT or Security. IBM Security X-Force responds…