When Blocking and Tackling Strategies Fail, Take a Page Out of the Threat Hunting Playbook
You may have heard the term “chatter” during times of heightened security awareness. This often refers to increased communications pertaining to a common subject, entity, person, organization, location or site. To prevent attacks, it’s critical to identify this information early and respond to it before threat actors can gain a foothold on your network. That’s when we turn to threat hunting, or the process of seeking out potential threats before they become incidents.
Blocking and Tackling Versus Proactive Threat Hunting
Most IT operations only work in reactive mode. In many cases, they wait for an event to transpire and attempt to respond as quickly as possible before it becomes an incident. They may also attempt to anticipate attack methods by monitoring early events, then define controls around these events to block potential attack vectors. We’ll call this the blocking and tackling approach.
The problem with a blocking and tackling strategy is that you are waiting to see if your fences hold up. But what if you could identify bad actors and observe their strategies as they plan to use illicit resources against you? What if you could use this knowledge to shut them down or apply appropriate protection to block their attacks before they are launched?
This is where the value of threat hunting comes into play. The best threat hunting tools quickly correlate nebulous structured data, such as information stored in databases, with unstructured data from files, textbooks, websites, blogs, social media, collaborative forums, surveillance videos and more.
So where does chatter occur? It typically happens over various modes of communication, such as Dark Web forums and semiprivate channels over which bad actors promote their exploitation tools, share thoughts and opinions, and discuss the details of their attacks. Chatter may even begin in public forums, such as common social media outlets, as cybercriminals open discussions to attract, persuade and orchestrate others to participate in sinister schemes.
Threat actors have used these tactics against large and small businesses, local and federal governments, and other entities that hold valuable information. Effective threat hunting can help these organizations quickly identify such efforts and provide insights into the tools perpetrators plan to use in their attacks. This intelligence enables security professionals to get a jump on incident response efforts and minimize the damage.
Why Are Enterprises Slow to Embrace Threat Hunting?
We’re all aware of the importance of threat hunting and the value of threat analysts in law enforcement, military and intelligence agencies, but enterprises have been slow to embrace this proactive strategy as part of their cybersecurity defense.
Until recently, only a few industries were fully committed to consolidating their security staffing and response orchestration. The energy and utilities industry, for example, focuses on critical infrastructure protection, including critical asset identification and protective measures in common oversight. The transportation industry also correlates physical and logical security as a common practice. Why are other industries and government agencies slower to embrace proactive threat hunting?
Have outdated organizational reporting structures prevented enterprises from combining physical and logical security? Chief information officers (CIOs), chief information security officers (CISOs) and their reporting chains are typically focused on the protection, operation, oversight and cost related to data or information access and dissemination. Chief security officers (CSOs) and employees who report to them commonly focus on the physical aspects of security. Their charter is to control and secure physical access around the perimeter, inside buildings and within sensitive areas, and to manage employees, contractors and visitors. They may correlate watchlists with physical access and apply oversight of these controls. In addition, everyone is focused on cost constraints and doing more with less, and tools have lacked the ability to adequately bridge cybersecurity with physical and logical security.
While law enforcement agencies now commonly include cybersecurity within their threat analyst duties, IT organizations largely remain focused on their blocking and tackling efforts.
Prevention Is the Best Defense
I frequently ask IT executives who is monitoring social media to determine whether negative chatter is aimed at their organization, leadership, products or staff. They often respond that someone in marketing oversees this activity, or that it’s not a priority at all. I am optimistic that someday soon executives will answer that question with the proper response: a team of threat analysts.
Given how critical threat hunting is to law enforcement, military and intelligence agencies in thwarting attacks, business leaders need to do a better job of incorporating proactive strategies into security operations. Failing to do so is like going into battle blindfolded.