You may have heard the term “chatter” during times of heightened security awareness. This often refers to increased communications pertaining to a common subject, entity, person, organization, location or site. To prevent attacks, it’s critical to identify this information early and respond to it before threat actors can gain a foothold on your network. That’s when we turn to threat hunting, or the process of seeking out potential threats before they become incidents.

Blocking and Tackling Versus Proactive Threat Hunting

Most IT operations only work in reactive mode. In many cases, they wait for an event to transpire and attempt to respond as quickly as possible before it becomes an incident. They may also attempt to anticipate attack methods by monitoring early events, then define controls around these events to block potential attack vectors. We’ll call this the blocking and tackling approach.

The problem with a blocking and tackling strategy is that you are waiting to see whether your fences hold. But what if you could identify bad actors and observe their plans while they are still assembling the tools and resources they intend to use against you? What if you could use that knowledge to shut them down, or to put the right protections in place, before their attacks are launched?

This is where threat hunting earns its value. The best threat hunting tools quickly correlate structured data, such as records stored in databases, with unstructured data from files, text documents, websites, blogs, social media, collaborative forums, surveillance video and more.

So where does chatter occur? It typically happens over various modes of communication, such as Dark Web forums and semiprivate channels over which bad actors promote their exploitation tools, share thoughts and opinions, and discuss the details of their attacks. Chatter may even begin in public forums, such as common social media outlets, as cybercriminals open discussions to attract, persuade and orchestrate others to participate in sinister schemes.

Threat actors have used these tactics against large and small businesses, local and federal governments, and other entities that hold valuable information. Effective threat hunting can help these organizations quickly identify such efforts and provide insights into the tools perpetrators plan to use in their attacks. This intelligence enables security professionals to get a jump on incident response efforts and minimize the damage.


Why Are Enterprises Slow to Embrace Threat Hunting?

We’re all aware of the importance of threat hunting and the value of threat analysts in law enforcement, military and intelligence agencies, but enterprises have been slow to embrace this proactive strategy as part of their cybersecurity defense.

Until recently, only a few industries had fully committed to consolidating their security staffing and response orchestration. The energy and utilities industry, for example, focuses on critical infrastructure protection and places critical asset identification and protective measures under common oversight. The transportation industry likewise correlates physical and logical security as a matter of course. Why are other industries and government agencies slower to embrace proactive threat hunting?

Have outdated organizational reporting structures prevented enterprises from combining physical and logical security? Chief information officers (CIOs), chief information security officers (CISOs) and their reporting chains are typically focused on the protection, operation, oversight and cost related to data or information access and dissemination. Chief security officers (CSOs) and employees who report to them commonly focus on the physical aspects of security. Their charter is to control and secure physical access around the perimeter, inside buildings and within sensitive areas, and to manage employees, contractors and visitors. They may correlate watchlists with physical access and apply oversight of these controls. In addition, everyone is focused on cost constraints and doing more with less, and tools have lacked the ability to adequately bridge cybersecurity with physical and logical security.

While law enforcement agencies now commonly include cybersecurity within their threat analyst duties, IT organizations largely remain focused on their blocking and tackling efforts.

Prevention Is the Best Defense

I frequently ask IT executives who is monitoring social media to determine whether negative chatter is aimed at their organization, leadership, products or staff. They often respond that someone in marketing oversees this activity, or that it’s not a priority at all. I am optimistic that someday soon executives will answer that question with the proper response: a team of threat analysts.
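As an added example (not code from the original article, and not a description of any IBM product), the following Python script shows in its simplest form the correlation described earlier, structured data matched against unstructured text, applied to the social media question this paragraph raises: a watchlist of names the organization cares about is matched against a stream of posts, and a time window is reported as chatter when mentions of an entity spike above the baseline of the preceding windows and carry terms that suggest intent. The watchlist entries, the posts, the intent terms, the sources and the thresholds are all constructed for illustration and are not drawn from any real case.

```python
"""Added example: flag "chatter" by correlating a structured watchlist with
unstructured posts and spotting windows where mentions spike above baseline.
Everything here (watchlist, posts, intent terms, thresholds) is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Structured side: a constructed watchlist of entities the organization cares
# about, each with the aliases that tend to appear in free text.
WATCHLIST = {
    "Acme Corp":    ["acme", "acme corp", "acmecorp", "acme.example"],
    "AcmeVault":    ["acmevault", "acme vault"],
    "CEO Jane Doe": ["jane doe", "jdoe"],
}

# Terms that suggest hostile intent rather than ordinary customer talk (constructed).
INTENT_TERMS = ["creds", "dump", "access", "sell", "exploit", "0day", "vpn", "rdp"]

# Unstructured side: constructed posts as (timestamp, source, text). The first
# four are background noise; the last five are the cluster a hunter wants to see.
POSTS = [
    ("2024-03-01T09:00", "twitter",   "AcmeVault update broke my sync again"),
    ("2024-03-02T11:30", "reddit",    "anyone else use acme corp for backups?"),
    ("2024-03-03T14:10", "twitter",   "acme support was actually helpful today"),
    ("2024-03-04T08:45", "blog",      "review: AcmeVault vs the competition"),
    ("2024-03-05T22:05", "darkforum", "selling vpn access to acmecorp, dm me"),
    ("2024-03-05T22:40", "darkforum", "have creds for acme.example rdp, who wants"),
    ("2024-03-05T23:15", "telegram",  "acme vault 0day, looking for buyer"),
    ("2024-03-06T00:30", "darkforum", "acme dump coming, jdoe mailbox included"),
    ("2024-03-06T01:05", "telegram",  "anyone got more acmecorp access to sell"),
]


def _compile(terms):
    """Build one regex for a list of terms, longest first, bounded by
    non-alphanumerics so 'acme' does not fire inside 'acmevault'."""
    alts = "|".join(re.escape(t) for t in sorted(terms, key=len, reverse=True))
    return re.compile(rf"(?<![a-z0-9])(?:{alts})(?![a-z0-9])")


ENTITY_RE = {name: _compile(aliases) for name, aliases in WATCHLIST.items()}
INTENT_RE = _compile(INTENT_TERMS)


def tag_post(text):
    """Return (set of watchlist entities mentioned, whether an intent term appears)."""
    t = text.lower()
    entities = {name for name, rx in ENTITY_RE.items() if rx.search(t)}
    return entities, bool(INTENT_RE.search(t))


def detect_chatter(posts, window=timedelta(hours=24), min_posts=3, factor=3.0):
    """Bucket mentions of each entity into fixed windows measured from the first
    post. A window is reported when it holds at least `min_posts` mentions and
    at least `factor` times the mean of the earlier windows (floored at 1 so a
    quiet history cannot make a single post look like a spike)."""
    parsed = sorted((datetime.fromisoformat(ts), src, txt) for ts, src, txt in posts)
    t0 = parsed[0][0]
    mentions = defaultdict(lambda: defaultdict(int))   # entity -> window -> count
    hostile = defaultdict(lambda: defaultdict(int))    # entity -> window -> intent hits
    sources = defaultdict(lambda: defaultdict(set))    # entity -> window -> sources
    for ts, src, txt in parsed:
        entities, intent = tag_post(txt)
        w = int((ts - t0) / window)
        for e in entities:
            mentions[e][w] += 1
            hostile[e][w] += intent
            sources[e][w].add(src)

    alerts = []
    for e, per_window in mentions.items():
        for w in range(max(per_window) + 1):
            n = per_window.get(w, 0)
            prior = [per_window.get(i, 0) for i in range(w)]
            baseline = max(sum(prior) / len(prior), 1.0) if prior else 1.0
            if n >= min_posts and n >= factor * baseline:
                alerts.append({
                    "entity": e,
                    "window_start": t0 + w * window,
                    "mentions": n,
                    "baseline": round(baseline, 2),
                    "intent_posts": hostile[e][w],
                    "sources": sorted(sources[e][w]),
                })
    return alerts


if __name__ == "__main__":
    for a in detect_chatter(POSTS):
        print(f"{a['window_start']:%Y-%m-%d %H:%M} {a['entity']}: "
              f"{a['mentions']} mentions vs baseline {a['baseline']}, "
              f"{a['intent_posts']} with intent terms, sources {a['sources']}")
```

On the constructed data the four ordinary posts never trip the threshold, while the five posts on 5 and 6 March land in one window, exceed the baseline and all carry intent terms, which is the shape of event a threat analyst would want routed to them rather than to marketing. The baseline here is a plain mean over fixed windows; a production pipeline would use a rolling baseline per source, weight dark web forums above public social media, and hand matches to case management rather than printing them.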

Given how critical threat hunting is to law enforcement, military and intelligence agencies in thwarting attacks, business leaders need to do a better job of incorporating proactive strategies into security operations. Failing to do so is like going into battle blindfolded.

