You may have heard the term “chatter” during times of heightened security awareness. This often refers to increased communications pertaining to a common subject, entity, person, organization, location or site. To prevent attacks, it’s critical to identify this information early and respond to it before threat actors can gain a foothold on your network. That’s when we turn to threat hunting, or the process of seeking out potential threats before they become incidents.

Blocking and Tackling Versus Proactive Threat Hunting

Most IT operations only work in reactive mode. In many cases, they wait for an event to transpire and attempt to respond as quickly as possible before it becomes an incident. They may also attempt to anticipate attack methods by monitoring early events, then define controls around these events to block potential attack vectors. We’ll call this the blocking and tackling approach.

The problem with a blocking and tackling strategy is that you are waiting to see if your fences hold up. But what if you could identify bad actors and observe their strategies as they plan to use illicit resources against you? What if you could use this knowledge to shut them down or apply appropriate protection to block their attacks before they are launched?

This is where the value of threat hunting comes into play. The best threat hunting tools quickly correlate structured data, such as records stored in databases, with unstructured data from files, textbooks, websites, blogs, social media, collaborative forums, surveillance videos and more.

So where does chatter occur? It typically happens over various modes of communication, such as Dark Web forums and semiprivate channels over which bad actors promote their exploitation tools, share thoughts and opinions, and discuss the details of their attacks. Chatter may even begin in public forums, such as common social media outlets, as cybercriminals open discussions to attract, persuade and orchestrate others to participate in sinister schemes.

Threat actors have used these tactics against large and small businesses, local and federal governments, and other entities that hold valuable information. Effective threat hunting can help these organizations quickly identify such efforts and provide insights into the tools perpetrators plan to use in their attacks. This intelligence enables security professionals to get a jump on incident response efforts and minimize the damage.
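As an added illustration of the chatter definition above (this is example code, not part of the original post), the Python below correlates a structured watchlist of organization, product and staff names with unstructured forum posts and flags a day whose mention volume jumps across several sources. The watchlist entries, post texts and source names are all constructed for the example.

```python
import re
from collections import defaultdict

# Structured side (constructed): entities an analyst tracks, grouped by category.
WATCHLIST = {
    "organization": ["ExampleCorp"],
    "product": ["ExamplePay"],
    "staff": ["Jane Doe"],
}

# Unstructured side (constructed): posts collected from public forums.
# Each entry is (timestamp, source, text).
POSTS = [
    ("2024-05-01T09:00", "forum-a", "Anyone else use ExamplePay? works fine"),
    ("2024-05-01T14:00", "forum-b", "random unrelated post"),
    ("2024-05-02T10:00", "forum-a", "ExampleCorp login portal looks old"),
    ("2024-05-03T11:00", "forum-a", "ExampleCorp staff Jane Doe speaking at conf"),
    ("2024-05-03T11:30", "forum-b", "ExamplePay ExampleCorp anyone"),
    ("2024-05-03T12:00", "forum-c", "ExampleCorp"),
    ("2024-05-03T13:00", "forum-a", "ExamplePay again"),
]

def find_mentions(text):
    """Return {category: [entity, ...]} for watchlist entities found in a post."""
    hits = defaultdict(list)
    for category, names in WATCHLIST.items():
        for name in names:
            if re.search(r"\b" + re.escape(name) + r"\b", text, re.IGNORECASE):
                hits[category].append(name)
    return dict(hits)

def daily_mentions(posts):
    """Per day: number of posts mentioning any entity and the distinct sources."""
    per_day = defaultdict(lambda: {"mentions": 0, "sources": set()})
    for ts, source, text in posts:
        if find_mentions(text):
            per_day[ts[:10]]["mentions"] += 1
            per_day[ts[:10]]["sources"].add(source)
    return per_day

def flag_chatter(posts, multiplier=2.0, min_sources=2):
    """Flag days whose mention count is >= multiplier x the mean of earlier days
    (days with no mentions are not counted) and that span >= min_sources sources."""
    per_day = daily_mentions(posts)
    flagged, history = [], []
    for day in sorted(per_day):
        count, sources = per_day[day]["mentions"], per_day[day]["sources"]
        baseline = sum(history) / len(history) if history else None
        if baseline is not None and count >= multiplier * baseline and len(sources) >= min_sources:
            flagged.append(day)
        history.append(count)
    return flagged
```

Real deployments would replace the constructed posts with collected data and tune the multiplier and source threshold to the organization's normal mention volume.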


Why Are Enterprises Slow to Embrace Threat Hunting?

We’re all aware of the importance of threat hunting and the value of threat analysts in law enforcement, military and intelligence agencies, but enterprises have been slow to embrace this proactive strategy as part of their cybersecurity defense.

Until recently, only a few industries were fully committed to consolidating their security staffing and response orchestration. The energy and utilities industry, for example, focuses on critical infrastructure protection, placing critical asset identification and protective measures under common oversight. The transportation industry also correlates physical and logical security as a common practice. Why are other industries and government agencies slower to embrace proactive threat hunting?

Have outdated organizational reporting structures prevented enterprises from combining physical and logical security? Chief information officers (CIOs), chief information security officers (CISOs) and their reporting chains are typically focused on the protection, operation, oversight and cost related to data or information access and dissemination. Chief security officers (CSOs) and employees who report to them commonly focus on the physical aspects of security. Their charter is to control and secure physical access around the perimeter, inside buildings and within sensitive areas, and to manage employees, contractors and visitors. They may correlate watchlists with physical access and apply oversight of these controls. In addition, everyone is focused on cost constraints and doing more with less, and tools have lacked the ability to adequately bridge cybersecurity with physical and logical security.

While law enforcement agencies now commonly include cybersecurity within their threat analyst duties, IT organizations largely remain focused on their blocking and tackling efforts.

Prevention Is the Best Defense

I frequently ask IT executives who is monitoring social media to determine whether negative chatter is aimed at their organization, leadership, products or staff. They often respond that someone in marketing oversees this activity, or that it’s not a priority at all. I am optimistic that someday soon executives will answer that question with the proper response: a team of threat analysts.

Given how critical threat hunting is to law enforcement, military and intelligence agencies in thwarting attacks, business leaders need to do a better job of incorporating proactive strategies into security operations. Failing to do so is like going into battle blindfolded.

