Threat Hunting – A Cybersecurity Paradigm Shift
The internet has become a utility as essential as electricity and water for organizations worldwide. But it’s also an unparalleled security threat, an inviting doorway for global criminal networks.
Malicious hackers still seem to have the upper hand even with billions spent on cybersecurity and a high level of awareness of the growing danger. The 2019 Hiscox Cyber Readiness Report found that 61% of firms reported a “cyber incident,” an increase from 45% a year earlier. The median loss also increased from $229,000 to $369,000, not counting brand damage.1
New defenses are constantly introduced, but those work only until the next weakness is found and exploited.
The relentless attacks on IT networks and systems make it imperative that organizations find new ways to recognize and hunt cyberthreats. Cybercriminals have developed countless ways of avoiding traditional defense measures, so the standard approach is not enough.
An effective new weapon in this back-and-forth battle is “threat hunting.” That is the process of tracking any abnormal or suspicious activity and continuously scanning networks to identify complex threats that were missed by existing security solutions, such as signature-based antivirus software. The purpose of threat hunting is to scrutinize activities on endpoints and servers that show signs of invasion, exfiltration or corruption of data.
What makes this concept different from traditional measures — firewalls, antivirus software, intrusion detection systems, sandboxing and others — is that it is proactive. This approach attempts to track all possible threats and nip them in the bud, thus making sure that business operations are not affected.
Threat hunting implementation
Cyberattackers frequently steal login credentials for confidential accounts and then divert or delete critical data. The results can paralyze business operations, either through the loss of sensitive data or even ransomware.
To effectively head off those dangers, threat hunting must be undertaken in a continuous loop. It is carried out by a team of analysts — “hunters” — who are cybersecurity experts possessing in-depth knowledge of data and malware analysis, pattern recognition, and data forensics.
After collecting massive amounts of data, hunters then study patterns and behavior anomalies on networks and existing devices. That data is then processed and analyzed in detail by telemetry sources. The hunters then manually create a hypothesis and action plan.
As an additional benefit, security analysts get a holistic understanding of the environment being secured. This allows them to apply innovative approaches intuitively.
While a human hand is required, analyzing vast amounts of cybersecurity data without the assistance of technology is impossible. That is why threat hunting platforms, especially ones based on advanced algorithms and machine learning, are critical to detecting network or endpoint abnormalities.
A threat hunter should always possess the following in order to deliver the ideal solution:
- Know-how of operating systems and network protocols.
- Proficiency in coding skills.
- Superior analyzing and reporting abilities.
The SANS Institute’s 2019 threat hunting survey found that few organizations have set up dedicated threat hunting teams and have focused much of their efforts on acquiring technology.
“We question how useful a tool may be in the hands of an unskilled hunter, especially if training is not seen as a critical area to enable hunt teams,” the authors wrote.2
However, finding those skilled hunters is getting more difficult. The number of unfilled cybersecurity positions is expected to grow from 1 million in 2018 to 1.5 million in 2020, according to Gartner.3
Stalking the threat
A threat hunter must have a strong understanding of the environment being secured, its systems and networks, reasons for the security, what is at stake, and even the hunter’s advantages and limitations. And ultimately, you must decide what would be the ideal outcome.
If attackers learn of an enterprise’s security credentials, they will merely modify or change their attack strategies to avoid discovery. Threat hunting procedures should ideally be as private as the attack in order to make adversaries believe they are operating undetected. This gives the hunters opportunities to implement well-thought-out measures to minimize damage and quickly eliminate threats.
An innovative way of securing a company’s IT infrastructure is to create fake credentials and keep track of their usage. As soon as these credentials are used, a threat hunter can alert the stakeholders of a possible attack and secure the business from that specific direction.
As new technology is introduced, threat scenarios and security requirements must evolve. That makes it important for systems to scale up, and adopt and support these digital tools flexibly. Threat hunting solutions at all enterprises need to be highly agile and responsive.
Self-testing is an important practice that should be used by threat hunters periodically. To assess the robustness of a system, it is always a good idea to create simulated attacks and record the rates and manners of system infiltration. Threat hunters can use these results to secure their organizations.
Threat hunting feasibility
Existing security solutions — based on old mindsets and antiquated threats — are no longer sufficient. But threat hunting won’t replace all other approaches to cybersecurity either. Instead, it is expected to emerge as the leading tool to fight advanced persistent threats and fill the gaps that other techniques miss.
Heading off security threats in advance pays off with quick detection, faster response and successful denial of exploits that can devastate business operations. An enterprise today is only as good as its security.