Despite the constant onslaught of news reports of cyber-attacks, around the world, countless organizations take a reactive approach (i.e. incident response) to information security. All too often, the first sign that an attack is in process on an organization’s network is after they receive an alert. Unfortunately, by this stage, there is a very good chance it’s too late to stop the attack.
Incident Response: The process by which an organization manages a data breach or cyberattack, including the way the organization seeks to limit the negative ramifications of the attack, breach or incident. The key objective of incident response is to efficiently manage the incident to ensure damage is kept to a minimum. Essentially, incident response attempts to minimize recovery time, costs, as well as brand damage and customer confidence.
Year after year, attackers are refining their skillsets and their attack methodologies are increasing in complexity. Further, many of these threat actors are stealthy enough to stay under the radar, sometimes for months on end, until their final objective is in focus. A great example of this is ransomware, which stealthily infiltrates a computer, only announcing its presence once it has completed encrypting the user’s files.
In order for any organization to get ahead of these threats, it must develop a more proactive approach to security. Security teams must be able to identify infections while they are still in the, previously mentioned, “stealth” phase. Only by doing so, will a security team have a chance at remediating the problem before it can inflict significant damage to the organization. In order to accomplish this task, any organization’s security team needs to know how to threat hunt, or at least, which third party organizations and tools, can assist in the process.
Defining Threat Hunting
As we have just established, threat hunting is the proactive security approach of going after cyber threats as opposed to waiting for an alert to begin an investigation and the remediation process. The more rapidly a security team can identify and remediate a threat, the less damage any given threat can inflict on the target organization.
Unfortunately, a more proactive approach to security, like threat hunting, is significantly more demanding than a reactive approach. For instance, in a reactive approach, security teams are led right to the threat intrusion as alerts have exposed the attacker’s presence in the network. In the instance of threat hunting, security teams have no idea if a threat is currently residing on the network, as well, if there is a threat present, security teams have no indication as to what or where to look for one. Thus, threat hunting involves a lot more strategy to allow a security team to systematically identify, with a scientific approach, all potential threat scenarios if they are to neutralize the threat before it’s able to cause a problem.
Benefits of Threat Hunting
As previous mentioned, threat hunting itself comes with some inherent difficulties, which discourages many security teams. The ability to successfully threat hunt involves an experienced team with access to the proper tools and information to perform the process effectively. However, a security team that commits to the demands inherent to threat hunting will be gifted with several advantages. Below, we have provided a non-exhaustive list:
Superior Frame of Reference: In the instance of a reactive cyber security approach, security teams zero in on a target, really only providing a limited view of the current state of security in any given network. As well, this approach relies on after-the-fact alerts, limited by the available information provided in-place tools. In stark contrast, threat hunting involves sweeping a myriad of potential threats that may be otherwise undetected using strictly reactive alerting systems.
Proactive: As previously indicated, with threat hunting, a security team is able to locate, recognize and remediate any potential threats earlier on in an attacker’s process. The resulting monetary savings could keep an organization in the business, by avoiding financial upset, business interruption, and damage to customer confidence.
Lessons Learned: As effective as any security strategy can be, it is quite unlikely that any team of professional threat hunters will catch all intrusions. In these scenarios, all is not lost, by reviewing past data, a security team identify any misses and take remediating action accordingly.
As previously noted, threat hunting involves a more scientific approach to security; a security team forms and tests a series of hypotheses with the goal of identifying a threat in the network, or alternatively, proving the lack of. Using the information compiled from threat hunting, an organization will have the improved ability to detect existing threats to their systems, as well as a greater knowledge of their existing security posture.
In addition, the threat hunting model is additive, constantly evolving as the hunters seeks to perfect their process of identifying any given threat to the network. Further, even if the outcome of the hunt was refuting a proposed hypothesis, the mechanism of detection may be added to the security teams tool box.
Summary and Complimentary Services
Whereas threat hunting is a continual process that an organization must undertake, there are two key security elements that are implemented on an intermittent, or as required basis; incident response and penetration testing. The level of maturity an organization must possess to engage in active threat hunting, is sometimes prohibitive. Because of this, many organizations resort to incident response, or the reactive approach to a security, pursuing resolution only after the damage has been done. Understanding this is a poor approach, it is in an organizations best interests to pursue a more proactive form of security. This is where penetration testing shines.
Penetration testing, ideally performed on at least an annual basis, and any time a significant change has been implemented, is the most proactive practice in cyber security, holding significant value beyond incident response and threat hunting. Whereas threat hunting involves pursuing in-process threats, penetration testing seeks to identify vulnerabilities before they can be exploited in the first place.
A key advantage of penetration testing is that it is a process that engages an organization’s security from the perspective of a threat actor. Ultimately, penetration testers are ethical hackers, whose job it is to identify an organizations’ vulnerabilities to allow remediation prior to exploitation. It is an invaluable service, with benefits reaching well beyond basic security measures. As they say in medicine, an ounce of prevention is worth a pound of cure. If you would like to learn more about how your organizations can leverage the services our team of skilled professionals have to offer, please contact us today!