
TIME TO BRING IN THE THREAT HUNTERS

As digital transformation and the post-pandemic era raise the business value of an organisation being online and available, large enterprises and critical businesses need to consider the services of advanced threat hunters, explains Rohit Bhargava, Practice Head - Cloud & Security from Cloud Box Technologies.

As organisations pivot around digital transformation and make the organisation increasingly agile to combat post pandemic challenges, the stakes around the impact of any type of cybersecurity attack are continuously spiraling upwards. Whether it is ransomware or damage to industrial assets or business interruption or loss of data integrity, market leaders in any industry cannot afford to see their business impacted in any way.


With threat actors continuously innovating their modus operandi, and their movements inside organisations, there is a need for enterprises and mission critical organisations, which are usually the targets for advanced threat actors, to look beyond conventional tools.

One possibility is to use a skilled human approach to track threat actor movements inside an organisation’s networks and look for anomalies not picked up by day-to-day tools and alerts. Some sources indicate that over 50% of breaches are undetected by existing cyber security defense tools.

Existing defensive cybersecurity tools are like a camera pointed at the door that is triggered by the definition of a known enemy. And what if the enemy does not match the definition of a known enemy? The camera will not flash!

Today’s threat actors leverage multi-stage, delayed-detection techniques, avoiding detection for weeks and months. Detecting such delayed penetration techniques requires proactive cyber security activities. Proactive cyber security detects, isolates and remediates threats which defensive cyber security tools have missed or wrongly identified as non-threatening.

A key part of proactive cyber security is threat hunting, which is the process of searching through networks and data logs to detect and respond to threats that deviate from traditional rules and signature-based controls. Threat hunting is therefore a proactive approach towards threat detection, isolation and remediation.

Threat hunting is executed by threat hunters, who are typically highly skilled cyber security professionals who proactively find cybersecurity threats and neutralise them before they compromise an organisation. This is a much newer extension of the security analyst’s job role and is meant to identify and neutralise advanced threats that have evaded a security operation center’s standard detection routine.

The threat hunter presumes a breach has already occurred and that a threat actor is present and hidden, but can be detected by looking for traces of their covert activity. The threat hunter separates the unusual from the usual by removing the everyday noise of the organisation’s user, network, application and data activity. They are searching for the as-yet unknown, but presumed to exist, activity of a hidden threat actor.

The key success factor here is to detect and neutralise threat actors operating in an organisation’s network before they can execute their operations.

Threat hunting combines data from an advanced security solution with analytical and technical skills of a security professional or a team of threat hunting professionals. They scan data from a suitable solution and look for signs of compromise, lateral movement trails, and artifacts of threat actor activity.

Digital forensics and incident response tools on the other hand act in a post facto manner. They come into play for an organisation only after an incident has been detected. Penetration testing and vulnerability assessment also act in an abstract manner, without taking into consideration the existing real-life condition of the end customer.

The basis of advanced threat hunting is a threat hunter scanning indicators of compromise to look for disjointed clues of threat actor activity. This presupposes that the various cyber security solutions raise an optimum level of alerts and that the analyst is not swamped by an ocean of false alerts.

The existing cyber security solutions of an organisation, such as endpoint detection and response, must be efficient and effective. Threat hunting is not a substitute for standard cyber security solutions, which must do their job and limit the ocean of false positives.

Detecting advanced threats is the most challenging of all cyber security tasks. The barriers for this role are raised if the organisation has a limited skill set and resources, is faced with a deluge of daily false positives, has a set of cyber security solutions that are not set up optimally, and has not established organisation-wide security policies that automatically flag deviations and raise alerts.

Finding a suitable and skilled security partner to manage these operational challenges is a good start and can yield early returns and benefits.

While there is continuous innovation around automation of cyber security solutions to reduce the workload on security professionals, the same innovation is underway with threat actors as well. Adding the element of human skills through internal or outsourced threat hunting can help to isolate insider attacks and highly targeted attacks.

Requirements for advanced threat hunting

• Visibility into the network: data from endpoints, system and event logs, user behaviour data, encrypted traffic, denied connections, peripheral device activity, unmanaged endpoints, IoT devices, mobile devices and running services.
• Tools that can search and contextualise the data and reduce the manual work of scanning logs.
• Confidence that the various cyber security solutions deployed consolidate sufficient data and remove excessive false positives.
• A working hypothesis for each search and a basis for verifying the assumption. For example: has a recently joined employee accessed data folder ABC within X days of joining? Which activity around data folder DEF exceeded N times the normal level for an employee of Y years of employment?
• Access to public and open-source threat intelligence feeds or alternatives such as the SANS Institute, the MITRE ATT&CK framework and others.
• Understanding of the organisation’s workflows: where it keeps its crown jewels or core data, and which activities could mask threat actor activity.
• Awareness of which activities create large amounts of user and network activity that deviate from the normal baseline, such as creating a department, merging an entity or activating assets.
• If threat hunting is a scheduled activity rather than round the clock, because of limited resources, it may not be effective, and it may be more useful to outsource the activity to a competent security partner.
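The two example hypotheses above (a recent joiner touching folder ABC within X days, and activity on folder DEF exceeding N times an established employee's normal level) can be turned into a small, repeatable hunt over file-share audit logs. The following is an added illustration, not code from the article or from Cloud Box Technologies; the audit-line format, the HR roster fields, the share layout (`/shares/<folder>/...`) and every event in it are constructed for this example, and the X, N and Y values are passed in as parameters.

```python
"""Hypothesis-driven hunt over constructed file-share audit logs (added example)."""
from collections import defaultdict
from datetime import date, datetime
from statistics import median

# Constructed HR roster: user -> hire date (assumed field set).
ROSTER = {
    "alice": date(2016, 3, 1),
    "bob": date(2019, 7, 15),
    "carol": date(2024, 5, 20),   # recent joiner
}
AS_OF = date(2024, 5, 31)         # end of the hunt window (constructed)

# Constructed audit lines: "<ISO timestamp> <user> <action> <path>".
LOG_TEXT = """\
2024-05-27T09:01:12 alice READ /shares/DEF/report1.xlsx
2024-05-27T09:05:40 alice WRITE /shares/DEF/report1.xlsx
2024-05-28T10:11:03 alice READ /shares/DEF/report2.xlsx
2024-05-28T10:15:00 alice WRITE /shares/DEF/report2.xlsx
2024-05-29T08:40:00 alice READ /shares/DEF/report3.xlsx
2024-05-29T08:41:00 alice WRITE /shares/DEF/report3.xlsx
2024-05-27T11:00:00 bob READ /shares/DEF/plan.docx
2024-05-28T11:00:00 bob READ /shares/DEF/plan.docx
2024-05-29T11:00:00 bob READ /shares/DEF/plan.docx
2024-05-30T11:00:00 bob READ /shares/DEF/plan.docx
2024-05-31T02:10:00 bob READ /shares/DEF/q1.xlsx
2024-05-31T02:11:00 bob READ /shares/DEF/q2.xlsx
2024-05-31T02:12:00 bob READ /shares/DEF/q3.xlsx
2024-05-31T02:13:00 bob READ /shares/DEF/q4.xlsx
2024-05-31T02:14:00 bob READ /shares/DEF/pricing.xlsx
2024-05-31T02:15:00 bob READ /shares/DEF/contracts.pdf
2024-05-31T02:16:00 bob READ /shares/DEF/board.pptx
2024-05-31T02:17:00 bob READ /shares/DEF/payroll.xlsx
2024-05-28T15:02:00 carol READ /shares/ABC/customers.csv
2024-05-29T09:30:00 carol READ /shares/DEF/onboarding.pdf
"""


def parse_log(text):
    """Turn audit lines into event dicts; malformed or blank lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, action, path = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "path": path})
    return events


def folder_of(path):
    """Top-level share folder: '/shares/ABC/x.csv' -> 'ABC' (assumed layout)."""
    parts = path.strip("/").split("/")
    return parts[1] if len(parts) > 1 else parts[0]


def hunt_new_joiner_access(events, roster, folder, within_days):
    """Hypothesis 1: who touched `folder` within X days of their hire date?"""
    hits = []
    for ev in events:
        hired = roster.get(ev["user"])
        if hired is None or folder_of(ev["path"]) != folder:
            continue
        age = (ev["ts"].date() - hired).days
        if 0 <= age <= within_days:
            hits.append((ev["user"], ev["ts"].isoformat(), age))
    return sorted(hits)


def hunt_volume_anomaly(events, roster, folder, multiplier, min_tenure_years, as_of):
    """Hypothesis 2: for staff with at least Y years' tenure, flag any day whose
    event count on `folder` exceeds N times that person's own median daily count."""
    daily = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if folder_of(ev["path"]) == folder:
            daily[ev["user"]][ev["ts"].date()] += 1
    hits = []
    for user, per_day in daily.items():
        hired = roster.get(user)
        if hired is None or (as_of - hired).days / 365.25 < min_tenure_years:
            continue
        baseline = median(per_day.values())
        for day, count in sorted(per_day.items()):
            if count > multiplier * baseline:
                hits.append((user, day.isoformat(), count, baseline))
    return hits


def run_hunts(within_days=30, multiplier=3, min_tenure_years=2):
    """Run both hypotheses with X=30 days, N=3, Y=2 years over the sample log."""
    events = parse_log(LOG_TEXT)
    return {
        "events": len(events),
        "new_joiner_abc": hunt_new_joiner_access(events, ROSTER, "ABC", within_days),
        "volume_def": hunt_volume_anomaly(events, ROSTER, "DEF", multiplier,
                                          min_tenure_years, AS_OF),
    }


if __name__ == "__main__":
    for name, result in run_hunts().items():
        print(name, result)
```

In the constructed data the first hypothesis surfaces carol reading `/shares/ABC/customers.csv` eight days after joining, and the second surfaces bob's eight reads of folder DEF at 02:10 on 31 May against a baseline of one read per day, while alice's steady two events a day stay under the threshold. The baseline here is the median of the same window being examined, which is adequate for a one-off spike; a hunt run routinely would build the baseline from an earlier period so that a sustained change cannot raise its own threshold.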
