THREAT HUNTING: AUTOMATION & BEING PROACTIVE - PART 1
There is a common fallacy in cybersecurity that simply deploying more types of security technology along a business's lines of defense will mean greater levels of protection.
While this may be true in theory, reality often dictates the opposite. By simply deploying more security tools, you are actually increasing the attack surface available to the cyberattacker. For example, a Chief Information Officer or a Chief Information Security Officer may think that deploying ten firewalls is better than having just one in place; but with this thinking, they have given the cyberattacker nine more avenues through which to attack the vulnerabilities and weaknesses of the IT infrastructure.
Instead, it is far better to spend the critical financial resources on perhaps just two firewalls, while making sure that they are strategically placed where they are needed most and will have the greatest effect.
This mindset of determining where security assets need to be placed is very proactive. The CIO/CISO and their IT security staff take the time to discover which areas of their organization are most at risk, and which tools will be most effective and where. Rather than spending money in a haphazard fashion, these officers are focusing their defenses.
This proactive way of thinking needs to be extended to the world of threat hunting as well. In threat hunting, IT security staff use various methodologies and tools in order to scope out and mitigate the risks of any cyberthreats that are lurking within their IT infrastructure.
Being a successful threat hunter on a daily basis requires that the CIO/CISO and their IT security staff go above and beyond the proverbial “extra mile.” This article reviews how IT security staff can be successful at threat hunting.
A Formal Definition of Proactive Threat Hunting
A formal definition of proactive threat hunting is as follows:
“[It] is the process of proactively searching through networks or datasets to detect and respond to advanced cyberthreats that evade traditional rule- or signature-based security controls. Threat hunting combines the use of threat intelligence, analytics, and automated security tools with human intelligence, experience and skills.”
In other words, there are two components to this definition:
- Being proactive in any type of threat hunting exercise means that the CIO/CISO has to break away from conventional ways of thinking and have the ability to “think out of the box.” For instance, what works in one situation more than likely will not work in another, because the cyberthreat landscape is dynamically changing.
- Being proactive doesn’t simply involve the use of the latest and most sophisticated threat hunting tools. It takes not only that, but also the use of reliable information and data, as well as deep motivation, experience and technical know-how from the IT security staff.
This is illustrated in the diagram below:
Despite the importance of threat hunting in cybersecurity today, not many businesses and corporations are implementing it, as shown by these stats from a recent survey in which 306 organizations were polled:
- Only 27 percent of the respondents had a well-defined threat hunting methodology and were actually utilizing it;
- Only 45 percent of the respondents had a formal plan in place for launching and executing a specific threat hunting exercise.
Here are some other stats about organizations’ threat hunting:
- 88 percent of businesses feel that their existing threat hunting approaches need to be greatly improved;
- 56 percent of organizations feel that conducting a threat hunting exercise with their own resources (or “in-house”) takes too long and consumes resources from carrying out other IT security related duties;
- 53 percent of organizations feel that their threat hunting methodologies and activities are actually “tipping off” cyberattackers.
So, why are businesses and corporations not taking a proactive approach to threat hunting? Here are some reasons why:
- The use of different tools can make threat hunting a very time-consuming proposition;
- The collection of information and data can be a very labor-intensive process which requires third-party involvement and verification;
- There is not enough time to conduct proactive threat hunting exercises because the IT security staff has to respond to the many false alarms that are raised on a daily basis;
- Threat hunting can be a huge financial drain;
- Threat hunting requires a special kind of mindset – recruiting candidates for this specific talent can be very difficult.
Despite these above-mentioned obstacles, proactive threat hunting is still an essential function for every business and corporation, and it can be achieved. In our next post, we examine how your IT security staff can actually initiate the threat hunting process and the various components that are involved with it.