DXC Technology expert on improving threat hunting for cyber-resilience

Kevin Whartenby, Security Advisory Services Manager for Intelligent Security Operations at DXC Technology, discusses how to improve threat hunting

Kevin Whartenby, Security Advisory Services Manager for Intelligent Security Operations at DXC Technology, looks at why threat hunting is becoming so important, especially given that organisations are often on the back foot, with threat hunting teams far smaller than the criminal organisations they are up against.

Why is threat hunting becoming an increasingly important tool for cybersecurity teams?

Threat hunting has gotten a lot of publicity lately, but even with all the coverage in the press it’s still largely misunderstood. Threat hunting is not about identifying random zero-day attacks – at its best, threat hunting uses intelligence, experience, software tools, network data, a solid methodology and automated metrics to ferret out information on previously unknown attacks by threat actors.

One other key aspect of successful threat hunting is seeking to understand the motivations of attackers. Was it a nation-state operation? Was it part of a complex corporate espionage program? Or was the attack strictly cybercriminals seeking financial gain? If money was the primary motivator, how will the bad threat actor monetise the information they are stealing?

These are the types of attacks in which threat actors plan to spend not several days, but months or years infiltrating your network, systems and databases. Threat hunting goes back to a basic method of security: looking for signs of malicious activity proactively and at the earliest possible stage of an attack.

What do you need to look for when putting together an effective threat hunting team?

Effective threat hunting requires skilled people to ensure you are quickly finding the most sophisticated of cyberattacks being launched on your organisation. You need to be able to find, retain and train talent. You should start by having at least two experienced threat hunters to supplement existing incident response capabilities. Then to further build your team, look for people with experience in digital forensics and incident response, as well as people who understand how intrusions occur and the type of artefacts that are left as subtle traces of an intrusion.

Ultimately, you need people who understand the mindset of threat actors: those who can uncover how they are able to quietly move laterally throughout an organisation and what mechanisms they use to mask their activities.

Due to the overwhelming volume of alerts that security solutions can generate, the entire team needs to be competent and able to quickly review and differentiate the events that are meaningful and critical – in comparison to those that are unsophisticated and not targeted.

What is the role of data in an effective threat hunting initiative?

The data may start with threat intelligence, but threat hunters will need data from a broad cross-section of sources. This includes things like endpoint logs and volatile system and network data, firewalls, NetFlow and DNS information, as well as data sources being aggregated into a security information and event management (SIEM) platform.

By providing this kind of varied data, the threat hunters will have greater visibility across the enterprise. This allows teams to quantify exactly what’s going on and then to develop appropriate tactical and strategic plans to counter the actions of the threat actor. Quality data is essential to help threat hunting teams make well-informed decisions once the malicious activity has been found; it provides the information security teams need to understand, assess and react to a threat.

How can the value of a threat hunting team be highlighted to the board?

In short, organisations need to achieve ROI from their threat hunting activities in order to secure future investment. For the most part, the metrics that are of the most value include whether the ‘dwell’ time of the threat actors inside the network has been reduced, along with the ability of the organisation and its security team to reduce the time it takes to remediate and repair a breach.

Threat hunting will not prove its value or be effective on an ad-hoc basis but needs to be consistent and well planned to ensure no interference with the organisation’s daily activities. Many organisations still have a long way to go to improve their threat hunting capabilities, with a recent report finding more than half of respondents were unsatisfied with the time it currently takes to hunt for threats.

How can businesses attain the upper hand vs larger criminal organisations?

Threat hunters must all work together and collaborate across teams – it just doesn’t work if they are all working off different scripts. There are four aspects to the methodology: consistency of purpose, developing detailed documentation, using standard methods of communication for sharing information and relevancy (for example, daily calls or meetings to review what was learned in the last day). It’s also important to make sure any information being pursued relates back to the incident under review.

When threat hunters do their job, the organisation will learn both the nature of the attack and the motivations of the threat actors. But to succeed in this dynamic threat environment, it takes skill and commitment to build and maintain an effective programme.

Intelligent CISO