Sameer Basha, Security Consultant GCC, Check Point Software Technologies – Middle East, discusses the importance of using threat hunting to defend against attackers on a network, as well as how threat hunting is beneficial to operations and creates a resilient cyber infrastructure.
What is threat hunting and why is it relevant to CISOs?
Threat hunting is a proactive approach for finding and remediating undetected cyberattacks. It is a process that involves searching for indicators of compromise (IoC), investigating, classifying and remediating. It is the practice of searching for cyberthreats that might otherwise remain undetected in your network. Threat hunting can be IoC-driven, in which the hunter investigates an indicator provided by external or internal sources. It can also be hypothesis-driven, in which the hunt begins with an initial hypothesis or question.
CISOs want to have this tool to proactively hunt and investigate incidents based on indicators provided by threat alliances, open-source intelligence (OSINT), or external intelligence. Proactive remediation is always better than a reactive one.
What types of threats can be found on the network and how do threat hunting techniques help to tackle these?
Many businesses are trying to protect their IT environments against current attacks with security technologies that are now obsolete. They are stuck in the world of second and third generation security, which only protects against viruses, application attacks and payload delivery. Networks are left exposed to threats like C&C communication, ransomware attacks, phishing attacks, spear phishing, man in the middle (MitM) attacks, Denial of Service or Distributed Denial of Service (DDoS). Threat hunting enables organisations to proactively find such attacks in their infrastructure and remediate them in initial stages. In the absence of threat hunting, the attacks will be detected in a reactive manner and in many cases after considerable damage has been done to the business.
Can you describe your threat hunting strategy and how this helps to avoid potential cyberattacks?
Check Point Software Technologies has taken a holistic approach to provide a threat hunting feature across the network, endpoint, email, mobile, IoT and cloud infrastructure. Check Point has developed the infinity portal that enables customers to consolidate their security vision under a single platform that helps in minimising their risks, accelerating their operations and optimising their security investments. Infinity vision XDR is an offering on the infinity portal which automatically detects and remediates threats. It consolidates all the events generated by all the Check Point products. By utilising the infinity XDR, Check Point customers can hunt for indicator of comprise across the entire infrastructure. Check Point is also offering Synchronicity service to customers where Check Point Security Operation and incident response experts will proactively monitor, hunt for threats and remediate them across the board.
What is the role of threat hunting in business and how does it work as a combined approach with technology?
Cybersecurity is a business enabler and threat hunting, therefore, is a very important tool to proactively prevent cyberattacks and keep the business functional. It involves using manual and software-assisted techniques to detect possible threats that have eluded other security systems. In addition to having a threat hunting process linked to information security policy, an organisation should choose the right technology that meets their business requirements. Threat hunting is necessary simply because no cybersecurity protections are always 100% effective. An active defence is needed, rather than relying on ‘set it and forget it’ security tools.
How is threat hunting beneficial to operations and how does it create a resilient cyber infrastructure?
Proactively detecting threats keeps business operations functional. Identifying cyberattacks before they spread can save weeks of business disruption and damage to reputation. Threat hunting is an important component of cyber-defence infrastructure as it aids in detecting cyberattacks at very initial stages and thereby adds more resilience to the cyber infrastructure.
How do automation tools such as AI and ML contribute to the process?
AI and Machine Learning (ML) can enhance the threat hunting process to a great extent. Threat hunting tools depend on IoC information and are supplied via play books or pre-defined queries. ML generates new threat hunting leads based on suspicious and abnormal behaviours which stay under the radar. It can also prioritise leads based on likelihood calculated by Machine Learning. In summary, Machine Learning can enable faster collaboration of play books to reduce the attack detection time, false positives and provide predictive queries based on previous cyberattacks.
What best practice advice would you offer other security leaders intending to use this process to secure their network?
Collecting an adequate quantity of high-quality data, as poor quality data inputs will result in ineffective threat hunting. Data collected can include log files, servers, network devices, databases and endpoints. Threat hunters must search for patterns and potential indicators of compromise (IoCs). If you’re monitoring, you must have someone looking at the logs. Too often, organisations don’t have enough resources and manpower to dedicate to ongoing intrusion detection monitoring and then respond accordingly. Proactively hunting threats is a must for every organisation and is a continuous process. Organisations need to develop a process for threat hunting linked to their information security policy. Organisations should choose the right tool that meets their requirements and have the right skillset to execute the threat hunting process.
Looking ahead, how should organisations include threat hunting in their cybersecurity approach?
Considering the cybersecurity landscape, threat hunting is a must today. Every organisation should have a threat hunting process derived from their information security policy. Based on their business needs, they should adopt a tool for threat hunting. If they don’t have internal resources to carry out the procedure, they should look for outsourced partners who can offer threat hunting as a service provided that the administrative controls like NDA and contracts are in place. Using manual and software-assisted techniques to detect possible threats that have eluded other security systems can be effective. More specifically, tasks like:
- Hunting for threats existing within the organisation; anything an attacker could implant to exfiltrate information and cause damage
- Hunting for threats proactively that arise anywhere worldwide
- Setting a trap and essentially waiting for threats to hunt you
