Why Use Cyber Threat Hunting?
It probably comes as no surprise that cyberattacks are becoming more sophisticated, more varied and broader in scope. For example, in 2017 there was a 91% increase in distributed denial-of-service (DDoS) attacks [1], a 600% increase in IoT-based attacks [2] and an 8,500% increase in cryptominer detections [3].
With the average targeted malware compromise present for 205 days before it is detected, there has to be a better way of finding and mitigating threats. Gartner recommends shifting budget from prevention toward detection and response [2].
The pace of change is already too fast to anticipate every kind of advanced attack, and preventative measures cannot possibly avert every breach. Security analysts should therefore work on the assumption that the adversary has already penetrated the network.
Organizations should invest in both people and technology to combat cyber adversaries, rather than simply cleaning up after the compromise. This is where threat hunting fits in.
Cyber threat hunting defined
Cyber threat hunting is a fusion of people, technology and processes aimed at defeating or outsmarting advanced attackers that have gained and retained access to your organization’s network. It is an analyst-centric process that proactively and iteratively searches through networks to detect and isolate advanced persistent threats that bypass both preventative and detective measures. Cyber threat hunting enables you to uncover threats that would otherwise remain hidden.
Many security analysts will recognize that they have been doing this type of activity, at least in part, long before the term threat hunting appeared. The simple fact is, cyber threat hunting is an investigative mindset fed by curiosity and the recognition that the attacker is an intelligent human being, not just a simple "bot." That adversary is constantly evolving their tradecraft, looking for new ways to defeat your defenses.
Cyber threat hunting is the dedicated effort of an analyst who purposely sets out to identify and counteract adversaries who may already be in the environment. It therefore requires specific analytic skills: familiarity with the network and the systems on it, and the ability to form a hypothesis about what an intruder would do, test it against the available data, and refine or discard it based on what the data shows.
By definition, you cannot fully automate threat hunting. However, many tools may make skilled threat hunters more effective. Some tools that can supplement the analyst include:
- Analytics – network/security behavior anomaly detection
- Vulnerability scanning – enterprise risk assessments, company- or employee-level trends
- Threat intelligence – threat intelligence feeds, blacklists, malware analysis, etc.
- SIEM and log management – log data and log-related anomaly detection
- And more
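The hypothesis-driven search described above, worked through in code as an added example (this is not the page's or Riverbed's own code, and the connection records below are constructed, not captured traffic). The analyst's hypothesis is that a compromised host beaconing to a command-and-control server connects at near-constant intervals, while a person browsing produces irregular gaps. The script tests that hypothesis over a connection log using a simple behavior analytic, the coefficient of variation of the inter-connection intervals, and hands back the host/destination pairs worth pivoting on. The interval threshold, the minimum event count and the log format are all assumptions made for the example.

```python
"""Hypothesis-driven hunt over constructed flow records (added example).

Hypothesis: a host that has been quietly compromised "beacons" to its
command-and-control server on a timer, so the gaps between its outbound
connections to one destination are nearly constant, whereas a person
browsing produces irregular gaps. We test that over a connection log and
return a short list of (src, dst) pairs for the analyst to pivot on.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample connection log (not real traffic): "timestamp src dst bytes".
# 10.0.1.15 -> 203.0.113.7 checks in roughly every 300 s; 10.0.1.22 is
# irregular browsing; 10.0.1.30 has too few events to judge either way.
SAMPLE_FLOWS = """\
2017-11-03T09:00:00Z 10.0.1.15 203.0.113.7 612
2017-11-03T09:00:10Z 10.0.1.22 198.51.100.4 14822
2017-11-03T09:00:57Z 10.0.1.22 198.51.100.4 9031
2017-11-03T09:02:15Z 10.0.1.30 192.0.2.9 1200
2017-11-03T09:05:01Z 10.0.1.15 203.0.113.7 598
2017-11-03T09:07:47Z 10.0.1.22 198.51.100.4 77120
2017-11-03T09:08:20Z 10.0.1.22 198.51.100.4 3310
2017-11-03T09:09:59Z 10.0.1.15 203.0.113.7 604
2017-11-03T09:15:00Z 10.0.1.15 203.0.113.7 611
2017-11-03T09:20:02Z 10.0.1.15 203.0.113.7 599
2017-11-03T09:23:32Z 10.0.1.22 198.51.100.4 25600
2017-11-03T09:24:58Z 10.0.1.15 203.0.113.7 607
2017-11-03T09:25:32Z 10.0.1.22 198.51.100.4 4102
2017-11-03T09:40:00Z 10.0.1.30 192.0.2.9 980
"""


def parse_flows(text):
    """Parse 'timestamp src dst bytes' lines into (datetime, src, dst, bytes)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        flows.append((when, src, dst, int(nbytes)))
    return flows


def beacon_candidates(text, min_events=4, max_cv=0.1):
    """Return (src, dst) pairs whose connection timing is suspiciously regular.

    Regularity is the coefficient of variation (stddev / mean) of the gaps
    between consecutive connections; a value near zero means a fixed timer.
    Pairs with fewer than min_events connections are not judged at all,
    because two or three samples say nothing about periodicity.
    Thresholds here are assumptions for the example, not tuned values.
    """
    by_pair = defaultdict(list)
    for when, src, dst, _ in parse_flows(text):
        by_pair[(src, dst)].append(when)

    findings = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else 0.0
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "events": len(times),
                             "mean_interval": avg, "cv": cv})
    # Most regular first: that is where the analyst's time should go.
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for f in beacon_candidates(SAMPLE_FLOWS):
        print(f"{f['src']} -> {f['dst']}: {f['events']} connections, "
              f"every {f['mean_interval']:.0f}s (cv={f['cv']:.3f})")
```

The output is a lead, not a verdict. The next iteration belongs to the analyst: pivot on the flagged destination (who else talks to it, what process opened the connection, when the pattern first appeared) and reject the hypothesis when a software updater or monitoring agent explains the timer. That loop of hypothesis, test and pivot is what the tools above can speed up but not replace.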
Why cyber threat hunting?
The adversaries in question are not deterred by firewalls and anti-virus protection alone; they assume such automated defenses are already in place and plan around them. Threat hunters, on the other hand, are not simply waiting to respond to alerts or confirmed indicators of compromise. They actively search for signs of hidden threats so that damage can be prevented or minimized. When threat hunting is done well, it can:
- Improve the ability to uncover hidden threats
- Improve security incident response time
- Reduce incident losses by detecting entrenched threats earlier
- Improve knowledge of the IT environment, including the hiding places favored by new or emerging threats
- Reduce the attack surface by fixing the weaknesses the hunt uncovers
To summarize, the job of the cyber threat hunter is to supplement and reinforce your preventative security systems. The hunter follows the evidence and makes connections informed by knowledge of your environment and the threat landscape to uncover the stealthiest adversaries. In doing so, the hunter unearths attack patterns, weaknesses in defenses and architectural shortcomings, which the security team can then use to improve the organization's defensive posture.
Learn more about how the Riverbed SteelCentral Advanced Security Module can help advance your cyber threat hunting capabilities.
[1] TechRepublic, Nov 2017
[2] Gartner, Shift Cybersecurity Investment to Detection and Response, 3 May 2017
[3] Symantec, Internet Security Threat Report 2018