The Hunter Or The Hunted? Cybersecurity Threat Hunting 101
October 19, 2016
William Ehgoetz, Herjavec Group Threat Hunter
To hunt successfully you must know your ground, your pack and your quarry.
- KJ Parker
As cybersecurity professionals, we are focused on both defensive, and offensive tactics to thwart cybercrime.
The following summary will outline one of the newest offensive strategies that Managed Services Providers and enterprises alike are employing: threat hunting.
President Barack Obama and the Department of Homeland Security (DHS) recognize October as National Cybersecurity Awareness Month (NCSAM). Now in its 13th year, this month is focused on increasing awareness about the importance of cybersecurity as well as personal and enterprise cyber hygiene. Herjavec Group is proud to be a NCSAM Champion!
As the threat landscape becomes increasingly more complicated and data breaches constitute a state of emergency, businesses are no longer facing lone-wolf hackers but organized crime syndicates.
Therefore, it is critical organizations take a proactive approach to security in addition to defensive security postures and go ‘hunting’ for possible threats, vulnerabilities, and malicious activity. Not just a buzzword, Threat Hunting is the process of “proactively and iteratively searching through datasets to detect and respond to threats that evade traditional security solutions using both manual and machine-assisted techniques” (Gartner, 2016). In other words, Threat Hunting is the unique combination of man and machine to search out and destroy potential cybersecurity threats.
Threat Hunting begins by wading through all of the data that crosses a company’s network in order to actively search for threats that may have slipped past the company’s first line of security defenses. You’re not looking for what your security devices have blocked or detected; you’re looking for what got through; And of that traffic, is there anything that is suspicious?
Threat Hunting is often confused with threat intelligence, which uses evidence-based research pertaining to known threats in order to detect their presence in a company’s environment. Therefore, hunting can often create threat intel but can also consume or use intel. For example, if a hunter finds a fresh, emerging threat, they can pass that information to the threat intel team in order for them to see if that same threat can be detected in another company’s environment.
In fact, Threat Hunters don’t just restrict their focus to network and communication data. They also look at people and threat actors, answering key questions such as:
- What are employees doing to influence certain business operations?
- Is there a leak of confidential information about employees or the corporation itself?
The process of Threat Hunting requires two essential tools: deep packet inspection (DPI) and visual analytics. DPI provides the Threat Hunter with the highest level of visibility by analyzing and categorizing every single piece of communication that happens on a network. Visual analytics, as the name suggests, takes what DPI produces and summarizes the data for better understanding.
Threat Hunters often spend a lot of time sorting through immense amounts of data in order to spot anomalous behavior. As such, much of Threat Hunting becomes about avoiding rabbit holes. Something can often appear out of place when in actuality it’s not, so Threat Hunters must be able to quickly determine if it is a lead worth pursuing.
This ability to distinguish between false leads and true threats comes with a mix of experience, understanding the underlying protocols and technology, and even an element of gut feeling. Threat Hunters must be comfortable with asking the Why? question – and they need to be able to provide answers as to why analytics are showing certain patterns. Aside from that, they must have an analytical and curiosity-laden mind with a deep understanding of the Internet and its protocols.
The most common patterns we see in the Threat Hunting business are threats via email (spear phishing), use of rogue devices, critical vulnerabilities (ones that can lead to heart bleeds), and home users connecting into corporate infrastructure via VPNs. An employee can log their corporate laptop into a possibly-malware infected network at home and then spread it into the work environment upon their return to the office, much like how a flu might spread.
So what happens when a threat is discovered? Well, first thing’s first: Hunters need to check, double-check, and triple-check that the threat is real. Threat Hunters spend most of their time discovering the risk of a potential compromise, but in the case of uncovering an actual compromise, the next step is to immediately initiate an approved security incident response procedure or potentially call in a response team.
That being said, adding the services of Threat Hunters may not be viable for every organization. Much of the value Threat Hunters can provide depends on a company’s maturity (i.e. their native ability to wade through the data to get rid of the extra rabbit holes). Since Threat Hunting can be akin to finding a needle in a haystack full of needles, mature organizations can help reduce the size of the haystack. Those that have seen success with Threat Hunting recognize that instead of focusing on what’s trying to get into their network, there is value in focusing on what’s trying to get out (i.e. data).
Corporations no longer have the luxury of wondering if a security incident will occur. Rather, it’s a matter of when they will happen within your organization, so it is crucial to ask yourself, “Are we set up to detect and respond in a timely manner?” The only way to ensure the best security posture possible is to embrace a combination of defensive and offensive tactics to deter cyber criminals; in other words, use human and artificial intelligence and start hunting.
Learn more abut Herjavec Group Threat Hunting Services by contacting a security specialist today.