Flipping the Script on Cyber Threats from Being the Hunted to the Hunter

Data is the new currency and cybercriminals have been incredibly successful at weaponizing tools, techniques and procedures to exploit corporate networks. We have seen this time and time again from Equifax and Home Depot to Uber and Sony PlayStation. These security breaches are not only a considerable expense but also damaging to corporate reputations. In most cases, by the time you react, the damage is already done. The only way to reverse this trend is to flip the script and become more proactive in hunting and mitigating cyber threats. 

Even if you build layers of strong walls and fencing to protect yourself from a home invasion, what happens when you intentionally invite an intruder into your living room? Will your alarm system go off?  Or will it stay silent and assume that you have an invited guest? This analogy is precisely how today’s cybercriminals operate.

It’s great to build walls of defense to protect your network from illegal entry but what if one of your employees visits the wrong website, opens up the wrong email, or even plugs in that mystery USB stick that was lying in the parking lot? What they are doing is unknowingly welcoming a criminal into the network by escorting them right through the front door. It is extremely rare in 2018 that an attacker penetrates a network by breaking down the front door to get in. Much more likely is the case where the adversary tricks the employee into executing a client-side attack (like opening the malicious email attachment) to gain a foothold in the network. Once through the door, the skilled adversary will blend into the noise of other users, working towards their objective.

Evolving Attacks

According to research from Cybersecurity Ventures, 44 percent of all current cyber threats are undetected by traditional security tools. The web is like the wild west; there are some rules but no defined boundaries. Unlike a home intruder, cybercriminals can maintain and control their foothold (i.e., the breached system) from anywhere in the world. And skilled adversaries can change their techniques within minutes to completely evade the security controls. There is no way that any one cybersecurity solution can stay ahead of criminals. Cybercrime is kinetic and demands a dynamic approach to protect networks. 

Today’s cybersecurity solutions are mostly automated and reactive with most larger companies investing in traditional Security Information and Event Management (SIEM) solutions. While these solutions are a necessary ingredient in a healthy corporate IT security posture, there is a fundamental reason why network breaches continue to occur under the watchful eyes of the SIEM. 

SIEMs do not consider most client-side attacks to be threats.

This is not really a flaw with the SIEM, but rather the systems and controls that feed security information to the SIEM. If your security controls do not identify client-side attacks as threats (and most don’t), then there will not be any alerts or alarms sent to the SIEM about these activities.

Enter Threat Hunting

If we are all being honest, we need to admit that cyber security controls are not 100% perfect and if an advanced persistent threat actor decides to focus on breaching your network, it is extremely likely that they will be successful, no matter how good your security is. 

Threat hunting takes the approach that you have likely already been breached and so it is the job of the hunter to detect and respond to the breach as fast as possible. This is a proactive philosophy that should be adopted and incorporated into every enterprise security posture. 

A great threat hunter is equipped with exceptional tools and a high degree of adversarial knowledge.  Equally important is the hunting ground itself (i.e., full-spectrum visibility of both the network and endpoints). A threat hunter cannot exclusively hunt in a sea of alerts because skilled adversaries don’t trip the alarm bells and produce the alerts in the first place (recall that client-side attacks are frequently ignored by security solutions).

A good threat hunter needs to be able to collect and process massive quantities of information. This information is obtained from the hunting ground (the network and the endpoints) and then utilizes human intuition coupled with powerful tools to provide insight into all this information. After slicing, dicing, sorting, measuring, grouping and analyzing the data; threat hunters hope that something bubbles up to the top and a hypothesis can be formulated. 

Sometimes these efforts can seem futile, similar to boiling the ocean of data in the attempt to make it fit into an eye-dropper so it can be actionable. However, the value of a skilled threat-hunting operation in your network cannot be overstated, because it’s not a matter of if your network will be compromised, but when. Today’s IT departments receive hundreds of thousands of alerts per day each day notifying them of a potential threat to their network, and it often becomes static noise that goes ignored, rendering the cybersecurity solution ineffective. Human-led cyber threat hunting provides an essential force multiplier for your cybersecurity team and will help get your lips above the water line when it comes to alert overload.