Threat Hunting as an Active Defense

Introduction

The current reality is that many organizations do not realize attackers have already compromised their systems. Enterprises routinely fail to detect attacks effectively and in a timely manner, and as a result have suffered heavy losses in the form of penalties and compliance failures. Even governmental organizations are no exception.

In 2010, WikiLeaks revealed some 391,000 classified U.S. documents that helped incite the Arab Spring in Tunisia. It was the largest unauthorized disclosure of classified data to date. While the initial shock has settled, the grave repercussions of the leak were felt for many years afterwards. But who actually was to blame for this act? It took a few months before an Army private who had exploited his privileged access to the sensitive material was suspected of being the sole actor. This incident could have been discovered much sooner through a technique called threat hunting.

Threat hunting is the process of repeatedly monitoring for, detecting and isolating threats that are advanced enough to slip past a network's existing security controls. Other techniques, such as attribution as an active defense, can also reduce the impact of advanced threats and shrink the detection delta. In addition, tools like the molehunt and the web bug server can be used as active defenses within the threat-hunting process.

How is Detection Delta Critical for My Organization?

When it comes to detecting threats and adversaries, time is a critical factor. The "detection delta" is the median time that elapses between a compromise and its detection. The cybersecurity company FireEye's M-Trends 2017 Report stated that the global median time from compromise to discovery (the detection delta) dropped from 146 days in 2015 to 99 days in 2016. Though this is a significant decrease, organizations often still remain oblivious to a breach (Read more...)
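As an added illustration, not part of the original post: the following Python computes a detection delta the way the metric above is defined, the median dwell time (days from compromise to discovery) per year, over a set of constructed incident records, and lists the incidents whose dwell time exceeds a threshold so hunting effort can be focused on the kind of long-lived intrusion the article describes. The record layout and the sample dates are assumptions made for the example.

```python
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed sample incident records (not real cases): the estimated date
# of compromise and the date the intrusion was actually discovered.
INCIDENTS = [
    {"id": "inc-01", "compromised": date(2015, 1, 10), "detected": date(2015, 6, 20)},
    {"id": "inc-02", "compromised": date(2015, 3, 2),  "detected": date(2015, 7, 1)},
    {"id": "inc-03", "compromised": date(2015, 8, 15), "detected": date(2015, 11, 30)},
    {"id": "inc-04", "compromised": date(2016, 2, 1),  "detected": date(2016, 5, 10)},
    {"id": "inc-05", "compromised": date(2016, 4, 12), "detected": date(2016, 6, 30)},
    {"id": "inc-06", "compromised": date(2016, 9, 3),  "detected": date(2016, 12, 1)},
]


def dwell_days(incident):
    """Days the intrusion went unnoticed: detected minus compromised."""
    delta = (incident["detected"] - incident["compromised"]).days
    if delta < 0:
        # A detection date before the compromise date is a data-entry error,
        # not a negative dwell time; refuse to silently skew the median.
        raise ValueError(f"{incident['id']}: detection precedes compromise")
    return delta


def detection_delta_by_year(incidents):
    """Median dwell time per year of detection (the 'detection delta')."""
    by_year = defaultdict(list)
    for inc in incidents:
        by_year[inc["detected"].year].append(dwell_days(inc))
    return {year: median(days) for year, days in sorted(by_year.items())}


def long_dwell(incidents, threshold_days):
    """IDs of incidents that stayed hidden longer than threshold_days; these
    are the cases where earlier hunting would have made the most difference."""
    return [inc["id"] for inc in incidents if dwell_days(inc) > threshold_days]


if __name__ == "__main__":
    for year, days in detection_delta_by_year(INCIDENTS).items():
        print(f"{year}: median dwell time {days} days")
    print("dwell time above 99 days:", long_dwell(INCIDENTS, 99))
```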

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Fakhar Imam. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/pEUxbhhkU9o/