Threat Hunting Enables Early Detection and Response

From recent ransomware attacks on meatpacking giant JBS and oil transporter Colonial Pipeline to the massive SolarWinds breach that rattled both the public and private sectors, disruptive, costly and headline-making cyberattacks are happening at an alarming rate.

Officials at the FBI compared the need to confront rising cyberthreats to the post-9/11 rush to respond to international terrorism. In response, the White House recently released a blunt open letter calling on American businesses to take more urgent security measures to protect against ransomware attacks.

Within enterprises, C-suite and boardroom executives are turning to their security teams and asking, “What do we do now?” and “How can we avoid such an attack?” Security teams must reexamine their defenses and ensure they have the resources in place to prevent a costly ransomware attack from hurting their business.

Lack of Resources

Perhaps the biggest vulnerability for most security teams is a lack of resources to effectively detect and respond to security threats before they become serious incidents. The average enterprise security team is dealing with 10,000 security alerts per day, if not more. In fact, the (ISC)² Cybersecurity Workforce Study estimates that the global cybersecurity workforce needs to grow 89% to effectively defend organizations’ critical assets.

Even the best security teams may suffer from tunnel vision, leaving blind spots that savvy attackers can exploit. While the latest antivirus and endpoint detection and response (EDR) solutions can help manage security alerts, even the most advanced technologies can miss weak signals or the context that ties individual alerts together into an intrusion.

Automated Versus Manual Threat Hunting

Threat hunting is the proactive search for attacker activity that is already present in a network but has evaded existing security controls. Most threat hunting security services are automated, meaning they rely on rules and machine learning to identify anomalies within the network and flag concerns. However, this type of threat hunting is table stakes in today’s threat landscape.

To maintain vigilance, enterprises must go even further by engaging external experts to conduct a threat hunt within their network. These experts bring specialized tools, expertise and perspectives that help uncover malware or suspicious behavior that might otherwise go undetected. External threat hunting teams identify patterns, relationships and other indicators of compromise suggesting that security controls have been bypassed and an attacker is already operating inside the environment.

Whenever a security system detects an anomaly in the network, a manual threat hunt should follow immediately to determine whether the anomaly is part of an intrusion and, if so, how far it has progressed. A threat hunt can also provide independent validation that corrective actions have indeed been effective and that no persistent or additional threats are lurking in the network. Typically, manual threat hunts detect attacks earlier in the cyber kill chain, before the attacker reaches the stage of deploying and executing the ransomware payload.
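The two layers described above, an automated rule that flags an anomaly and a manual hunt that pivots from the hit to reconstruct the attacker's progress along the kill chain, can be shown on a handful of endpoint process events. The example below is added here and is not code from the author or from any vendor's detection content; the telemetry is constructed (loosely shaped like Sysmon/EDR process-creation events with pid/ppid links), and the rule, time window and kill-chain stage indicators are illustrative assumptions rather than a recommended rule set.

```python
"""Rule-based detection of an anomaly, then a hunt that pivots from the hit.

Added example, not the page's own code. All events below are constructed.
"""
from datetime import datetime, timedelta

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Constructed sample telemetry (not real data). ws-17 carries a macro-launched
# chain ending in shadow-copy deletion; ws-22 is benign background noise.
EVENTS = [
    {"ts": "2021-06-01T09:00:05", "host": "ws-17", "user": "alice", "pid": 4120, "ppid": 3300,
     "image": "winword.exe", "parent": "explorer.exe", "cmdline": "winword.exe invoice.docm"},
    {"ts": "2021-06-01T09:00:41", "host": "ws-17", "user": "alice", "pid": 4388, "ppid": 4120,
     "image": "powershell.exe", "parent": "winword.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAo..."},
    {"ts": "2021-06-01T09:00:44", "host": "ws-17", "user": "alice", "pid": 4402, "ppid": 4388,
     "image": "rundll32.exe", "parent": "powershell.exe",
     "cmdline": "rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\x.dll,Start"},
    {"ts": "2021-06-01T09:02:10", "host": "ws-17", "user": "alice", "pid": 4510, "ppid": 4402,
     "image": "vssadmin.exe", "parent": "rundll32.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2021-06-01T09:03:00", "host": "ws-22", "user": "bob", "pid": 2210, "ppid": 1900,
     "image": "excel.exe", "parent": "explorer.exe", "cmdline": "excel.exe budget.xlsx"},
    {"ts": "2021-06-01T11:15:00", "host": "ws-22", "user": "bob", "pid": 2640, "ppid": 2500,
     "image": "powershell.exe", "parent": "cmd.exe", "cmdline": "powershell.exe Get-Date"},
]

# Illustrative kill-chain stage indicators (assumed for this example).
STAGE_INDICATORS = [
    ("execution: Office app launching a script host",
     lambda e: e["parent"] in OFFICE_APPS and e["image"] in SCRIPT_HOSTS),
    ("defense evasion: hidden or encoded PowerShell",
     lambda e: e["image"] == "powershell.exe"
     and ("-enc" in e["cmdline"].lower() or "-w hidden" in e["cmdline"].lower())),
    ("execution: DLL run from a user temp directory via rundll32",
     lambda e: e["image"] == "rundll32.exe" and "\\temp\\" in e["cmdline"].lower()),
    ("impact precursor: volume shadow copies deleted",
     lambda e: e["image"] == "vssadmin.exe" and "delete shadows" in e["cmdline"].lower()),
]


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def rule_office_spawns_script_host(events):
    """Automated, table-stakes detection: an Office application spawning a script host."""
    return [e for e in events if e["parent"] in OFFICE_APPS and e["image"] in SCRIPT_HOSTS]


def pivot(events, hit, window=timedelta(minutes=15)):
    """Hunt pivot: everything that ran on the hit's host inside a window around it."""
    t0 = _ts(hit)
    same_host = (e for e in events if e["host"] == hit["host"] and abs(_ts(e) - t0) <= window)
    return sorted(same_host, key=_ts)


def process_chain(events, hit):
    """Follow pid/ppid links on the hit's host to collect its ancestors and descendants."""
    on_host = [e for e in events if e["host"] == hit["host"]]
    by_pid = {e["pid"]: e for e in on_host}
    chain, cur = [], hit
    while cur is not None:                       # walk up to the root we have telemetry for
        chain.insert(0, cur)
        cur = by_pid.get(cur["ppid"])
    frontier = [hit["pid"]]
    while frontier:                              # breadth-first walk down to children
        pid = frontier.pop(0)
        for e in on_host:
            if e["ppid"] == pid and e not in chain:
                chain.append(e)
                frontier.append(e["pid"])
    return sorted(chain, key=_ts)


def stages_observed(chain):
    return [name for name, pred in STAGE_INDICATORS if any(pred(e) for e in chain)]


def hunt(events):
    """Run the rule, then pivot from each hit into a reconstructed, stage-tagged chain."""
    report = []
    for hit in rule_office_spawns_script_host(events):
        chain = process_chain(events, hit)
        stages = stages_observed(chain)
        report.append({
            "host": hit["host"], "user": hit["user"],
            "chain": [e["image"] for e in chain],
            "context_events": len(pivot(events, hit)),
            "stages": stages,
            # A ransomware payload has not run yet, but the precursor stage is present.
            "ransomware_precursor": any(s.startswith("impact") for s in stages),
        })
    return report


if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

The rule alone would only tell an analyst that winword.exe started powershell.exe on ws-17; the pivot and chain reconstruction turn that single alert into the picture a hunter needs (macro execution, obfuscated PowerShell, a DLL dropped in a temp directory, shadow copies deleted) while bob's unrelated PowerShell on ws-22 stays out of the report. Real telemetry would use process GUIDs rather than reusable pids and would pull in network, file and registry events during the pivot.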

A Holistic Approach

Manual threat hunts should be conducted following a breach of a known partner or supplier, changes or upgrades to network firewalls, the deployment or upgrade of applications in the enterprise environment, or major personnel changes such as a mass layoff or a large shift to remote work. Conducting manual threat hunts on a regular basis, such as monthly, shortens the time an intruder can operate undetected and allows organizations to respond quickly and isolate infected endpoints from the rest of the network.

Expert threat hunters can also provide remediation and risk and compliance recommendations to close gaps in security protocols and policies. Analysts can also help reduce event noise and false positives, allowing teams to focus on the alerts that represent the greatest risks.

A few other ways organizations can help mitigate the risk of a successful cyberattack include:

  • Be sure all systems and applications are patched and up-to-date
  • Consistently conduct internal and external vulnerability scans to manage risks to the network
  • Monitor emails for suspicious messages and attachments
  • Review enterprise backup and recovery programs to ensure continuity of critical systems and data
  • Disable Office macros on user machines, or at a minimum block macros in documents received from the internet
  • Require all employees to complete security awareness training at least annually

In this new age of larger, more sophisticated and damaging cyberattacks, companies must be as smart as the attackers and heighten their defenses. Bringing in external expertise can help organizations eliminate blind spots, catching intrusions, including those that use previously unseen tools or techniques, before they do damage.


Kevin Golas

Mr. Golas has been in senior leadership roles in the information security industry for more than 20 years. He has expertise in information technology strategy, threat detection and intelligence, and information security and risk management. Mr. Golas has held leadership roles at Fortune 500 companies over his 20 years of experience. Mr. Golas is an active contributor to the evolution of security practices and threat detection tactics and strategies.
