Cyberthreat Hunting: When It’s Time to Go on the Offensive
Every day, the average organization records 200,000 pieces of security event data. The U.S. Department of Defense, particularly the Defense Information Services Agency (DISA), handles as many as 800 billion security incidents per day. Getting proactive about cyberthreat hunting is the new security imperative. Yet, a recent Ponemon Institute survey as reported by Infosecurity Magazine found that only 16 percent of managed security providers offer proactive threat hunting services.
Successful cyberthreat hunting seeks out emerging dangers and shuts them down before organizations incur damage from them. It’s not just about detecting more threats; it’s about getting in front of the ones that matter the most.
Patrol the Right Assets
Start by listing assets and incidents that, if carried out, would cause the most harm to your organization. Consider direct financial losses, such as lost revenue from a system crippled by a distributed denial-of-service (DDoS) attack; and indirect financial losses, such as lost sales associated with reputation damage and weakened customer trust.
In addition to preventing short-term losses, you should also actively hunt threats against your long-term moneymakers, such as intellectual property. It’s also important to prioritize vital infrastructure, such as the power grid, to prevent more widespread damage as well as potential injury and loss of life.
Identify Problem Behaviors
According to SANS, zero-day attacks have three primary goals: monitoring operations, theft of secrets and production disruption. Successful cyberthreat hunting means identifying zero-day exploits by their behaviors instead of waiting for signature detection to catch up.
Robert Bond of ThreatTrack Security, writing for LinkedIn Pulse, notes four key signs of an attack underway:
1. Unusual Behavior From Network Resources
These behaviors include connections from unusual locations or IP addresses, the sudden appearance of new services or a proliferation of unusual connections within the environment.
2. Suspicious Control Flow Data
Compromised machines often try to scan for and use services (particularly remote ones) they don’t normally access.
3. Unusual Data Transfers
When data is transferred to suspicious locations outside your network, or moved to an unusual place within it, it’s time to go on the hunt for potential threats.
4. Increasingly Sophisticated Attacks
Attacks that increase in complexity when they interact with your network are a sign that your organization is being targeted and probed. These threats are taking the time to learn about your security in order to penetrate it.
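As an added example (not code from the original article), the following Python hunt checks the first three signs above against a per-host baseline of known peers and outbound volume; the baseline, thresholds and flow records are constructed, hypothetical values.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed baseline (hypothetical): the (dst, port) pairs each host normally
# talks to, learned from a clean window, plus its typical daily outbound bytes.
INTERNAL = ip_network("10.0.0.0/8")
BASELINE_PEERS = {
    "10.0.1.5": {("10.0.2.20", 445), ("203.0.113.10", 443)},
    "10.0.1.9": {("10.0.2.20", 445)},
}
BASELINE_OUT_BYTES = {"10.0.1.5": 2_000_000, "10.0.1.9": 500_000}
KNOWN_INTERNAL_SERVICES = {22, 443, 445}

# Constructed flow records for one day: (src, dst, dst port, bytes sent).
SAMPLE_FLOWS = [
    ("10.0.1.5", "10.0.2.20", 445, 1_000),
    ("10.0.1.5", "198.51.100.77", 443, 30_000_000),  # new external peer, large upload
    ("10.0.1.9", "10.0.2.21", 3389, 400),            # RDP from a host that never used it
    ("10.0.1.9", "10.0.2.22", 3389, 400),
    ("10.0.1.9", "10.0.2.23", 3389, 400),
]

def hunt(flows, peers=BASELINE_PEERS, out_bytes=BASELINE_OUT_BYTES,
         volume_ratio=10, scan_threshold=3):
    """Return (host, sign, detail) findings for signs 1-3 of the article."""
    findings = []
    sent = defaultdict(int)      # outbound bytes per source host
    novel = defaultdict(set)     # (dst, port) pairs not seen in the baseline
    for src, dst, port, nbytes in flows:
        sent[src] += nbytes
        if (dst, port) in peers.get(src, set()):
            continue  # seen in the learning window; nothing to flag
        novel[src].add((dst, port))
        if ip_address(dst) not in INTERNAL:
            findings.append((src, "unusual external peer", f"{dst}:{port}"))
        elif port not in KNOWN_INTERNAL_SERVICES:
            findings.append((src, "new internal service", f"{dst}:{port}"))
    # Sign 2: many never-before-seen peers from one host looks like service probing.
    for src, pairs in novel.items():
        if len(pairs) >= scan_threshold:
            findings.append((src, "scan-like service probing", f"{len(pairs)} new peers"))
    # Sign 3: outbound volume far above the host's own baseline.
    for src, total in sent.items():
        base = out_bytes.get(src)
        if base and total > volume_ratio * base:
            findings.append((src, "unusual transfer volume", f"{total} bytes vs {base} baseline"))
    return findings

if __name__ == "__main__":
    for host, sign, detail in hunt(SAMPLE_FLOWS):
        print(f"{host}: {sign} ({detail})")
```

Findings of this kind are the leads a hunter triages; the baseline should be rebuilt as the environment changes so that legitimate new services do not stay flagged.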
Automate as You Learn
Perimeter detection and threat intelligence tools are important for cyberthreat hunting, but they aren’t magical tools that will make threats disappear. Organizations waste an average of 21,000 hours and spend $1.3 million responding to false positives.
Even so, automated threat response can be a valuable time-saver when used correctly. Work with your managed security provider to analyze past and ongoing attacks, noting key warning signs and placing them in context. Prioritize those signals for automated response, and program your software to ignore irrelevant signals.
Incorporate Emerging Solutions
It’s impossible for human security analysts to consume all available security data. Eighty percent of the security information published each month — think 75,000 documented software vulnerabilities, 10,000 monthly security papers and 60,000 security blogs — consists of unstructured data for human consumption. Very little of this information can go into a feed and then be used by automated tools. That’s where emerging cognitive computing solutions can improve automation.
Through natural language processing and machine learning, cognitive solutions can build a corpus of knowledge consisting of past and present cyberthreat hunting data. The solution then interacts with human analysts to fine-tune its knowledge and uses predictive analytics to suggest possible remediation steps. Cognitive computing could add monumental scale to cybersecurity efforts. Even without artificial intelligence, technologies like software-defined networking (SDN) help organizations automate threat responses, enabling them to add more and better security solutions to their portfolios.
Cyberthreat Hunting Success Isn’t Real Until You Prove It
According to a recent Ponemon Institute survey, organizations take an average of 170 days to discover attacks in progress. Then, they require 39 days to contain attacks and 43 days to remediate systems.
Demonstrate the return on your cyberthreat hunting investment by quantifying successes, such as shorter response, containment and repair times, and reduced financial losses. Using an anti-virus agent to find malware within a non-critical system is nice, but stopping a zero-day attack that could bring big financial losses is the ultimate win.