‘Hunted’ to ‘Hunter’, Reactive to Proactive Security

Author: Nick Race, ANZ Country Manager, Arbor Networks

It is an unfortunate reality that attackers are becoming far more successful at stealing data and personal customer information from businesses around the world.

In October, we saw one of the most high-profile examples – an attack on TalkTalk that affected an estimated 4 million customers.

Successfully securing our organisations seems to be getting more difficult, despite the new technologies that promise to help us defeat the latest attacks.

There are a number of reasons for this, but possibly the most important is that our adversaries are motivated, innovative people who in many cases have access to the same technologies we use to defend ourselves – allowing them to tune their tactics to evade those defences.

However, there are things we can do. For instance, almost all attacks make use of one common resource – our networks – and therefore we should be able to detect and block them, if we are looking at the right things in the right way.

The problem is that in many cases our security resources tend to be bogged down in processing events – some of which are false positives and most of which don’t represent key risks to our critical business assets and processes. In short, we aren’t using our best asset – our security people – to their best effect.

We are trying to react to an ever-increasing number of events, rather than proactively looking for the threats that matter using the network as our viewpoint.

Don’t get me wrong, the reactive methodology does result in the identification and containment of many threats, but some still get through.

These are often the ones that are orchestrated to evade our existing solutions and processes; multi-stage, stealthy attacks with component parts that are designed to look innocuous.

This is where hunting comes in; hunting allows us to augment our reactive processes with a more focused proactive approach and utilises the intelligence and skill of the people within our security teams.

Hunting combines that skill with the data we already have on network and threat activity to identify anomalous or suspicious communications that may warrant further investigation. It is simply a new entry point into our existing IR process.

So, how do we start hunting? Well, the key is to know what ‘normal’ looks like for activity within a given environment. Humans are very good at pattern recognition: if we present data on network traffic and threat trends in a visual way, then the people using the systems will become familiar with ‘normal’ and will, crucially, be able to identify changes when they happen.

To do this effectively, though, we need to focus on the targets that attackers are most likely to go after.

The first step in hunting is identifying the data or processes of value to the organisation using the network, for example, online customer transactions, and the pathways attackers may take to reach these targets. What is key here is that we have to think like the attacker.

Some organisations will hold data that is not considered intrinsically valuable – but it may have a greater utility outside of the organisation, and may still therefore be a target.

Once we have identified these key assets, and the pathways to them, we need to familiarise ourselves with normal levels of activity, as mentioned above. This will involve exploring the data we have on what is going on. We may not find anything, but the process of looking will help us to identify anything unusual the next time we look.

We can also use intelligence to help focus our activities. If we have intelligence on a particular attack vector, or have previous incidents as a reference, then we can explore the data we have to ensure nothing related is ongoing.
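The hunting steps above (pick the critical asset, learn its normal traffic, then look for deviations and for anything matching existing intelligence) can be reduced to a small, repeatable check. The following is an added example and not code from the article or from Arbor Networks; every host address, port, byte count and intelligence indicator in it is constructed for illustration, and the flow-record layout is a hypothetical simplification of what a flow collector would export.

```python
"""
Added example (not from the article): a minimal hunt over constructed flow
records. Baseline: which (source host, port) pairs normally reach a critical
asset, and the typical byte volume for each. Hunt: flag sources never seen
reaching the asset, unusual volumes, and contact with known-bad indicators
from a threat-intelligence list. All values below are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# The "data of value" from the text, as a critical asset (constructed address).
CRITICAL_ASSETS = {"10.0.5.20": "online-transactions-db"}

# Constructed intelligence indicators, e.g. from a previous incident (not real IoCs).
INTEL_INDICATORS = {"203.0.113.77": "command-and-control host from prior incident (constructed)"}

# Constructed baseline flows from a "known normal" period: (src, dst, dst_port, bytes)
BASELINE_FLOWS = [
    ("10.0.1.11", "10.0.5.20", 5432, 12000),
    ("10.0.1.11", "10.0.5.20", 5432, 11500),
    ("10.0.1.11", "10.0.5.20", 5432, 12800),
    ("10.0.1.12", "10.0.5.20", 5432, 9000),
    ("10.0.1.12", "10.0.5.20", 5432, 9500),
    ("10.0.1.12", "10.0.5.20", 5432, 8800),
    ("10.0.1.11", "10.0.9.9", 443, 3000),  # not to a critical asset; ignored by baseline
]

# Constructed flows from the day being hunted.
HUNT_FLOWS = [
    ("10.0.1.11", "10.0.5.20", 5432, 12100),    # within the normal range
    ("10.0.1.12", "10.0.5.20", 5432, 95000),    # roughly ten times the usual volume
    ("10.0.3.44", "10.0.5.20", 5432, 4000),     # host never seen reaching the asset
    ("10.0.1.12", "203.0.113.77", 443, 2000),   # contact with an intelligence indicator
]


def build_baseline(flows, assets):
    """Map each (src, dst, port) that reaches a critical asset to its byte counts."""
    baseline = defaultdict(list)
    for src, dst, port, nbytes in flows:
        if dst in assets:
            baseline[(src, dst, port)].append(nbytes)
    return baseline


def hunt(flows, baseline, assets, indicators, k=3.0):
    """Return findings as (kind, flow, detail) for flows worth an analyst's attention."""
    findings = []
    for flow in flows:
        src, dst, port, nbytes = flow
        # Intelligence check: either end of the flow is a known indicator.
        for host in (src, dst):
            if host in indicators:
                findings.append(("intel-match", flow, indicators[host]))
        if dst not in assets:
            continue
        key = (src, dst, port)
        if key not in baseline:
            findings.append(("new-path-to-asset", flow,
                             f"{src} never seen reaching {assets[dst]} on port {port}"))
            continue
        history = baseline[key]
        mu, sigma = mean(history), pstdev(history)
        # Floor the spread at 10% of the mean so a near-constant baseline does
        # not flag every small fluctuation as anomalous.
        threshold = mu + k * max(sigma, 0.1 * mu)
        if nbytes > threshold:
            findings.append(("volume-anomaly", flow,
                             f"{nbytes} bytes vs baseline mean {mu:.0f} (threshold {threshold:.0f})"))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FLOWS, CRITICAL_ASSETS)
    for kind, flow, detail in hunt(HUNT_FLOWS, baseline, CRITICAL_ASSETS, INTEL_INDICATORS):
        print(f"{kind:18} {flow}  {detail}")
```

Run on the constructed data, the script reports three findings: a volume anomaly, a new source reaching the critical asset, and a flow to the intelligence indicator. None of these is a confirmed incident; each is an entry point into the existing IR process, which is the role the text assigns to hunting. The baseline here is deliberately simple (per-path byte statistics); in practice the same structure extends to time-of-day profiles, connection counts, or protocol mix for each pathway to an asset.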

All of the above though relies on one thing – the ability to visualise network and threat activity. The traditional ‘rows and columns’ view presented by security solutions doesn’t help us, and neither do solutions that take a long time to respond to queries. The ability to investigate and explore data visually at the speed of thought is key if we are going to enable our security teams to become more proactive.

Organisations need to turn the tables and become the hunters instead of the hunted. To achieve this, organisations need to become less reliant on technology to defend them. They also need to make better use of their best security assets – their people.

Using the network as a viewpoint – gathering traffic and threat activity information – and then visualising this data is key.

The process of exploring this information, if implemented correctly, is very engaging for security people and it can allow us to find threats that would otherwise slip through, reducing our business risk and enabling a more proactive security posture.
