As hackers become syndicates, it’s time to go threat hunting

By Kane Lightowler, Managing Director Asia Pacific + Japan, Carbon Black

The past six months have seen the cyber threat landscape worsen rapidly. Hospitals are under siege from ransomware, breaches are increasingly moving to mobile devices and there has been a successful attack against a public utility.

The cyber threats we face constitute a state of emergency, as attackers are pooling their efforts and establishing well-funded, organised crime syndicates. We are no longer fighting lone-wolf hackers working from basements. We are fighting an aggregate of organised attackers zeroing in on our data.

Defensive security postures are important – hardening systems, segmenting networks, reducing access and creating audit trails along the way – but they are not enough to protect critical assets against these motivated attacks. It’s time for the community to begin more aggressive detection of threats against our enterprises. It’s time to go hunting for threats and malicious activities.

‘Threat hunting’ is no marketing buzzword. It is an offensive posture and a culture that unites man and machine to go on search-and-destroy missions. It is not even a new strategy. Over time we came to rely on technology alone for detection; now we need to evolve. We must bring back the human element, the hunters – real people doing the spy work and scouring systems to find malicious code or a piece of malware that technology alone has failed to detect.

Threat hunting

With threat hunting, it is critical to accept the inevitability of compromise. This means embracing the roles of both fire marshal and police officer. As firefighters, we need to respond quickly when the alarm sounds but we can also play the police officer role, looking for crimes and getting to know the neighbourhood. Like any good crime hunter, we should be attempting to predict what designs and activities will create unsafe environments and lead to incidents.

Compromise is inevitable, so assuming the cyber-criminals will get in, we must accept the fact that our technology cannot detect 100 per cent of attacks. The gap between technology and perfection is where threat hunting is essential. Hunting hinges on people seeking and finding what is not being found through technology and automatic alerting.

What are we hunting?

A hunting ‘expedition’ does not have to result in finding advanced persistent threats (APTs) or malware to be considered successful. There are many potential outcomes.

The hunter is unleashing human creativity, instinct and analysis on data in an environment. He/she is freeing a team to explore and find their own leads and threads to pull, and putting them directly into the trenches.

What are the results if hunters are not finding evil? They will understand their environment better, nose out the gaps and see what needs more care and feeding. “Oh, that system’s logging is malfunctioning and has been for months?” Great, now we can fix it. Now we are safer. One of the main problems in security is deploy and decay – the lack of tuning and optimising technologies over time to keep up with the organic environment.
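A hunting check of the kind this paragraph describes, added here as an example and not part of the original article: it compares an inventory of hosts that are expected to ship logs against the events actually received and flags sources that have gone silent (the "logging has been malfunctioning for months" case). The host inventory, event lines, timestamp format and threshold are constructed, hypothetical values.

```python
from datetime import datetime, timedelta

# Constructed, hypothetical inventory of hosts that are expected to ship logs.
EXPECTED_SOURCES = ["dc01", "web01", "db01", "fw-edge"]

# Constructed sample events in the form "<ISO timestamp> <source> <message>".
SAMPLE_EVENTS = [
    "2016-05-02T09:14:01Z dc01 Security 4624 logon",
    "2016-05-02T09:15:33Z web01 nginx GET /index.html 200",
    "2016-02-11T03:02:10Z db01 syslog backup complete",  # nothing since February
    "2016-05-02T09:16:00Z dc01 Security 4634 logoff",
    "not a well-formed event line",                       # malformed, skipped
]

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def parse_event(line):
    """Return (timestamp, source) for a well-formed line, else None."""
    parts = line.split(" ", 2)
    if len(parts) < 3:
        return None
    try:
        return datetime.strptime(parts[0], TS_FMT), parts[1]
    except ValueError:
        return None

def find_silent_sources(events, expected, now_str, max_silence_days):
    """Map each expected source that has been silent longer than the
    threshold (or was never seen at all) to its last-seen timestamp or None."""
    now = datetime.strptime(now_str, TS_FMT)
    limit = timedelta(days=max_silence_days)
    last_seen = {}
    for line in events:
        parsed = parse_event(line)
        if parsed is None:
            continue                      # malformed lines never update last_seen
        ts, src = parsed
        if src not in last_seen or ts > last_seen[src]:
            last_seen[src] = ts
    silent = {}
    for src in expected:
        seen = last_seen.get(src)
        if seen is None or now - seen > limit:
            silent[src] = seen.strftime(TS_FMT) if seen else None
    return silent

if __name__ == "__main__":
    report = find_silent_sources(SAMPLE_EVENTS, EXPECTED_SOURCES,
                                 "2016-05-02T10:00:00Z", 1)
    for src, seen in report.items():
        print(f"{src}: last event {seen or 'never'}")
```

Hosts that appear in the inventory but never in the event stream are the "deploy and decay" cases worth chasing first, since a source that was never onboarded looks identical to one whose agent died.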

As teams hunt, they must embrace the blend of operations and intelligence, and actions must happen swiftly. A lead that is a waste of time must be recognised as such quickly, otherwise too much time will be spent going down the wrong path. Hunting is open-ended, but lessons need to be learned. Whether IT prefers the OODA Loop, the F3EAD system from JSOC, or the Lean Startup Methodology, these analogies to quick, less-costly learning are highly applicable to hunting.

The time to hunt is now. It starts with visibility and involves humans. Hunting can be fun, as it allows creativity to flourish. So give your team that ‘Google 20 per cent time’ to hunt and then watch the detection rate improve. Take the lessons learned, feed those back into the system, and strive for continual improvement.

Carbon Black is a US-based data security vendor that is active in Australia and New Zealand.
