The past six months have seen the cyber threat landscape worsen rapidly. Hospitals are under siege from ransomware, breaches are increasingly moving to mobile devices and there has been a successful attack against a public utility.
The cyber threats we face constitute a state of emergency, as attackers are pooling their efforts and establishing well-funded, organised crime syndicates. We are no longer fighting lone-wolf hackers working from basements. We are fighting an aggregate of organised attackers zeroing in on our data.
Defensive security postures are important – hardening systems, segmenting networks, reducing access and creating audit trails along the way – but they are not enough to protect critical assets against these motivated attacks. It’s time for the community to begin more aggressive detection of threats against our enterprises. It’s time to go hunting for threats and malicious activities.
‘Threat hunting’ is no marketing buzzword. It is an offensive posture and a culture that unites man and machine to go on search-and-destroy missions. It is not even a new strategy. Over time we came to rely on technology alone for detection, now we need to evolve. We must bring back the human element, the hunters – real people doing the spy work and scouring systems to find malicious code or a piece of malware that technology alone has failed to detect.
With threat hunting, it is critical to accept the inevitability of compromise. This means embracing the roles of both fire marshal and police officer. As firefighters, we need to respond quickly when the alarm sounds but we can also play the police officer role, looking for crimes and getting to know the neighbourhood. Like any good crime hunter, we should be attempting to predict what designs and activities will create unsafe environments and lead to incidents.
Compromise is inevitable, so assuming the cyber-criminals will get in, we must accept the fact that our technology cannot detect 100 per cent of attacks. The gap between technology and perfection is where threat hunting is essential. Hunting hinges on people seeking and finding what is not being found through technology and automatic alerting.
What are we hunting?
A hunting ‘expedition’ does not have to result in finding advanced persistent threats (APTs) or malware to be considered successful. There are many potential outcomes.
The hunter is unleashing human creativity, instinct and analysis on data in an environment. He/she is freeing a team to explore and find their own leads and threads to pull, and putting them directly into the trenches.
What are the results if hunters are not finding evil? They will understand their environment better, nose out the gaps and see what needs more care and feeding. “Oh, that system’s logging is malfunctioning and has been for months?” Great, now we can fix it. Now we are safer. One of the main problems in security is deploy and decay – the lack of tuning and optimising technologies over time to keep up with the organic environment.
As teams hunt, they must embrace the blend of operations and intelligence, and actions must happen swiftly. A lead must be determined quickly to be a waste of time, otherwise too much time will be spent going down the wrong path. Hunting is open-ended, but lessons need to be learned. Whether IT prefers the OODA Loop, the F3EAD system from JSOC, or the Lean Startup Methodology, these analogies to quick, less-costly learning are highly applicable to hunting.
The time to hunt is now. It starts with visibility and involves humans. Hunting can be fun, as it allows creativity to flourish. So give your team that ‘Google 20 per cent time’ to hunt and then watch the detection rate improve. Take the lessons learned, feed those back into the system, and strive for continual improvement.
Carbon Black is a US-based data security vendor that is active in Australia and New Zealand.