No matter how hard we try to prevent data breaches, it seems like they’ve become an inevitable part of our lives. Threat actors work hard to create the next sophisticated attack that exploits vulnerabilities we didn’t know existed, so it’s only a matter of time before we experience the next headline-grabbing data breach.
However, attacks certainly aren’t limited to exposure of consumer credit information. Critical infrastructure, governments, and political campaigns are equally at risk, and alarmingly, some organizations may not even know that the attackers targeting them may be lurking in their networks already.
Threat hunting, or the proactive search for points of exposure and unknown vulnerabilities, is emerging as a leading way to keep ahead of these hidden attacks, or ones that unfold slowly over long periods of time. In a recent SANS survey, half of the respondents said they hunt for threats at least on an ad-hoc basis, and of those, 91% say they’ve reduced their overall exposure. Those numbers are promising, but what about the other half of respondents who aren’t doing any threat hunting at all, or who don’t know where to start?
Getting a threat hunting function set up within a security team isn’t easy. It takes a lot of planning, skilled and dedicated professionals, and security solutions that help them succeed. With the right people, processes, and technology in place, you’re in a better position to ensure your security team members are on their way to becoming effective threat hunters.
Educate, Evangelize, and Enlighten
It probably comes as no surprise to your colleagues that your organization has a team dedicated to cyber threat response. They’re probably less familiar with proactive threat hunting, or the process of testing complex hypotheses to prove or disprove a threat is lurking in your network.
Ensure everyone in your organization understands the important function threat hunters perform, and how it benefits the business. Take a top-down approach so your executive staff understands why building out a threat hunting function is necessary so they’re ready to support the team. Educate groups within your organization so that they too understand how they can benefit from having a threat hunting team.
For example, departments that handle sensitive business documents, financial information, and intellectual property can benefit from increased security. And everyone in the organization can benefit from hypothesis testing that highlights gaps in technology or business processes that expose the business to potential threats.
Help Analysts Become Threat Hunters
Security professionals know they are in high demand and are interested in developing new skills that increase their marketability. Your security team managers should keep their eyes open for junior analysts who exhibit interest or capacity to become threat hunters. Encourage senior security staff to share their knowledge with these analysts, and help them improve their intuition and investigative mindset.
Upskilling analysts into threat hunters also helps improve job satisfaction because the work is more challenging than performing the less exciting or repetitive tasks associated with investigating the thousands of spurious alarms generated by most threat detection systems. In turn, that benefits your organization because it improves your chances that you’ll be able to retain valuable security staff, which is important since replacing that talent isn’t easy.
Keep Threat Hunters Focused
Your team will be most successful if it’s staffed by dedicated resources who can remain focused on threat hunting, not generalists who also do detection and response. Make sure the products in your security stack are working together so that your threat hunters have the well-rounded security context that helps them become more effective at their jobs. Products like IDS, SIEM, firewalls, and endpoint security should work together, sharing information that helps automate detection and mitigation so that your threat hunting analysts don’t become bogged down with the mundane work of incident investigations.
Also, make sure the data and analysis from these products gets fed into a unified body of correlated forensic evidence to provide better context, and that it's retained for periods of time that are longer than breach detection windows. Having this information available in one place helps keep threat hunters focused on threat hunting instead of having to pull in data from different siloed systems in order to do their jobs.
Unbound Yourself With the Cloud
If you’re collecting the right data for the right amount of time, that likely means you’re managing a considerable volume of data. It’s not practical, cost-effective, or scalable to store that information in on-premises hardware that also doesn’t provide the computing power necessary to perform a thorough analysis.
Cloud storage costs pennies on the dollar, and the cost of cloud computing is far less than building out and maintaining your own data center. With costs and scalability no longer a concern, your analysts can threat hunt in ways not possible with legacy solutions. The cloud can store full-fidelity PCAP data for as long as needed, which enables the hunt for threats that may have started affecting your network months or years ago. The elastic computing power of the cloud also allows threat hunters to build and test complex theories on massive amounts of data quickly.
Without the storage capacity and computing limitations of legacy on-premises security products, data from multiple products in your security stack can be analyzed and correlated, giving threat hunters a more contextual understanding of security events and threat observations on their networks. So instead of only seeing that an event happened at a specific point in time without any additional context, threat hunters can get a 360-degree view of the network segments, users, devices, and even external parties involved.
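As an added illustration of the unified evidence body described under “Keep Threat Hunters Focused” and in the paragraph above (example code written for this article, not any product’s own): records from an IDS, a firewall, and an endpoint agent are mapped onto one schema, pivoted through an asset inventory so hostnames and IPs line up, and clustered per host so a hunter sees one timeline with user, segment, and external parties instead of three disconnected alerts. A small retention check shows why the evidence must reach back further than the suspected start of the activity. The log shapes, asset inventory, 15-minute window, and all IPs and hostnames are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in each product's own shape (hypothetical
# field names; not taken from any real product's log format).
IDS_ALERTS = [
    {"time": "2019-03-04T10:02:11", "src": "10.20.5.17", "dst": "203.0.113.45",
     "msg": "Executable file download over HTTPS"},
    {"time": "2019-03-04T14:30:00", "src": "10.20.7.3", "dst": "10.20.7.20",
     "msg": "SMB share enumeration"},
]
FIREWALL_LOGS = [
    {"ts": "2019-03-04T10:02:09", "src_ip": "10.20.5.17", "dst_ip": "203.0.113.45",
     "dst_port": 443, "action": "allow"},
    {"ts": "2019-03-04T10:09:40", "src_ip": "10.20.5.17", "dst_ip": "198.51.100.8",
     "dst_port": 8443, "action": "allow"},
]
ENDPOINT_EVENTS = [
    {"timestamp": "2019-03-04T10:03:02", "hostname": "FIN-WS-042",
     "event": "process_create", "image": "C:\\Users\\jdoe\\Downloads\\invoice.exe"},
]
# The asset inventory (constructed) is the pivot between hostnames and IPs
# and supplies the business context (owner, network segment).
ASSETS = {
    "10.20.5.17": {"hostname": "FIN-WS-042", "user": "jdoe", "segment": "finance"},
    "10.20.7.3": {"hostname": "ENG-WS-110", "user": "asmith", "segment": "engineering"},
}
HOST_TO_IP = {a["hostname"]: ip for ip, a in ASSETS.items()}
INTERNAL_PREFIX = "10."  # assumption: the internal range is 10.0.0.0/8


def _external(addr):
    """Return the address if it is outside the internal range, else None."""
    return None if addr.startswith(INTERNAL_PREFIX) else addr


def normalize():
    """Map every product's records onto one schema: ts, ip, source, external, summary."""
    events = []
    for a in IDS_ALERTS:
        events.append({"ts": datetime.fromisoformat(a["time"]), "ip": a["src"],
                       "source": "ids", "external": _external(a["dst"]), "summary": a["msg"]})
    for f in FIREWALL_LOGS:
        events.append({"ts": datetime.fromisoformat(f["ts"]), "ip": f["src_ip"],
                       "source": "firewall", "external": _external(f["dst_ip"]),
                       "summary": f"{f['action']} -> {f['dst_ip']}:{f['dst_port']}"})
    for e in ENDPOINT_EVENTS:
        # Endpoint data is keyed by hostname; resolve it to the IP the network products see.
        events.append({"ts": datetime.fromisoformat(e["timestamp"]),
                       "ip": HOST_TO_IP.get(e["hostname"], e["hostname"]),
                       "source": "endpoint", "external": None,
                       "summary": f"{e['event']} {e['image']}"})
    return sorted(events, key=lambda ev: ev["ts"])


def correlate(events, window=timedelta(minutes=15)):
    """Group events per host into activity clusters; a new cluster starts when the
    gap to the previous event on that host exceeds `window`. Input must be time-sorted."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    clusters = []
    for ip, evs in by_ip.items():
        current = None
        for ev in evs:
            if current is None or ev["ts"] - current["end"] > window:
                asset = ASSETS.get(ip, {})
                current = {"ip": ip, "hostname": asset.get("hostname"), "user": asset.get("user"),
                           "segment": asset.get("segment"), "start": ev["ts"], "end": ev["ts"],
                           "sources": set(), "external_ips": set(), "timeline": []}
                clusters.append(current)
            current["end"] = ev["ts"]
            current["sources"].add(ev["source"])
            if ev["external"]:
                current["external_ips"].add(ev["external"])
            current["timeline"].append(f"{ev['ts'].time()} [{ev['source']}] {ev['summary']}")
    return clusters


def corroborated(clusters, min_sources=2):
    """Clusters observed by two or more independent products are the ones worth a hunter's time."""
    return [c for c in clusters if len(c["sources"]) >= min_sources]


def retention_covers(retention_days, suspected_start, today):
    """True if evidence kept for `retention_days` still reaches back to the suspected
    start of the activity; if not, the hunt cannot be completed from stored data."""
    return today - suspected_start <= timedelta(days=retention_days)


if __name__ == "__main__":
    for c in corroborated(correlate(normalize())):
        print(f"{c['hostname']} ({c['user']}, {c['segment']}) {c['start']} - {c['end']}")
        print("  sources:", sorted(c["sources"]), "external:", sorted(c["external_ips"]))
        for line in c["timeline"]:
            print("  ", line)
```

The single IDS alert on the engineering workstation stays a lone, uncorroborated cluster, while the finance workstation's download, process creation, and later outbound connection collapse into one timeline with the owner, segment, and both external addresses attached. Whatever window and pivot keys you choose, the design point is the same: normalize first, then correlate, so no analyst has to stitch the view together by hand across siloed consoles.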
Start Building Your Threat Hunting Team Today
If you know data breaches are inevitable, and that threat hunting is a proven way to help reduce risk, then it’s only logical that you don’t want to be part of the 50% who aren’t threat hunting already. Security gaps exist, even in the most heavily fortified security defenses, and there are even some threat actors who make a business out of advertising these gaps before you can protect yourself. By upskilling your staff, implementing the right tools, and adhering to a few best practices, threat hunting can help your organization take a more proactive stance against cyber threats.