For years, security teams have dealt with cyber adversaries by sitting back and waiting for an alert or flashing dashboard light to tell them something is wrong. In today's threat environment, though, that kind of reactive stance won't do. Organizations need to be proactive against potential and existing threats to their networks.
An important driver behind the adoption of threat hunting programs is the realization that no wall—no matter how high or thick—is going to keep invaders off a network. It's finally dawning on organizations that addressing cyberattacks as they happen leaves them much too vulnerable. They have to wade into the network to see what's really going on.
Another powerful driver behind threat hunting adoption is dwell time—the time attackers remain hidden on the networks of an organization before they're discovered. While median dwell times have declined over the last decade, from 416 days in 2011 to 24 days in 2021, it remains a perplexing problem.
That's because the passive approach to countering threats has proved inadequate. If a security team just waits for a red light on the security dashboard, it's already too late to avert damage. Chances are the attackers have been on the network long enough to accomplish their mission. They have to be exposed long before that dashboard light turns red.
Nothing drove that point home more than the COVID-19 pandemic. Organizations went from "bring your own device" to "bring your own network." That increased the attack surface for many businesses, which in turn increased attacks. To deal with that, some organizations have begun setting up standalone, threat hunting groups outside their security operations centers.
As more companies see the benefit of having threat hunters, others will get on board with that approach. Here's why threat hunting is critical to your cyber-defense—and could even become a requirement for cyber insurance.
The view from the trenches
What kinds of threats do threat hunters find? Here are some real-life examples cited by Jason Wood, senior researcher for tactical intelligence at CrowdStrike, and Paul Reid, threat hunting lead at Interset, during a recent "fireside chat" that I hosted.
- An internal application at a financial institution that was used to upload financial information into a web app was misconfigured, so the data was transferred using HTTP, rather than the more secure HTTPS.
- Organizations had naked RDP and SMB connections on the Internet, which were favorite targets of the Dharma ransomware gang during the rush to get home workers connected to their offices.
- A domain administrator who installed the gaming app Steam on his home laptop gave it domain administrator privileges, so an attack on Steam would allow the attackers to get domain administrator credentials.
- A finance officer copied a payroll database to a USB stick to work with it at home.
- A point-of-sale system in North America was leveraged to scan machines in Hong Kong for SCADA devices and to extract employee information and location security plans.
- Free security software that works as advertised for most users installs a program called BCB Edit on domain administrators' machines. That program allows an external party to change the signing requirements for updates, so compromised versions of Windows can be pushed to the machine.
- Common security tools with cracked licenses were used to attack systems, and unusual Logmein connections were used to attack other organizations.
The path to success
So how do threat hunting advocates get the practice up and running within their organizations?
When trying to create a beachhead for threat hunting within an organization, it's important to produce some quick, visible wins. Those can be very persuasive in prodding an organization to expand a threat hunting program.
If an organization is just starting down the threat hunting path, those wins can be produced by existing security team members who show a willingness to dedicate a portion of their time every week to hunt for threats. That's not the ideal approach to the problem, but it allows team members to gain the knowledge they need about the inner workings of the organization and how adversaries are operating to create the wins that can be leveraged for more resources.
What must be conveyed to the organization is that threat hunting is a kind of insurance policy. When it takes care of a major issue—for example, escaping a crippling ransomware attack that would have put the company on the Top Stories page of Google News—the program more than pays for itself.
Another consideration when launching a threat hunting program is getting the right data. With data, volume is less important than quality. Data without valuable insights is noise, and noise obscures visibility, which is a necessity for a threat hunter.
The best data for threat hunters is that closest to the threat event. That's why endpoint data is typically the most valuable. It takes you to the battlefield. If threat hunters don't have the data they need when they're putting their program together, they've got to go out and get it.
When setting up a threat hunting program, it's important to be aware that when such initiatives include the monitoring of employee behavior, they may be challenged by the legal or human resources department. Real-time monitoring or recording of employee and third-party activity has the potential to seriously threaten privacy rights, so security teams need to tread carefully.
Add method to madness
Methodology is another important consideration when designing a threat hunting program. There are many methods for implementing a threat hunting program, but one that's gaining popularity is behavior-based. An organization establishes a baseline for behavior on its networks, then continually looks for events outside that baseline—behavioral anomalies—that could indicate threats to the network.
No matter what techniques an attacker uses on a system, some kind of normal behavior is going to change. By using a baseline model, you can identify those behaviors.
Whatever methodology you choose, it should enable your security team to identify threat actors during or before their reconnaissance phase—while they're trying to get the lay of the land within an organization or exploring ways to break into a system—so you can stop them before they cause any damage.
Methodology is also important for building a knowledge base of "lessons learned" so threat hunters can evolve their methods to keep pace with those of the threat actors.
Regardless of the methodology used to hunt threats, teams can benefit from diversity within their ranks. While it's good to have veteran threat hunters on a team, members with other disciplines—such as mail system administrators, sysadmins, network administrators, and network engineers—can also be invaluable
New attack targets emerge every day and can come from any direction. A team with diversified members will be more capable of dealing with the variety of threats thrown at its organization on a daily basis.
Once you've established a threat hunting program, your organization can go from reacting to attacks to proactively nipping threats in the bud before they blossom into major problems.
For more on this topic, replay my September Fireside Chat with Jason Wood, senior researcher for tactical intelligence at CrowdStrike, and Paul Reid, threat hunting lead at Interset.
Keep learning
Learn from your SecOps peers with TechBeacon's State of SecOps 2021 Guide. Plus: Download the CyberRes 2021 State of Security Operations.
Get a handle on SecOps tooling with TechBeacon's Guide, which includes the GigaOm Radar for SIEM.
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed on cyber resilience with TechBeacon's Guide. Plus: Take the Cyber Resilience Assessment.
Put it all into action with TechBeacon's Guide to a Modern Security Operations Center.