What to Take Away from the Threat Hunt

September 7, 2016 · steveverbanic

Faced with ever more stealthy and insidious attacks, many organizations are pivoting away from reactive security approaches and toward more proactive strategies. One of these is threat hunting, an exercise in which security staff actively and aggressively intercept, track and eliminate malicious programs and code before they can wreak havoc on the network. While the biggest benefit is cutting off an attack before it causes widespread damage, threat hunting benefits organizations in a variety of other ways.

Reactive Cybersecurity Strategies Don’t Work

Threat hunting has come to the fore primarily because organizations realize that traditional reactive approaches to security simply aren’t working. For example, Verizon’s most recent Data Breach Investigations Report found that days, if not weeks or months, still pass on average before organizations become aware of a data breach. Even then, breaches are more likely to be discovered and reported by third parties or law enforcement than by the organization’s own internal security staff.

This rise in hacker dwell time gives attackers far greater opportunities to study and compromise a network, leading to massive breaches. In Sony’s notorious data breach, for example, the hackers reportedly had access to Sony’s network for at least a year prior to discovery.

Why Threat Hunting?

With threat hunting, security staffers seek to reduce both dwell time and potential damage by proactively searching through networks and data to uncover threats that have been overlooked by traditional rule- or signature-based security tools.

Threat hunts focus on detecting indicators of compromise (IOCs), such as telltale signs that malware is communicating outside the network, or anomalous user behaviors that are really the tracks left by an attacker pivoting from one compromised machine to another. Hunters then analyze a variety of system and security data to dig deeper and uncover the sources of these threats, often detecting new attacks and eliminating them before they can gain a foothold. Some of the biggest benefits of the strategy include better:

  • Visibility into vulnerabilities. Threat hunting provides a clearer view of an organization’s cybersecurity weaknesses and how attackers are exploiting them, enabling IT to shore up holes that had previously gone unnoticed.
  • Threat detection. Instead of waiting for an attacker to trip an automated alarm, hunt teams uncover stealthy attacks that appear innocuous to most signature-based security tools.
  • Tool optimization. New IOCs uncovered in the hunt can be fed into firewalls, IDS/IPS and anti-malware tools to improve their detection capabilities.
  • Damage control. Because threats are discovered and eliminated earlier in the kill chain, attackers have less time and fewer opportunities to compromise critical resources and siphon off data.
  • Understanding of your threat profile. Uncovering previously unknown threats helps clarify who is targeting your network and why, helping you better focus resources.
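The two hunting hypotheses named above (malware beaconing outside the network, and a user account pivoting between machines) can be checked with simple statistics over existing logs rather than signatures. The following is an added example, not SLAIT’s code or tooling; it assumes flow records of the form (timestamp, source host, destination IP) and authentication records of the form (timestamp, user, destination host), and the thresholds are assumed starting points a hunter would tune for their own environment.

```python
"""Two hunt queries over constructed log records (added example; not SLAIT's code).
Assumed record shapes: flow logs as (timestamp, src_host, dst_ip) and
auth logs as (timestamp, user, dst_host). Timestamps are seconds."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data: host ws-07 reaches one external IP every ~300 s with
# little jitter (beacon-like), while ws-03 browses irregularly; user jdoe logs on
# to five different servers within a few minutes, while asmith uses one server.
FLOWS = [(t, "ws-07", "203.0.113.9") for t in (0, 301, 599, 902, 1199, 1501)]
FLOWS += [(t, "ws-03", "198.51.100.4") for t in (10, 95, 400, 1320)]
AUTHS = [(t, "jdoe", h) for t, h in ((100, "srv-01"), (160, "srv-02"),
                                     (230, "srv-03"), (300, "srv-04"), (350, "srv-05"))]
AUTHS += [(t, "asmith", "srv-01") for t in (50, 500, 900)]


def find_beacons(flows, min_events=5, max_jitter=0.1):
    """Return (src, dst) pairs whose connection intervals are near-constant.
    Jitter is the population std dev of the gaps divided by the mean gap;
    human-driven traffic is bursty, so its jitter is far above max_jitter."""
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)
    hits = []
    for pair, times in by_pair.items():
        times.sort()
        if len(times) < min_events:          # too few samples to judge regularity
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        if pstdev(gaps) / mean(gaps) <= max_jitter:
            hits.append(pair)
    return hits


def find_lateral_movement(auths, window=600, min_hosts=4):
    """Return users that authenticated to >= min_hosts distinct hosts
    inside any sliding window of `window` seconds."""
    by_user = defaultdict(list)
    for ts, user, host in auths:
        by_user[user].append((ts, host))
    flagged = []
    for user, events in by_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            hosts = {h for ts, h in events[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                flagged.append(user)
                break
    return flagged
```

Both functions return the pairs or accounts worth a closer look, which is the hunter’s starting point for pulling the related system data; the new IOCs they confirm are what gets fed back into the firewall, IDS/IPS and anti-malware tools.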

Beyond technology, engaging in threat hunting can help security staffers’ careers. As they hunt down threats, they gain a better understanding of the business as a whole, how it works and what it values, giving them highly sought-after expertise in both business and technology.

SLAIT is well-versed in threat hunting and can help you deploy advanced cybersecurity technologies that have the intelligence, stealth and performance capabilities required to detect, prevent and remove threats. Learn more about SLAIT’s threat hunting services and solutions!