A CISO's Perspective - Threat Hunting
Andrew Smeaton
Chief Information Security Officer @ Jamf CISSP, CISA, CISM, CRISC, CCISO, CGEIT
What "protected" means is different for every business; each organization has its own set of security concerns. Also, the amount of security data available is massive, and to thoroughly understand and respond to a threat, it is essential to measure and analyze the full depth of that data effectively.
To make the situation worse, attack surfaces have increased tremendously, attacks have become very sophisticated and highly targeted, and the number of breaches has grown significantly. Traditional technologies such as firewalls, intrusion detection and prevention systems (IDS/IPS), antivirus and endpoint solutions, etc., are not able to detect and block advanced cyberattacks.
Organizations can no longer afford to be reactive when it comes to cybersecurity management. Instead of relying heavily on alert-driven incident response, they need to tackle today's threat landscape with modern solutions that apply threat visibility and intelligence and answer the who, what, when, how, and why of a threat:
- Who are the attackers interested in your assets?
- Why are they interested? Intellectual property, patent data, PII, etc.
- What is their motivation? Financial gains, reputation damage, espionage, etc.
- When can they target your organization?
- How can they target you? What TTPs may they use?
As threats will inevitably evolve, organizations should use intelligent solutions to build the proper defensive strategy to better prepare and protect against imminent cyber-attacks. With cyber threat intelligence, the organization must stay ahead of attackers and counter cyber threats in a realistic and focused manner.
Cyber threat intelligence is evidence-based knowledge about threat actors, motivations, intentions, attack vectors, and targets. It covers the latest attacks and adversaries and provides a means for CISOs to build a cyber-resilient environment.
There are two classes of threat intelligence: strategic and tactical.
- Strategic threat intelligence provides insights into cyber risks by attributing threat actors and describing their intentions, background, interests, goals, capabilities, tools, and techniques. It allows CISOs to paint an accurate picture of risk to the business for executives and board members.
- Tactical intelligence enables SOCs to respond proactively to cyber threats by removing or reducing false positives and alert fatigue. It often consists of indicators of compromise (IoCs), such as IPs, domains, URLs, hashes, etc., that help security analysts quickly and effectively analyze complex attacks.
Threat intelligence guides security analysts to detect, triage, and investigate threats. However, for the intelligence initiative to succeed, CISOs need to assess the effectiveness of a threat feed against factors such as:
- Data needs to be correct, meaning it should be validated, refined, and removed when no longer required.
- Indicators need to be received on time and from reliable sources.
- Threat feed needs to provide contextual information about threat actors, type, motivations, intentions, history, attack vectors, and targets.
- Threat intelligence indicators should be relevant to the organization and cover adversaries that target such organizations.
- Avoid deploying too many indicators of compromise as it could impact the security controls' performance and contribute to increased alert fatigue.
It has become vital for CISOs to embrace cyber threat intelligence and bake it into their processes to accelerate the response and contain the damage.
Some key benefits to using threat intelligence are as follows:
Automate Defense and Block Threats
It's not the attack but the response that matters. So, reducing the time to contain an incident is critical.
If an organization understands the capabilities of attackers, it can prepare its defenses accordingly. With cyber threat intelligence, organizations can greatly limit an attack's impact through quick and automated identification, response, and remediation of threats.
Here, cyber threat intelligence systems can leverage various advanced and AI-powered tools such as SIEM, SOAR, UEBA, Breach and Attack Simulation (BAS), etc., deployed in an organization to take prompt, proactive action to permanently block detected threats.
Attackers are persistent and will continue to attack their target until they are successful. Integrating threat intelligence ensures that they can't use the same exploit repeatedly. Applied within minutes, threat intelligence prevents minor incursions from turning into complete compromises.
Threat Hunting
Threat hunting is a proactive security exercise to find attackers who have bypassed an organization's security controls, have penetrated its networks, and would otherwise remain undetected. With threat hunting, the organization actively hunts for signs of attackers that are missed by automated, preventative, and detective controls and shuts them down before they can do any harm.
In that quest to venture into the unknown and explore the data for patterns of malicious behavior, threat intelligence plays a critical role. Threat hunting can leverage threat intelligence platforms for ingesting, enriching, and updating the confidence score on previously collected data to identify and categorize potential threats ahead of the attack.
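The feed-quality factors listed earlier (correctness, timeliness, context, relevance, and not deploying too many indicators) and the hunt loop described here (match collected data against indicators, then update each indicator's confidence) can be shown end to end in a small script. The following is an added example written for this page; it is not code from the article or from Jamf. The feed records, source reliability ratings, thresholds, sector, and proxy/DNS log lines are all constructed, and a real programme would take them from a TI platform and a SIEM.

```python
"""Indicator feed hygiene followed by a small hunt over constructed log lines."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import ipaddress
import re

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock keeps the example reproducible
MAX_AGE = timedelta(days=30)                     # timeliness: retire indicators older than this
MAX_DEPLOYED = 2                                 # cap on indicators pushed to controls (tiny, for illustration)
SOURCE_RELIABILITY = {"vendor-a": 0.9, "osint-paste": 0.4}  # constructed ratings, 0..1


@dataclass
class Indicator:
    value: str
    itype: str                                   # "ip" or "domain"
    source: str
    first_seen: datetime
    context: dict = field(default_factory=dict)  # actor, targeted sectors, TTPs ...
    confidence: float = 0.0
    hits: int = 0


# Constructed feed records, roughly as a TI platform might export them.
RAW_FEED = [
    {"value": "203.0.113.7", "type": "ip", "source": "vendor-a", "first_seen": "2024-05-25",
     "context": {"actor": "ACTOR-X", "sectors": ["software"], "ttp": "T1071"}},
    {"value": "evil.example", "type": "domain", "source": "vendor-a", "first_seen": "2024-03-01",
     "context": {"actor": "ACTOR-Y", "sectors": ["retail"]}},                                  # stale
    {"value": "not an ip", "type": "ip", "source": "osint-paste", "first_seen": "2024-05-30"},  # malformed
    {"value": "203.0.113.7", "type": "ip", "source": "osint-paste", "first_seen": "2024-05-29"},  # duplicate
    {"value": "c2.example", "type": "domain", "source": "osint-paste", "first_seen": "2024-05-28",
     "context": {"sectors": ["software"]}},
    {"value": "198.51.100.9", "type": "ip", "source": "osint-paste", "first_seen": "2024-05-31"},  # no context
]
_DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


def is_well_formed(value, itype):
    """Correctness: reject indicators that cannot be what they claim to be."""
    if itype == "ip":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if itype == "domain":
        return bool(_DOMAIN_RE.match(value.lower()))
    return False


def score(ind, org_sector):
    """Confidence: source reliability, boosted by context and relevance, decayed by age."""
    s = SOURCE_RELIABILITY.get(ind.source, 0.2)
    if ind.context.get("actor"):
        s += 0.1                                    # attributed to a named actor
    if org_sector in ind.context.get("sectors", []):
        s += 0.2                                    # relevant to organizations like ours
    age_days = (NOW - ind.first_seen).days
    s *= max(0.0, 1 - age_days / MAX_AGE.days)     # linear decay to zero at MAX_AGE
    return round(min(s, 1.0), 2)


def curate_feed(raw, org_sector="software"):
    """Validate, age out, score, deduplicate and cap; returns the indicators worth deploying."""
    kept = {}
    for rec in raw:
        if not is_well_formed(rec["value"], rec["type"]):
            continue
        first_seen = datetime.strptime(rec["first_seen"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        if NOW - first_seen > MAX_AGE:
            continue
        ind = Indicator(rec["value"], rec["type"], rec["source"], first_seen, rec.get("context", {}))
        ind.confidence = score(ind, org_sector)
        key = (ind.itype, ind.value.lower())
        if key not in kept or ind.confidence > kept[key].confidence:
            kept[key] = ind                         # on duplicates keep the better-sourced record
    ranked = sorted(kept.values(), key=lambda i: i.confidence, reverse=True)
    return ranked[:MAX_DEPLOYED]


# Constructed proxy and DNS log lines for the hunt.
SAMPLE_LOGS = [
    "2024-06-01T10:00:01Z proxy src=10.0.0.5 dst=203.0.113.7 host=update.example status=200",
    "2024-06-01T10:00:05Z dns client=10.0.0.9 query=c2.example rcode=NOERROR",
    "2024-06-01T10:00:09Z proxy src=10.0.0.5 dst=198.51.100.9 host=cdn.example status=200",
    "2024-06-01T10:00:12Z dns client=10.0.0.5 query=c2.example rcode=NOERROR",
]
_OBSERVABLE_RE = re.compile(r"(?:dst|query|host)=(\S+)")
_ORIGIN_RE = re.compile(r"(?:src|client)=(\S+)")


def hunt(log_lines, indicators):
    """Match observables in each line against deployed indicators.

    Returns {indicator value: [internal hosts that touched it]} and raises the confidence
    of every indicator that actually hit, so the feed learns from the hunt.
    """
    by_value = {i.value.lower(): i for i in indicators}
    hits = {}
    for line in log_lines:
        origin = _ORIGIN_RE.search(line)
        for observable in _OBSERVABLE_RE.findall(line):
            ind = by_value.get(observable.lower())
            if ind is None:
                continue
            ind.hits += 1
            ind.confidence = round(min(1.0, ind.confidence + 0.05), 2)
            hits.setdefault(ind.value, []).append(origin.group(1) if origin else "?")
    return hits


if __name__ == "__main__":
    deployed = curate_feed(RAW_FEED)
    for i in deployed:
        print(f"deploy {i.itype} {i.value} confidence={i.confidence} source={i.source}")
    for value, hosts in hunt(SAMPLE_LOGS, deployed).items():
        print(f"hit {value} from {hosts}")
```

Running it, the stale domain and the malformed record are dropped, the duplicate IP keeps its better-sourced copy, and the cap leaves out the context-free indicator, so only two indicators reach the controls; the hunt then finds two internal hosts resolving the constructed C2 domain and nudges that indicator's confidence up. The weights and the linear age decay are deliberately simple; the point is that every factor the article lists ends up as an explicit, reviewable rule rather than an analyst's gut feeling.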
Vulnerability Management
Vulnerability management is the process of finding and fixing security vulnerabilities, countering new security threats, and making the environment less susceptible to attack. Conventionally it prioritizes vulnerabilities by severity score alone, which is much less than the mitigation process requires.
Threat intelligence identifies the vulnerabilities that pose an actual risk to an organization, so using it can improve the accuracy and speed of remediation by combining scan results with contextual data about the TTPs of threat actors.
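To make the difference between severity-only and context-aware prioritization concrete, here is an added example written for this page; it is not the article's or Jamf's code. The CVE identifiers (CVE-0000-xxxx), asset names, actor names, threat context, multipliers, and the remediation SLA policy are all constructed placeholders; in practice the context would come from the threat intelligence platform and the findings from the scanner.

```python
"""Risk-based vulnerability prioritization: scanner severity combined with threat context."""
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str
    asset: str
    cvss: float            # base severity reported by the scanner
    internet_facing: bool  # exposure, from the asset inventory


# Constructed TI context per CVE: observed exploitation and which actors use it.
THREAT_CONTEXT = {
    "CVE-0000-1111": {"exploited_in_wild": True, "actors": ["ACTOR-X"], "ttps": ["T1190"]},
    "CVE-0000-2222": {"exploited_in_wild": False, "actors": [], "ttps": []},
    "CVE-0000-3333": {"exploited_in_wild": True, "actors": ["ACTOR-Z"], "ttps": ["T1068"]},
}
# Actors that strategic intelligence says target our sector (constructed).
RELEVANT_ACTORS = {"ACTOR-X"}

# Constructed scan results.
SCAN_RESULTS = [
    Finding("CVE-0000-1111", "web-01", 7.5, True),
    Finding("CVE-0000-2222", "db-01", 9.8, False),    # highest CVSS, but no known exploitation
    Finding("CVE-0000-3333", "build-01", 7.8, False),
]


def risk_score(finding, context=THREAT_CONTEXT, relevant_actors=RELEVANT_ACTORS):
    """CVSS is the baseline; each piece of threat context multiplies it and is recorded as a reason."""
    ctx = context.get(finding.cve, {})
    score, reasons = finding.cvss, []
    if ctx.get("exploited_in_wild"):
        score *= 1.5
        reasons.append("exploitation observed in the wild")
    used_by = set(ctx.get("actors", [])) & relevant_actors
    if used_by:
        score *= 1.5
        reasons.append("used by actor targeting our sector: " + ", ".join(sorted(used_by)))
    if finding.internet_facing:
        score *= 1.25
        reasons.append("asset is internet facing")
    return round(score, 1), reasons


def remediation_window_days(score):
    """Constructed SLA policy: the higher the contextual risk, the shorter the window."""
    if score >= 15:
        return 7
    if score >= 10:
        return 30
    return 90


def prioritize(findings, context=THREAT_CONTEXT, relevant_actors=RELEVANT_ACTORS):
    """Return findings ordered by contextual risk, highest first, with the reasons attached."""
    ranked = []
    for f in findings:
        score, reasons = risk_score(f, context, relevant_actors)
        ranked.append({"cve": f.cve, "asset": f.asset, "cvss": f.cvss, "risk": score,
                       "due_in_days": remediation_window_days(score), "reasons": reasons})
    return sorted(ranked, key=lambda r: r["risk"], reverse=True)


if __name__ == "__main__":
    for row in prioritize(SCAN_RESULTS):
        print(f"{row['cve']} on {row['asset']}: cvss={row['cvss']} risk={row['risk']} "
              f"due in {row['due_in_days']}d; " + "; ".join(row["reasons"]))
```

With severity alone, the 9.8 database finding would be patched first. With the threat context applied, the internet-facing 7.5 that a relevant actor is actively exploiting moves to the top with a seven-day window, and the unexploited critical drops to the routine cycle. The `reasons` list is what makes the output actionable for engineers: every re-ranking is explained by a specific piece of intelligence they can verify.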
Analyze Risk and Guide Business Decisions
Management is ultimately responsible for practicing due care and due diligence; however, CISOs are the ones responsible for educating management about the ever-evolving threats, cyberattacks, risk of a breach, and the support required from management to build cyber-resilient infrastructure.
To do so effectively, CISOs must be able to visualize a real-time picture of the latest threats, trends, and events. And with so many security tools influencing the highly interconnected business ecosystem, it can be overwhelming for CISOs to focus on critical areas and make security decisions.
Here, threat intelligence provides great support: it can help map the threat landscape, calculate and prioritize risk, and give security analysts the insights to make better decisions.
With threat intelligence, CISOs can analyze the vast amount of contextual information about new and emerging threat actors and the assets and organizations they target. This helps CISOs map the threat landscape and cyberattack trends, make risk-based decisions, apprise the board and senior management of the security situation, and justify investments in defensive measures.
Counter Intelligence
Sometimes human intelligence can't be beaten: understanding your adversary, just having that counter-intel. 'Old school' counter-intelligence can be used to mitigate the threat of an insider or a bad actor who is willing to harm your business.
Nice - threat intelligence in most enterprises is not an academic exercise. Our analysts' output needs to be relevant to stakeholders and actionable to engineers - not just interesting (or honestly - just alarming). If it doesn't focus and improve an organization's security posture - it can be noise.
BforeAI PreCrime predictive technology augments cybersecurity to defend networks and brands - Predictive Attack Intelligence and Preemptive AntiFraud and Digital Risk Protection Services
3 years ago: Excellent write-up, but CTI is also quite resource intensive, and to have a good balance of pragmatic and actionable intelligence is key. But the critical value is indeed: "As threats will inevitably evolve, organizations should use intelligent solutions to build the proper defensive strategy to better prepare and protect against imminent cyber-attacks." Working on pushing the envelope to provide always earlier response with #predictive CTI.
Great perspective and 100% accurate.
Leading a fantastic security consulting team,
3 years ago: Love the reference to CI at the end. I'd be interested to discuss what Counter Intelligence sources you would recommend or reference!