A CISO's Perspective - Threat Hunting


As cyberattacks have become more sophisticated and pervasive, it is not a matter of “if” but “when” an organization comes under such attacks. In this context, it has become essential for an organization to operate under the “assume breach” mindset and hunt for attackers lurking inside the network.

Threat hunting is an analyst-centric and proactive security exercise to find attackers that have bypassed an organization’s security controls, have penetrated the network, and would otherwise remain undetected. It is deep and focused work that forms and tests a hypothesis and depends on a wide range of tools to allow analysts to go beyond what is already known.

With threat hunting, the organization takes a step to actively hunt for signs of attackers missed by automated, preventative, and detective controls and shuts them down before they can do any harm.

Traditionally, investigations and responses were driven by alerts triggered when known malicious activity was detected. However, security analysts are entirely inundated with alerts. According to the report, 41% of organizations receive more than 10,000 alerts a day. Such a high volume of alerts creates a challenge in the investigation and response process, which has resulted in massive exposure.

While cyber threat actors are highly skilled, with a litany of tools at their disposal, the organization’s ecosystem is becoming vastly interconnected and increasingly complex to manage. Today, it is difficult for an organization to fully visualize every aspect of its network, even with the most cutting-edge technologies. As a result, a complex and porous IT stack has opened the door to many opportunities for attackers.

According to the report, organizations take about 197 days to detect a breach and 69 days to contain it. Therefore, it is high time for an organization to venture into the unknown and explore the data to look for patterns of behaviors missed by monitoring tools and thwart the attackers before they succeed.

If your organization is targeted by persistent and stealthy advanced threats, then you need to establish a threat hunting program. It gives CISOs a better understanding of their infrastructure and vulnerabilities, which can collectively be used to improve the security posture of the organization. However, for the hunting exercise to be successful, certain key elements need to be considered.

Key elements in threat hunting

Management support: As management is ultimately responsible for security and for practicing due care and due diligence, secure management buy-in.

It is essential to educate management about cyberattacks, the risk of a breach, the need for threat hunting to build a cyber-resilient infrastructure, and the support the CISO requires to establish a threat hunting culture.

Scoping and planning: For threat hunting to be successful, it needs to be carefully planned. For this, it is crucial to define objectives and scope, identify goals, and allocate time for the hunt. When the hunting exercise is complete, assess steps to create a resilient security posture and create security playbooks to address those issues if they were to occur.

Right use of skilled resources: Threat hunting is a creative process focused on matching or even outsmarting highly trained attackers. So, threat hunters need not only be smart enough to use the right tactical tools but should also possess keen senses and creativity to stand against the attackers.

Thus, uniquely skilled security analysts are at the core of the threat hunting process. They blend security, systems, networks, data analysis, and creative thinking skills to understand the tactics, techniques, and procedures (TTPs) used by cybercriminals.

Right data: Data is key to threat hunting. If you can’t clearly visualize activities on your network, then responding to them becomes impossible. So, ensure selective and adequate logging is enabled to carry out the hunt. As gathering irrelevant logs will further create a problem during the hunt, ensure that noisy and unwanted events are filtered out at the source.

Right tools: While highly skilled analysts are key to the hunting process, tools are essential for an effective and efficient hunt. So, utilize advanced and AI-powered tools such as SIEM, SOAR, UEBA, IDS/IPS, Breach and Attack Simulation (BAS), EDR, NDR, XDR, Threat Intelligence, etc., that make the hunting exercise easier and faster. These tools provide support and allow analysts to take action on any threats identified during threat hunting.

Right use of threat models: While there is no fixed set of rules in the threat hunting process, there are various models that can be used to study and classify attackers’ techniques and understand their intent. Using the right set of models will definitely ease the hunting exercise and can be used to enhance, analyze, and test the process. Some of the models that can be utilized in the process include MITRE ATT&CK, the Cyber Kill Chain, the Diamond Model, etc.

Lessons learned: Even with the best tools, it is impossible to uncover everything. At times it is less about finding a threat than about seeing whether there are any lessons to be learned and identifying areas for improvement. Threat hunting might uncover various weaknesses within an organization, such as misconfigured servers, out-of-date applications, compliance violations, etc. Analysts need to take these findings and apply appropriate countermeasures to mitigate the vulnerabilities. On top of that, these findings need to be converted into alerts and playbooks to notify administrators or automatically handle such cases when they occur in the future.
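The hunting loop described above (form a hypothesis, hunt over relevant data with the noise filtered at the source, map what is found to a threat model, and turn confirmed findings into a reusable alert) can be made concrete in code. The following is an added example, not code from the original article or its author: it tests one constructed hypothesis ("a valid account is authenticating from one workstation to unusually many hosts in a short window") over constructed logon records. The log lines, host and account names, the `svc-monitor` noise allowlist, the 10-minute window and the fan-out threshold are all assumptions made for illustration; the ATT&CK technique ids T1078 (Valid Accounts) and T1021 (Remote Services) are real.

```python
"""Hypothesis-driven hunt over constructed authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog-like key=value layout. Not real data.
SAMPLE_LOGS = """\
2024-03-01T02:00:05Z host=srv-01 event=logon user=svc-monitor src=mon-01 result=success
2024-03-01T02:00:06Z host=srv-02 event=logon user=svc-monitor src=mon-01 result=success
2024-03-01T02:00:07Z host=srv-03 event=logon user=svc-monitor src=mon-01 result=success
2024-03-01T02:00:08Z host=srv-04 event=logon user=svc-monitor src=mon-01 result=success
2024-03-01T02:11:40Z host=srv-01 event=logon user=alice src=ws-17 result=success
2024-03-01T02:12:02Z host=srv-02 event=logon user=alice src=ws-17 result=success
2024-03-01T02:12:30Z host=srv-05 event=logon user=alice src=ws-17 result=failure
2024-03-01T02:13:11Z host=srv-07 event=logon user=alice src=ws-17 result=success
2024-03-01T02:14:55Z host=srv-09 event=logon user=alice src=ws-17 result=success
2024-03-01T09:05:00Z host=srv-01 event=logon user=bob src=ws-22 result=success
2024-03-01T14:20:00Z host=srv-02 event=logon user=bob src=ws-22 result=success
"""

# "Filtered at the source": constructed monitoring accounts whose fan-out is
# expected and would otherwise swamp the hunt with irrelevant events.
KNOWN_NOISY_ACCOUNTS = {"svc-monitor"}

WINDOW = timedelta(minutes=10)   # constructed hunting window
FANOUT_THRESHOLD = 4             # distinct hosts per (user, src) inside WINDOW


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with a parsed timestamp."""
    ts, _, rest = line.partition(" ")
    rec = dict(kv.split("=", 1) for kv in rest.split())
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def load_logs(text):
    """Parse all lines and drop the known-noisy accounts before hunting."""
    records = [parse_line(line) for line in text.splitlines() if line.strip()]
    return [r for r in records if r["user"] not in KNOWN_NOISY_ACCOUNTS]


def hunt_lateral_fanout(records, window=WINDOW, threshold=FANOUT_THRESHOLD):
    """Test the hypothesis: does any (user, src) pair reach >= threshold distinct
    hosts within a sliding window? Failed logons count too, since probing hosts
    leaves failures as well as successes. Returns a list of findings."""
    by_pair = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_pair[(r["user"], r["src"])].append(r)

    findings = []
    for (user, src), events in by_pair.items():
        for i, start in enumerate(events):
            hosts = {e["host"] for e in events[i:] if e["ts"] - start["ts"] <= window}
            if len(hosts) >= threshold:
                findings.append({
                    "user": user,
                    "src": src,
                    "hosts": sorted(hosts),
                    "first_seen": start["ts"].isoformat(),
                    # Mapping to ATT&CK is the "threat model" step: valid
                    # accounts (T1078) used over remote services (T1021).
                    "attack_techniques": ["T1078", "T1021"],
                })
                break  # one finding per pair is enough for the analyst to triage
    return findings


def finding_to_alert_rule(finding, window=WINDOW, threshold=FANOUT_THRESHOLD):
    """The 'lessons learned' step: turn a confirmed hunt finding into a reusable
    alert definition. The rule format here is hypothetical, not any vendor's."""
    return {
        "name": "lateral-fanout-by-valid-account",
        "logic": f"count_distinct(host) by user,src over "
                 f"{int(window.total_seconds())}s >= {threshold}",
        "exclude_users": sorted(KNOWN_NOISY_ACCOUNTS),
        "techniques": finding["attack_techniques"],
        "severity": "high",
    }


if __name__ == "__main__":
    recs = load_logs(SAMPLE_LOGS)
    for f in hunt_lateral_fanout(recs):
        print(f)
        print(finding_to_alert_rule(f))
```

On the constructed data the monitoring account is dropped before the hunt, `bob` never exceeds the threshold, and `alice` reaching five hosts from one workstation inside ten minutes produces the single finding; the same threshold and window are then written into the alert rule so the next occurrence is caught by monitoring rather than by a hunt.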

Conclusion

Proactive threat detection can strengthen an organization’s security posture significantly. And with attackers hiding in the shadows for months, threat hunting is becoming an essential element of security.

Dick Sterk

Founder of Awesome Compliance Tech

3 years

Great read!

Assume breach is the right mindset. It increases emphasis on preparedness. Breached but not compromised!!! That is the state we should prepare for.

More articles by Andrew Smeaton