Becoming the Hunter
Whilst a lot of security investment is often focused on Prevention, how do we take the fight to our opponent, the attacker? Short of Hacking Back, we can do a lot of proactive things that make a big impact on security.
In this article I will touch on some of the activities you can take to be prepared and proactive. These include:
Customisation and contextualisation of security - threat mapping
Active threat hunting
Let's expand on one of the items above, threat hunting.
What is threat hunting?
Threat Hunting is a form of active defence that seeks to minimise the amount of time that an attacker can spend in your environment before being found. In contrast to traditional preventative controls such as firewalls and antivirus products, Threat Hunting is the process of actively searching for and detecting threats which currently exist within the network and may be actively evading existing security capabilities and solutions.
Who can / should hunt?
Anyone can hunt. Whether hunting submarines, wild animals or truffles, success is usually based on a number of considerations:
Knowing the terrain (i.e. the business and technology environment)
Knowing what to do when you find your adversary (e.g. security incident response & digital forensics)
Understanding when the process is complete and environment is rendered safe once again (who can declare network, data or system integrity)
The question of whether you Should hunt will usually come down to availability of appropriately skilled resources.
What threats should be hunted?
In order to understand what threats should be hunted, the threat hunters must understand credible threats and threat actors, critical business objectives and assets and the existing security and other controls in place.
Even if the organisation is not an obvious target, it may be a critical part of a supply chain for others. So in considering threats TO the organisation, consideration should also be given to threats FROM the organisation.
It should be noted that threats can, and do evolve. One basic malware infection can become a network compromise, a ransom attack and ultimately a data breach.
As compromises often remain undetected for many months, consideration should also be given to the frequency of hunting activities.
How does threat hunting work?
One of my past articles outlines some of the processes involved. A high level overview of the process is below.
Do I need a dedicated threat hunting capability?
The question as to whether a dedicated threat hunting capability should be in place usually comes down to capability, capacity and cost.
Maintaining the skills and tools to perform threat hunting effectively without impacting security operations typically requires a very large security team. With overwhelmingly strong industry competition, attracting and retaining security talent has become increasingly challenging.
Having a wide variety of options to choose from, security practitioners are being constantly tempted to take on more lucrative and sexier roles.
This represents both a risk and an opportunity. For organisations with mature security capability, backfill and training of less experienced talent, and up-skilling internal key resources can provide a more interesting and dynamic role for the experienced security expert.
This does however come at a cost and many organisations still either:
do not understand (or see the immediate value) in threat hunting
do not understand (or cannot adequately quantify) the risks that threat hunting helps to mitigate
have other, more immediate operational security imperatives and are still operating in a reactive mode
leverage external services to obtain threat hunting on a periodic basis
If you would like to discuss how we can assist you to hunt threats within your environment get in touch.
Author: Clinton Smith