Stop waiting and start hunting

Mav Turner explains why threat hunting is a growing focus for IT security strategies.

Mav Turner, SolarWinds
Mav Turner, SolarWinds

As the old adage goes, “You have to think like a criminal to catch one.”

While cyber-security attacks are devastating enough on their own, what's more worrying is that over two-thirds of businesses are notified of these attacks by a third party as opposed to discovering it themselves.

Prevention is not enough

Relying on prevention is not a sound strategy for IT security in the 21st century. What if there was someone working inside the organisation that thought like a criminal but was actually fighting for the good guys? They could not only prevent the damage from an attack but could greatly improve detection and response times. This person is what is known to some organisations in the IT security industry as a “threat hunter”.

What is a threat hunter?

The primary role of a threat hunter consists of looking for indicators of compromise or the evidence of a breach. A threat hunter does this by operating under the “attacker mentality” to find out what they would see or what trails they would follow. In other words, it's all about businesses staying one step ahead of the game to protect themselves from the all too familiar and devastating consequences of a security breach.

There are many different ways threat hunters are being described in the industry. A threat hunter sits within an active defence framework, however many organisations don't approach their role from a framework perspective. Threat hunting requires an organisation to allocate dedicated resources towards this particular part of active defence.

Chances are if you work in IT security, you've probably heard the term before.  With the potential of threat hunting to snare a cyber-attacker, why isn't it something that's more widespread in the mainstream media? And, why has the need for threat hunters arisen, and why is it growing?

Many security teams operate under the assumed breach mentality and attempt to balance prevention and detection strategies. Businesses are beginning to prioritise cyber-security after so many high profile attacks. A security confidence survey by SolarWinds found that 84 percent of respondents reported their organisations have experienced a significant attack, with 35 percent reporting that it took at least one month to discover the attack. This further highlights the need for businesses to have the right security practices in place. One part of a well-rounded security programme is to implement a threat hunting capability.

What it takes

Organisations, who are employing threat hunters to join their IT security teams, are looking for people who have a breadth of experiences. With security, the more a person knows about the network, and applications and servers, the better. Often there are multiple components involved in an attack and they're not just restricted to the network. So, for example, if a person has good network knowledge but doesn't understand the applications then it could be difficult for them to identify that an attack has occurred or is under way.

Benefits of threat hunters

The primary benefit of a threat hunter is pretty easy to see: if an organisation can identify attacks while they are underway, they can prevent any real damage from occurring and prevent future attacks. Some of the most common gaps in a company's infrastructure that can cause the most damage are:

  • ·       Lack of good segmentation in the network
  • ·       Overly permissive access permissions from trusted machines or accounts
  • ·       The use of insecure protocols
  • ·       Lack of monitoring to provide automated detection and visibility

Generally speaking, the goal of the threat hunter is to quickly find evidence of attacks to prevent damage to an organisation. So while an attacker may have already breached the defences (passed the preventative measures), they may not have actually stolen data, taken down systems, or otherwise impacted the business. After they detect an attack, they can help to mitigate the damage and the organisation can leverage their findings to improve its preventative defences.

While a penetration tester looks for weaknesses in a company's systems, a threat hunter looks for evidence of someone actively attacking those systems. Both are equally important but serve very distinct purposes. Most organisations will more than likely have regular penetration tests scheduled before they add a full-time threat hunter to their team, but just because a penetration tester discovers a hole in the defences, doesn't mean anyone else has. A threat hunter can help answer that question, and is more focused on what attacks have actually happened versus what could happen. Allowing one dedicated individual to focus and pick up vulnerabilities so IT security can be more effective at discovering an attack or breach before they happen can be vital.

Challenges of threat hunters

With the benefits of threat hunters there are also some challenges. One of the main challenges is hiring. Simply put, you need someone who has a vast skillset and who is a self-starter. Furthermore, employing a threat hunter isn't a realistic option for small or medium-sized businesses; they just don't have the resources to devote one person to the role as other basic IT functions would suffer. However, larger organisations may find it valuable to have a threat hunter as part of their team.

Ultimately, it's down to businesses to see threat hunting as a valuable skillset to have – because without it, attackers can move around your infrastructure and nobody will know until it's too late. And we all know how that story can end.

Contributed by Mav Turner, SolarWinds