With the volume and complexity of cyber-threats rising all the time, it has never been more important to have robust threat protection in place. Any cyber-security team worth its salt today should be proactively hunting for cyber-threats on a regular basis. Why? Because today's cyber-attacks are sophisticated, targeted and difficult to detect. Verizon's latest Data Breach Investigations Report shows that companies went an average of 200 days between the time they were breached and the day they discovered they had been. Proactively hunting for threats can drastically reduce this ‘detection deficit’ and significantly limit the amount of damage done in the time before discovery.
Building an effective threat hunting programme takes time and effort. That said, there are a number of best practices that can enable security teams of all sizes and budgets to begin putting an effective programme in place:
Build an incident response plan
In many ways, a well-defined, formal incident response plan is really a prerequisite to threat hunting. Whether the organisation has a formal programme or some simple incident response procedures, it is imperative to have a prescriptive method of responding to events and alerts in a controlled manner. At the very least, this will help everyone avoid panic mode.
Use threat intelligence to your advantage…
No matter the size of your organisation or number of endpoints you're protecting, it's critical to leverage threat intelligence to assist in providing context to alerts and deploying indicators to security devices for preventing successful cyber-intrusions.
Depending on the resources and budget an organisation has available, it is relatively easy to stand up, for free, a threat intelligence database that can house Indicators of Compromise (IOCs), TTPs and your own malware samples. You can also use a tool called CIF (Collective Intelligence Framework) that automates the process of pulling in threat feed data; it comes with a number of sources installed out of the box. Over time you will discover that some of the best threat intel is actually derived internally, from your own incidents.
…but know and respect its limitations
Successful cyber-threat hunters must appreciate both the value and the limitations of threat intelligence. Most organisations tend to have their own misconceptions or internal biases. Understanding these up front will help your security team avoid the pitfalls of wasted time and resources spent chasing down alerts or false positives that really don't matter.
It's important not to inundate yourself with too many threat intelligence feeds, otherwise the volume of data can become overwhelming, making it difficult to know where to start looking.
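The two points above, an IOC store fed by several sources and the need to keep feed volume manageable, are illustrated by this added example (written for this page, not code from the article or from CIF). It merges indicators from constructed sample feeds, collapses duplicate and defanged entries, records which sources reported each indicator, and ranks internally derived intel highest; the source names and weights are assumptions.

```python
"""Consolidate IOCs from several feeds into one deduplicated, prioritised list.

Added example, not from the article or from CIF. The feed entries below are
constructed for illustration and are not real indicators.
"""
from collections import defaultdict

# Source names and weights are assumptions: the article notes that the best
# intel is often derived internally, so internal incident data scores highest.
SOURCE_WEIGHT = {"internal-incident": 3, "vendor-feed": 2, "osint-feed": 1}

# Constructed sample feeds as (source, indicator_type, value). Duplicates and
# defanged values are deliberate: that is what multi-feed data looks like.
FEEDS = [
    ("osint-feed", "domain", "Bad-Example[.]test"),
    ("vendor-feed", "domain", "bad-example.test"),
    ("osint-feed", "ipv4", "203.0.113.10"),
    ("internal-incident", "ipv4", "203[.]0[.]113[.]10"),
    ("internal-incident", "sha256", "A" * 64),
    ("osint-feed", "domain", "unrelated-example.test"),
]

def normalise(ioc_type, value):
    """Refang and canonicalise an indicator so duplicates collapse."""
    value = value.strip().replace("[.]", ".")
    if ioc_type in ("domain", "sha256"):
        value = value.lower()
    return value

def consolidate(feeds, weights):
    """Merge feeds into {(type, value): {"sources": set, "score": int}}."""
    merged = defaultdict(lambda: {"sources": set(), "score": 0})
    for source, ioc_type, raw in feeds:
        entry = merged[(ioc_type, normalise(ioc_type, raw))]
        if source not in entry["sources"]:  # count each source once per IOC
            entry["sources"].add(source)
            entry["score"] += weights.get(source, 1)
    return dict(merged)

def prioritised(feeds=FEEDS, weights=SOURCE_WEIGHT):
    """Return (type, value, score, sources) rows, highest score first."""
    merged = consolidate(feeds, weights)
    rows = [(t, v, e["score"], sorted(e["sources"])) for (t, v), e in merged.items()]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))

if __name__ == "__main__":
    for ioc_type, value, score, sources in prioritised():
        print(f"{score:>2}  {ioc_type:<7} {value:<28} {','.join(sources)}")
```

Six raw feed entries collapse to four indicators, with the one seen in an internal incident ranked first; the same approach scales to feeds pulled in by CIF once the sources are mapped to weights.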
To know your adversaries, first know yourself (and your partners)
Never underestimate the importance of contextual knowledge. A detailed understanding of your own network security and that of third parties or partners will enable you to anticipate where attacks are most likely to come from. Pay particular attention to third parties whose security measures may not be as robust as your own. If compromised, they could provide a lateral path for attackers into your own system.
If budgets are tight, take advantage of free tools…
For organisations on a budget, there are a multitude of great open source tools available for log capture and analysis, host and memory forensics, reverse engineering malware and so on. For example, a cost-effective SIEM alternative is to set up an ELK Stack – Elasticsearch, Logstash and Kibana – all wrapped into one.
…but continuously build your business case for additional funding
If your team doesn't have adequate funding, make sure you are constantly leveraging each and every threat incident as an opportunity to build your business case. Go to management and say: “The breach or incident that just occurred was a result of lacking a more robust security programme with layered controls. In order to be more effective at detecting and preventing future attacks, we need A, B, and C”. In the face of tangible evidence, you'll likely see a swift change in attitude.
Remember that most attackers are creatures of habit
Maintaining profiles on known attackers and their preferred methods can help security teams to pre-empt future attacks and identify who was behind a successful intrusion. Many criminal groups leverage the same tactics every time, so prior knowledge of these tactics can be a powerful tool and act as an early warning system.
Threat hunting should be viewed as a commitment to take a more proactive approach to identifying cyber-threats to the organisation, and to act on those threats sooner, rather than simply waiting for an alert to go off. Proactively hunting cyber-threats is a great way to boost security efforts and help head off attacks before they occur. It also significantly cuts the detection deficit between an attack occurring and it being discovered.
Contributed by Tim Bandos, director of cyber-security, Digital Guardian