BreachExchange mailing list archives

Stop waiting and start hunting


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 19 Feb 2016 14:37:11 -0700

http://www.scmagazineuk.com/stop-waiting-and-start-hunting/article/471948/

As the old adage goes, “You have to think like a criminal to catch one.”

While cyber-security attacks are devastating enough on their own, what's
more worrying is that over two-thirds of businesses are notified of these
attacks by a third party rather than discovering them themselves.

Prevention is not enough

Relying on prevention is not a sound strategy for IT security in the 21st
century. What if there was someone working inside the organisation that
thought like a criminal but was actually fighting for the good guys? They
could not only prevent the damage from an attack but could greatly improve
detection and response times. This person is what is known to some
organisations in the IT security industry as a “threat hunter”.

What is a threat hunter?

The primary role of a threat hunter consists of looking for indicators of
compromise or the evidence of a breach. A threat hunter does this by
operating under the “attacker mentality” to find out what they would see or
what trails they would follow. In other words, it's all about businesses
staying one step ahead of the game to protect themselves from the all too
familiar and devastating consequences of a security breach.

There are many different ways threat hunters are being described in the
industry. A threat hunter sits within an active defence framework; however,
many organisations don't approach the role from a framework perspective.
Threat hunting requires an organisation to allocate dedicated resources
towards this particular part of active defence.

Chances are if you work in IT security, you've probably heard the term
before. With the potential of threat hunting to snare a cyber-attacker,
why isn't it something that's more widespread in the mainstream media? And
why has the need for threat hunters arisen, and why is it growing?

Many security teams operate under the assumed breach mentality and attempt
to balance prevention and detection strategies. Businesses are beginning to
prioritise cyber-security after so many high profile attacks. A security
confidence survey by SolarWinds found that 84 percent of respondents
reported their organisations have experienced a significant attack, with 35
percent reporting that it took at least one month to discover the attack.
This further highlights the need for businesses to have the right security
practices in place. One part of a well-rounded security programme is to
implement a threat hunting capability.

What it takes

Organisations that employ threat hunters on their IT security teams are
looking for people with a breadth of experience. In security, the more a
person knows about the network, the applications and the servers, the
better. Often there are multiple components involved in an attack, and they
are not restricted to the network. So, for example, if a person has good
network knowledge but doesn't understand the applications, it could be
difficult for them to identify that an attack has occurred or is under way.

Benefits of threat hunters

The primary benefit of a threat hunter is pretty easy to see: if an
organisation can identify attacks while they are underway, they can prevent
any real damage from occurring and prevent future attacks. Some of the most
common gaps in a company's infrastructure that can cause the most damage
are:

·       Lack of good segmentation in the network
·       Overly permissive access permissions from trusted machines or accounts
·       The use of insecure protocols
·       Lack of monitoring to provide automated detection and visibility

Generally speaking, the goal of the threat hunter is to quickly find
evidence of attacks to prevent damage to an organisation. So while an
attacker may have already breached the defences (passed the preventative
measures), they may not have actually stolen data, taken down systems, or
otherwise impacted the business. Once the threat hunter detects an attack,
they can help to mitigate the damage, and the organisation can use their
findings to improve its preventative defences.

While a penetration tester looks for weaknesses in a company's systems, a
threat hunter looks for evidence of someone actively attacking those
systems. Both are equally important but serve very distinct purposes. Most
organisations will more than likely have regular penetration tests
scheduled before they add a full-time threat hunter to their team, but just
because a penetration tester discovers a hole in the defences doesn't mean
anyone else has found it. A threat hunter can help answer that question, and
is more focused on what attacks have actually happened versus what could
happen. Having one dedicated individual focus on finding signs of compromise,
so that IT security can be more effective at discovering an attack or breach
before serious damage is done, can be vital.

Challenges of threat hunters

With the benefits of threat hunters there are also some challenges. One of
the main challenges is hiring. Simply put, you need someone who has a vast
skillset and who is a self-starter. Furthermore, employing a threat hunter
isn't a realistic option for small or medium-sized businesses; they just
don't have the resources to devote one person to the role as other basic IT
functions would suffer. However, larger organisations may find it valuable
to have a threat hunter as part of their team.

Ultimately, it's down to businesses to see threat hunting as a valuable
skillset to have – because without it, attackers can move around your
infrastructure and nobody will know until it's too late. And we all know
how that story can end.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 