Threat hunting: Shift from reactive to proactive cyber security

Forward-thinking firms are not only defending themselves against known threats, but are also seeking out the unknown dangers.
By Armand Kruger, Head of cyber security at NEC XON.
Johannesburg, 24 Nov 2022

Are South African enterprises looking at information security in the right way? Recent data breaches and ransomware attacks at organisations such as Portnet, the South African National Space Agency, the Department of Justice and TransUnion would suggest that many of us are not.

But this isn’t a failure of technology: it’s about the reactive approach many companies take to cyber security.

Cyber security at most businesses is still largely shaped by vendor education about the newest tools, best practices and threats on their radar. It sounds good in theory. They’re the experts, eyeballs deep in the latest dangers and technologies 24 hours a day. How could you really go wrong by deploying, maintaining and managing the best tech they offer and following the practices they recommend?

But the snag is that vendors, too, are responding to new threat vectors as they emerge. As they become aware of a new piece of malware or a critical software vulnerability, they’ll come up with a solution. But the criminals are happy because they know there is a window between the vendor creating a solution for a zero-day threat or vulnerability and your business deploying it.

In the best-case scenario, cyber criminals might have days or weeks to play with. In the real world, of course, admins can easily drop the ball on keeping your systems up to speed with the latest patches and downloads, as well as on constantly updating policies to cater for new threats. Even in a well-run business, human negligence or error can open the doors to malware or hackers.

Traditional endpoint and network defences will keep most attacks at bay. Yet in this age of heavy dependence on IT and data, and of stringent regulation with severe consequences for breaches, they’re not enough.

Forward-thinking companies are not just defending themselves against known threats; they are seeking out the unknown dangers, too.

It’s called cyber threat hunting. This discipline is becoming essential because the cyber threat landscape has become so much more complex in a world of hybrid work and hybrid clouds. Hunting for security threats involves sniffing out traces of past and present attackers in the company’s network and applications.

Cyber threat hunting is about detecting and neutralising attacks that manage to slip past the rules and algorithms of automated defences. Tools like security information and event management (SIEM) and endpoint detection and response (EDR) are good at stopping known threats in their tracks. Threat hunting identifies advanced threats that are new or previously unknown.

It relies heavily on the skill and knowledge of human threat hunters, who have deep expertise and experience in finding, logging and counteracting threats before they can cause serious damage. These professionals will know how to identify patterns of suspicious activity that may indicate the presence of hidden malware, vulnerabilities or attacks that SIEM and EDR missed.

By offering visibility of the attack surface, threat hunting enables businesses to anticipate threats before they arise. In this systematic approach, the threat hunting team will look for digital signals that indicate possible adversarial behaviour on the network and track it back to the point of origin. They will be able to identify the problem, whether it’s misconfiguration or an unpatched system.
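The two steps described above, looking for a behavioural signal that signature-based rules miss and tracing it back to its point of origin, as an added example in Python (not the author's or NEC XON's code) over constructed connection and process-creation logs; the host names, process names, addresses and the beaconing threshold are all hypothetical:

```python
# Added example (not the article's code): a hypothesis-driven hunt over constructed
# logs. Hypothesis: a host beacons to a command-and-control server at a near-constant
# interval that matches no signature. Score each (host, dst) pair on the regularity
# of its connection timing, then pivot to the process log to find the origin.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample logs: hypothetical hosts, RFC 5737 documentation addresses.
# CONN_LOG rows: (time_seconds, src_host, dst_ip, process_id)
CONN_LOG = [
    (0, "ws-17", "203.0.113.5", 4412), (61, "ws-17", "203.0.113.5", 4412),
    (119, "ws-17", "203.0.113.5", 4412), (181, "ws-17", "203.0.113.5", 4412),
    (240, "ws-17", "203.0.113.5", 4412), (299, "ws-17", "203.0.113.5", 4412),
    (0, "ws-02", "198.51.100.20", 3001), (7, "ws-02", "198.51.100.20", 3001),
    (90, "ws-02", "198.51.100.20", 3001), (95, "ws-02", "198.51.100.20", 3001),
    (400, "ws-02", "198.51.100.20", 3001), (402, "ws-02", "198.51.100.20", 3001),
    (30, "ws-17", "198.51.100.9", 2210), (500, "ws-17", "198.51.100.9", 2210),
]
# PROC_LOG rows: (host, process_id, image_name, parent_image_name)
PROC_LOG = [
    ("ws-17", 4412, "updater.exe", "winword.exe"),
    ("ws-17", 2210, "outlook.exe", "explorer.exe"),
    ("ws-02", 3001, "chrome.exe", "explorer.exe"),
]

def hunt_beacons(conn_log, min_events=5, max_cv=0.1):
    """Return (host, dst, mean_gap, cv) for pairs whose gaps vary by at most max_cv."""
    by_pair = defaultdict(list)
    for t, host, dst, _pid in conn_log:
        by_pair[(host, dst)].append(t)
    hits = []
    for (host, dst), times in by_pair.items():
        if len(times) < min_events:  # too few events to judge regularity
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0  # coefficient of variation
        if cv <= max_cv:
            hits.append((host, dst, round(avg), round(cv, 3)))
    return hits

def trace_origin(hits, conn_log, proc_log):
    """Pivot each hit to the process (and its parent) that opened the connections."""
    procs = {(h, pid): (name, parent) for h, pid, name, parent in proc_log}
    origins = []
    for host, dst, _avg, _cv in hits:
        pids = sorted({pid for _t, h, d, pid in conn_log if (h, d) == (host, dst)})
        for pid in pids:
            name, parent = procs.get((host, pid), ("unknown", "unknown"))
            origins.append((host, dst, pid, name, parent))
    return origins
```

A word processor spawning an "updater" that phones out every minute is the kind of pattern a hunter follows up; the irregular browsing host and the two-event pair are left alone by the default thresholds.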

Threat hunters also look outside the company’s network to understand emerging threats. For instance, they will analyse which cyber crime syndicates are targeting the company’s industry or country, as well as the techniques they may apply. These steps not only offer immediate action points, but also inform long-term budgeting and planning.

Threat hunting doesn’t replace traditional cyber security processes like incident response, but augments them. Nor should it be confused with penetration testing; there’s more to it than that.

Penetration testing helps identify potential weaknesses, but it doesn’t offer a systemised approach to shifting towards a more proactive security culture and posture.

Many of South Africa’s top JSE-listed companies have already made substantial investments in cyber threat hunting. But given its reliance on scarce, expensive talent and the budgetary pressures that companies face, others are not treating it as a priority.

It’s a difficult nettle to grasp, especially for small to mid-sized businesses that don’t have a large IT and information security team.

A threat hunter offers a unique and rare blend of systems, security, data analysis and creative thinking skills. Building up this sort of talent isn’t a trivial undertaking.

There’s a shortage of these skills even in the systems integrator and service provider communities. As such, many businesses with smaller infosec and IT teams will need to look outside for access to these capabilities.

Whereas many internal teams are focused on operations, that is, day-to-day security management and firefighting, external resources can help with threat hunting. Threat hunters can complement operational systems and processes by using the data they generate. These signals help form a picture of the attack surface and actionable ways to strengthen security.

The most secure companies of the future will be those that understand the difference between passive cyber security administration and active cyber threat anticipation.

Investing in threat hunting can deliver a worthwhile return on investment by helping to significantly improve detection rates and shorten the time to detect, investigate and remediate threats.