Go hunting to mitigate damage by taking action sooner
'Threat hunting' is not without its challenges, says Andrew Lam, senior security consultant at SecureData.
'Threat hunting' is where security is on the offence instead of the defence. Instead of waiting for an attack to trigger an alarm, threat hunting takes a holistic approach, proactively monitoring for and identifying anomalous or potentially malicious activity so the security team can take action sooner and mitigate, if not avoid, the damage.
Lam will present at ITWeb Security Summit 2019, to be held from 27 to 31 May, at the Sandton Convention Centre.
"Intelligence which has been seemingly assessed and curated from commercial threat feeds yields very few hits to start a point of search, because simple indicators such as known bad IP addresses or domains show very low percentage hit rates (about 2%) and these indicators are only relevant for a matter of days," says Lam.
Without continuous or automated searching, the likelihood of finding true threat indicators remains relatively low, and this requires investment in time and resources.
However, Lam believes it can be justified by looking at the gaps in existing security systems, such as measuring the time between a known vulnerability being exploited in the wild and actual patching.
He says it is not always possible to remediate threats using internal processes or findings from penetration tests, so understanding these threats, and searching for indicators of them, will provide a degree of awareness and protection.
Moreover, he says the outcomes of threat hunting go beyond simply finding hackers on the network. "You may discover processes, configurations or vulnerabilities which can be acted upon to improve security."
Known attack vectors
Lam says frameworks such as MITRE ATT&CK, a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations, are formalising the process of threat hunting with explicit definitions of known attack vectors and clarity on where to search for threats.
"This information provides clear tools, techniques and procedures utilised by adversaries as well as linking them to known threat groups."
In addition, he says intelligence-sharing between peers is becoming common practice in companies in the same sector, which enables focused and targeted hunts. Standardised formats for transferring intelligence with greater resolution and controls are also improving, with the STIX and TAXII standards developed in an effort to improve prevention and mitigation of cyber attacks. These standards are being implemented by a wide range of security information and event management (SIEM) and intelligence-sharing platforms.
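As an added illustration (not from the article or from Lam's talk), the Python example below hunts through constructed log events with constructed STIX 2.1-style indicators and honours each indicator's validity window, since simple IP and domain indicators stay relevant for only days. The event field names, indicator ids and all values are assumptions; only single-equality `ipv4-addr` and `domain-name` patterns and whole-second UTC timestamps are handled.

```python
import re
from datetime import datetime, timezone

PATTERN = re.compile(r"^\[(ipv4-addr|domain-name):value\s*=\s*'([^']+)'\]$")

def ts(text):
    """Parse a whole-second UTC timestamp such as 2019-05-01T00:00:00Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def compile_indicator(ind):
    """Return (id, kind, value, valid_from, valid_until), or None if unsupported."""
    m = PATTERN.match(ind.get("pattern", ""))
    if ind.get("type") != "indicator" or not m:
        return None
    until = ts(ind["valid_until"]) if "valid_until" in ind else None  # optional field
    return ind["id"], m.group(1), m.group(2).lower(), ts(ind["valid_from"]), until

def hunt(indicators, events):
    """Split matches into in-window hits and stale matches outside the window."""
    hits, stale = [], []
    compiled = [c for c in map(compile_indicator, indicators) if c]
    for ev in events:
        seen = ts(ev["time"])
        for ind_id, kind, value, start, end in compiled:
            if ev.get(kind, "").lower() == value:
                live = start <= seen and (end is None or seen < end)
                (hits if live else stale).append((ind_id, ev["time"]))
    return hits, stale

def hit_rate(indicators, hits):
    """Fraction of indicators that produced at least one in-window hit."""
    return len({i for i, _ in hits}) / len(indicators) if indicators else 0.0

# Constructed sample data: placeholder ids, documentation IPs, .example domains.
def make_ind(n, pattern, start, end=None):
    d = {"type": "indicator", "id": f"indicator--placeholder-{n}", "pattern": pattern, "valid_from": start}
    return dict(d, valid_until=end) if end else d
INDICATORS = [
    make_ind(1, "[ipv4-addr:value = '203.0.113.10']", "2019-05-01T00:00:00Z", "2019-05-04T00:00:00Z"),
    make_ind(2, "[domain-name:value = 'bad.example']", "2019-05-02T00:00:00Z", "2019-05-05T00:00:00Z"),
    make_ind(3, "[ipv4-addr:value = '198.51.100.7']", "2019-05-01T00:00:00Z"),
    make_ind(4, "[domain-name:value = 'old.example']", "2019-04-01T00:00:00Z", "2019-04-03T00:00:00Z"),
]
EVENTS = [
    {"time": "2019-05-02T10:00:00Z", "ipv4-addr": "203.0.113.10"},
    {"time": "2019-05-20T09:00:00Z", "ipv4-addr": "203.0.113.10"},
    {"time": "2019-05-03T12:00:00Z", "domain-name": "BAD.example"},
    {"time": "2019-05-03T12:05:00Z", "domain-name": "intranet.example"},
    {"time": "2019-05-10T08:00:00Z", "domain-name": "old.example"},
]
```

Stale matches are returned separately rather than dropped, so an analyst can still review them at lower confidence.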
"Threat intelligence platforms are now focusing on the human in the loop analysis, linking SIEM, intelligence management and remediation into a single dashboard to quickly ingest information, analyse and remediate by making configuration changes on security appliances," he adds.
"Data analytics is also improving and machine learning is assisting with categorising features of attacks and enabling more focused searches."
Finally, he says 'threat intelligence analyst' is becoming a profession in its own right, with specific roles advertised as such in an increasing array of industries.
During his talk, 'Threat hunting: Seek and you might find', Lam will help delegates gain an understanding of risks and threats to their businesses and how threat hunting can assist with improving their security posture.