Hunt or be hunted
Identifying potential threats before they strike is key to staying one step ahead of cyber criminals.
It's no longer sufficient for companies to react efficiently and effectively to cyber criminal attacks on their businesses. Handre van der Merwe, information security specialist at BUI, says: "Organisations are constantly being exposed to new and evolving cyber threats, which can become overwhelming for the average business's IT staff to manage. We're seeing a proactive shift towards threat hunting as a security practice, which is going to place even more pressure on IT departments."
Threat hunting, also referred to as hacker hunting, is a function of the security operations centre (SOC) and entails the use of tools to detect anomalous or adversary activity.
A 2017 survey by the Information Security Community on LinkedIn revealed 55% of those surveyed felt that early detection of online, hidden and emerging threats was the biggest challenge they faced, while 43% identified a lack of security skills as a challenge to implementing proactive threat hunting. The survey said 40% of organisations were using threat-hunting platforms, with an increasing number of businesses starting to see the value of this proactive approach to cyber crime and employing dedicated security professionals to scour and look for vulnerabilities.
Threat hunting goes beyond just scanning the organisation's network for unusual activity. By knowing which threats are out there across geographical regions and industries, it's possible to devise better ways to respond to attacks. The aim is to identify potential threats, then notify, issue alerts and enable businesses to take proactive measures.
By hunting for and uncovering attack vectors that can potentially lead to broader exploits, businesses can learn from these and increase their protection, says Van der Merwe.
There are three basic approaches to threat hunting:
1. Analytics-driven: this is where the SOC runs analytics against typical user and entity behaviour. Tools are deployed that look for anomalous behaviour, where a deviation from normal behaviour is identified an alert is issued.
2. Intelligence driven: this approach is fuelled by collating threat intelligence reports and feeds from different sources, providing an aggregated view from global sources as to what's happening around the world, and issuing alerts accordingly.
3. Situational awareness driven: the company's overall security posture needs to become more proactive. Also referred to as Crown Jewels Analysis, it looks at the IT assets that are most critical to the business, takes into account the company's trends, where the pitfalls are, even industry-related factors such as compliance, and identifies potential pitfalls and weaknesses.
The fundamental goal is to reduce your company's exposure to external threats, improve the accuracy of its threat response and reduce the number and extent of breaches. The biggest barrier to a company implementing threat hunting as a strategy is budget, says Van der Merwe, while access to skilled IT professionals who are familiar with threat management and who form part of a proper SOC can also prove challenging. "Most organisations have fewer than five security professionals dedicated to threat hunting," he says.
Van der Merwe says a major concern for organisations implementing threat hunting are concerns around time and resource allocation: "How much time do you spend on something like this and what resources do you allocate? It all comes down to skills, budget and available platforms." He says businesses have two choices: they can either outsource a portion of the risk, or just accept that the risk is out there and hope for the best.
However, he's clearly a strong advocate of being proactive, saying: "Organisations can't just stick their heads in the sand and hope that they never get hacked. Regardless of the size of the business, a proactive approach to security is the only way forward."