Cyber Analytics Driven Threat Hunting

By: Tanmoy Saha, Solution Architect

Need for Shift in Cybersecurity Approach

Organizations are being asked at an increasing rate to innovate their operations and environment to enable expanded and more efficient services to their customers. The march towards Digital Transformation has led to embracing of initiatives such as Cloud Computing, IT Mobility, Internet of Things, Bring your Own Device. Many of these services require the enterprise connect to external stakeholders including customers, service providers, vendors, and regulators. Such integrations can expose organizations to a host of malicious attacks & breaches. Thus, with the emerging threat landscape, Security Operations Centers which rely primarily on prevention technologies, and rule & signature-based detection mechanisms, have been rendered ineffective. Organisations need to adopt smarter ways to tackle this problem.

One of the biggest challenges organizations are facing when it comes to threat detection and risk mitigation, is gaining visibility into their environment. Some of the key obstacles cited as contributing to a lack of visibility, are:

  • Knowing what to look for
  • Having the trained resources to perform the risk analysis
  • Knowing what key information to contextualize
  • Keeping current on new threats & vulnerabilities
  • Optimizing accuracy of alerts

What the Global CISO’s want to know

In wake of the above complex Cyber-security Threat landscape, the Enterprise CISO’s have these pertinent questions to ask:

  1. What is my real-time risk posture?
  2. Are users & machines “misbehaving” on my network?
  3. What is happening in my network?
  4. If I transition to Cloud services, how will I know if my network is compromised?
  5. Is a potential breach malicious or not?
  6. Is my security team efficient and focusing on the “right” things?

Threat Hunting as an Enabler

Threat Hunting becomes a key enabler to answer the above key questions. Hunting is a proactive and iterative approach to security. In essence, it is the process of looking for the traces of attackers (past and present) in your IT environment. The process helps find those traces before any alerts of their activities are generated by security devices. The typical objectives of Hunting are:

  • Maintain a continuous threat awareness
  • Hunt for unknown behavioral based anomalies
  • Analyze threat intelligence feeds and convert it into actionable tasks
  • Aid in providing input to monitoring team

Key Characteristics of Threat Hunting

Hunting has been called an analyst-centric process, which places personnel requirements above tool, process and dataset requirements. As much as it depends on the hunter’s advanced knowledge of the Enterprise Threat Landscape, it also depends on his Data Analysis skills. It is not about waiting for an alert or another signal; rather, it’s about going and looking for an intruder before any alerts are generated. Most experts agree that hunting is not about following the rules, but about a creative process and a loose methodology focused on outsmarting a skilled human attacker on the other side.

Value Threat Hunting Brings to an Organization
An Organization equipped with Threat Hunting is better enabled to uncover hidden and entrenched threats. It reduces the attack surface resulting from discovered and removed weaknesses, and allows for sweeping systems clean before a critical mission or business transaction. It paves the way to validate that the controls — both preventative and detective — are actually working, and no threat actors are entrenched in the environment.

Threat Hunting is a way to flip the age-old security maxim, “the defender needs to close all holes, but the attacker needs to just find one hole to get in.” Specifically, with hunting, an attacker’s sole mistake is likely to lead to their discovery and removal, while the defender can cast its net many times to find the mistake.

Commoditization of the IT services industry….really!
IoE: Is it real or just a figment of our imagination?