Taking the long view – why threat hunting should underpin strategic IT security

The US Navy SEALs have a well-known motto: “The only easy day was yesterday.” Taking a look at the latest intelligence on the UK cybersecurity landscape it can feel like we’re facing a future that will make the challenges of the past seem like halcyon days. Certainly, all the evidence indicates that the frequency, sophistication and severity of cyberattacks on UK businesses is rising exponentially. However, I believe that while we must accept that there’s no silver bullet for the constantly moving targets that are our cyber adversaries, we can start to build our strategy around proactive, not just reactive tactics, and use threat hunting to underpin our approach. By Rick McElroy, Security Strategist, Carbon Black.

  • 6 years ago Posted in

The latest Carbon Black UK Threat Report found that 92% of UK businesses had been breached in the past year, with 44% being breached multiple times. 82% reported seeing an escalating number of breaches and over a quarter of those said the number of attacks had increased by between 51% and 200%. 91% believed that attacks are becoming more sophisticated and, in another survey we ran, 64% of incident response professionals said they had seen attempts at secondary command and control and 46% found evidence of counter-incident response.

These figures show that cyber criminals are getting smarter and more persistent all the time - and they’re not just in it for a quick win. They’re playing the long game, seeking to establish a foothold in our networks in order to move laterally, island hop into to partner networks and launch future attacks to their own schedule. The Ponemon report on the cost of data security breaches found that on average infiltrators spend 191 days inside a network before they are detected.

While this is vastly undesirable, the fact that they’re already there gives us the opportunity to do more than simply playing a never-ending game of “whack-a-mole” at the network perimeter. We know that adversaries are inside our networks, so now we need to take a longer view and put some serious focus into hunting threats, anticipating potential attack vectors and making our network a less comfortable environment in which to exist over the long term.   

We asked UK security professionals about how they are using threat hunting as part of their armoury. Two thirds of respondents said that they had conducted threat hunting in the past year and of those, more than 90% confirmed that threat hunting had strengthened their defences. Clearly this is a tactic that some organisations are already using to good effect.

What makes effective threat hunting?

Turning the tables on adversaries and starting to proactively hunt threats needs a different mind and skillset to pureplay cyber defence. Instead of standing on the watchtower, we’re delving into the shadows seeking signs of malicious activity and using all the forensic intelligence we can gather to understand the motives and tactics of our opponents and anticipate where attacks may be initiated.

We recently held a series of discussions with SecOps professionals in the UK and Europe and asked whether they felt threat hunters were born, not made. Do successful threat hunters naturally think differently to the rest of us, or can the necessary skills and attitude be taught? The consensus was that undoubtedly some individuals have particular talent in this area, but that the overall shortage of cybersecurity professionals (there’ll be an estimated shortfall of 350,000 in Europe by 2022) means that empowering existing teams to develop threat hunting skills will be essential. I strongly believe that given the right tools, a clear brief and the freedom to roam, there’s no reason why the organisation can’t mobilise its whole security team to threat hunt effectively.

In fact, embedding a culture of threat hunting across the organisation is really more important than having individuals assigned to the case. We don’t want to create silos, we want to be sharing intelligence and spotting patterns that make us a smarter, harder target for cybercriminals. And that goes across the industry, too, not just within companies. The cybercriminal community is fantastic at sharing intelligence, tools, tactics and procedures, but here on the other side of the fence we don’t seem to be able to get past the silos of competition.

The numbers game – outspent by a factor of ten to one…

Going back to our research, UK companies told us that they were anticipating only a limited increase in security budget spend – two thirds were expecting to see budgets increase by between 10 and 30%. In the face of the escalating threat landscape this is concerningly modest. While the corporate environment is naturally lean when it comes to budgets, it’s important to keep track of what the competition is doing.

In this case the competition - cybercriminals - are throwing the kitchen sink at developing new methods of attack and, given that this is their core line of business, I guess that’s to be expected.  They’re spending around $1 trillion annually, against a global security spend of $96billion – a ratio of ten to one. It’s a profoundly unequal battle and it’s therefore not surprising that we’re seeing big increases in the number and severity of breaches. Assuming we’re unlikely to get a sudden budget injection on a $1 trillion kind of scale, we need to make sure every penny we spend on cybersecurity delivers solid ROI.

Investing in threat hunting is an important part of a maturing approach to strategic IT security. It demonstrates that your organisation is serious about lowering the amount of time adversaries spend in its network and limiting the risk to your partners from island hopping. As UK organisations are already finding, threat hunting strengthens defences and hardens attack vectors, so even if budgets are limited, I strongly recommend that threat hunting is on the menu. As an industry we need to get threat hunting working for us to start turning the tables on our adversaries. I’m not saying tomorrow will be easy, but we’ll be heading in the right direction if we start threat hunting today.

 

By Barry O'Donnelll, Chief Operating Officer at TSG.
By Dr. Sven Krasser, Senior Vice President and Chief Scientist, CrowdStrike.
By Gareth Beanland, Infinidat.
By Nick Heudecker, Senior Director at Cribl.
By Stuart Green, Cloud Security Architect at Check Point Software Technologies.
The cloud is the backbone of digital cybersecurity. By Walter Heck, CTO HeleCloud
By Damien Brophy, Vice President EMEA at ThoughtSpot.