Next Previous

Proactive threat hunting: Finding the problem before it finds you

8 March, 2017

Modern cybersecurity is one of the most Sisyphean of endeavors. By the time an organization patches one hole in its security, hackers have already found another. And so begins yet another retroactive attempt to respond to an attack and put new defenses in place. The game of Whac-A-Mole continues this way, with institutional security always seemingly one step behind the adversary. Such is the downfall of reactive cybersecurity. 

There's a better way: It's called threat hunting. The problem is that many organizations are not doing it, and according to the Ponemon Institute, a woeful 16 percent of managed security service providers supply this service for clients.

Be that as it may, organizations are starting to become savvier to the benefits of proactive threat hunting, which was actually an important theme at this year's RSA Conference. As the name suggests, this new tactical approach is all about scouting out a threat before it causes damage. 

The basics of threat hunting

In a recent Bright Talk webinar, Ross Phillips, security engineer at Arctic Wolf Networks, provided a high-level overview of threat hunting. He explained, for instance, that it all starts with network logs and events. This is sort of the traditional bedrock for security information and event management (SIEM), which supplies alerts based on its interpretation of the events. Of course, these alerts are multitudinous, and create more noise than the Fourth of July. 

To address this problem, security engineers are increasingly relying on automation methods – for instance, categorizing false alarms so they'll be excluded from the din of future alerts. Machine learning algorithms are also playing a role in sifting out the myriad false alarms and identifying alerts that can be further classified as actual "indicators of compromise" or IOCs. Ideally there should be a small number of IOCs. Security engineers such as Ross Phillips will manually evaluate these IOCs to determine if they are in fact indicative of mayhem. 

But again, not a lot of organizations are doing this successfully, and an insignificant portion of MSSPs are picking up the slack. 

Diving deeper

"The core aspect of threat hunting is IOCs."

"Threat hunting is the process or action of purposely setting out to identify, validate and mitigate incidents of compromise or potential areas of compromise that are already in your environment."

This is Ross Phillips' most basic definition of threat hunting, and it really revolves around IOCs. These can be likened to symptoms of a developing disease. Sometimes, the earliest signs are subtle. However, it's universally understood that the sooner you can detect a serious medical condition, the more effectively you can treat it. So the million-dollar question is, how do you sniff out those IOCs?

One of the main components is threat intelligence. A lot of this intel comes from open-source lists available on the web. This is all known information about threats. They provide a scent for the hounds to track, so to speak. The challenge here is that not all of these threats will necessarily be relevant to an organization's network. What's more, these lists are anything but precise. 

"You can't just download a list of threat intel and have it scan your network " Ross Phillips said. "You're going to get thousands of alerts and 99 percent of them will be false positives because you're just downloading the generic rule set."

In other words, these "rules" need to be refined. For context of how much revision is needed, 80 percent of the rule base he uses for clients is custom, versus 20 percent of which is straight from open source. It's not surprising then, that most people go to reactive threat detection. The theory behind it is so much simpler – when something breaks, just fix it, and while you're at it, beef up perimeter defenses a bit. 

Alas, this method is horribly inadequate, because it doesn't even try to address the elephant in the room – unknown cyberthreats. Ross Phillips put it best:  

"You can't prevent what you don't know about. You can only detect it."

You can't hit a target that you never knew was there.You can't hit a target that you never knew was there.

How to threat hunt with success

"Home in on the threat intel that actually matters to your organization."

Going beyond the deployment of firewalls and web filters and entering into the realm of proactive threat hunting may seem daunting at first, but it can all sort of be summarized as a constant vulnerability scan of the entire network. Granted the devil is in the details, and a lot about how well those scans perform will depend on the quality of threat intel and the competence of the analytics being used. To that end, Ross Phillips noted that the simplest place to start is to home in on the threat intel that actually matters to your organization. 

"Focus on what you know as far as what's internal to your business," Ross Phillips said. "If you're reading an article on the latest security threats for java and you don't have people using java, you're wasting your time."

Ross Phillips added that there are plenty of tools available on the internet to aid in hunting, and highly recommended Nmap Scripting Engine (NSE), which helps make it easy to automate, and also customize, certain network scripts.

There's one final hurdle to successful threat hunting, and it comes down to resources and expertise. Threat hunting must be a 24/7/365-endeavor that utilizes deep learning analytics and perpetually demands the expertise of talented security engineers. Intermittent vulnerability scans can certainly help, but these take time out of IT workers' days. Also, considering there can be billions of network events in a 24-hour period, the more time that elapses between scans, the greater the possibility that an IOC will fall through the cracks. After all, it only takes a few seconds for many strains of ransomware to begin encrypting critical data. 

To address this, businesses are starting to eye SOC-as-a-Service offerings that can guarantee threat hunting as part of their value proposition. Organizations may not have the internal resources needed to keep a spotlight patrolling the network, but there are cybersecurity firms that do, and will on a subscription pay model.

SOC-as-a-Service can provide the unwavering vigilance needed to hunt for threats effectively, which in today's cyberthreat landscape is absolutely essential.