NCSAM, part 5: How to Build a Hunting Team With a Small Security Team

October 27, 2016 Arctic Wolf Networks


What better time to talk about cyberthreat hunting than during week five of National Cybersecurity Awareness Month?

Each week, we’ve posted an article in observance of the various themes for NCSAM, and this week’s motif is “Building Resilience in Critical Infrastructure.” In light of several attacks on critical infrastructure (one involving ransomware in Michigan, and another in Ukraine that resulted in a power outage for 225,000 people), it’s clear that a strong security posture will be more important than ever for utilities and energy companies in the coming years.

One of the most important places to start in this endeavor is with cyberthreat detection, and more specifically, cyberthreat hunting.

What is cyberthreat hunting?


On a superficial level, hunting is exactly what it sounds like: a proactive search for threats already inside your organization’s network, rather than waiting for an alert to fire. But on closer examination, there is a lot more to it than that.

According to DarkReading contributor David J. Bianco, “hunting is not an automated process.” It requires a concerted effort by people with a strong understanding of both the threat landscape and the organization’s own security infrastructure.

“A savvy hunter understands that the attackers can accomplish their goals in many ways and examines the data from several viewpoints to compensate,” Bianco wrote.

What’s more, hunting isn’t penetration testing. Pen tests are certainly part of the equation, but they measure whether your defenses can be breached at a point in time; hunting looks for attackers who are already inside, and attackers don’t keep to an assessment schedule.

The hunt, on the other hand, never ends – or at least it shouldn’t. This is especially true in critical infrastructure, where monthly, weekly and even daily penetration tests just aren’t enough when so much is at stake.
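To make “examines the data from several viewpoints” concrete, here is a small hunt over constructed outbound-connection records. This is example code added for this page, not Arctic Wolf’s tooling or anything from Bianco’s article, and the hosts, domains and timestamps are made up. The same telemetry is looked at two ways: which destinations are rare across the fleet (frequency stacking), and which host-to-destination pairs connect on a suspiciously regular period (beaconing). A hit from both viewpoints rises to the top of the hunter’s review list.

```python
"""Two-viewpoint hunt over constructed outbound-connection records.

Added example for this page; not the original post's code and not a vendor
product. Every host, domain and timestamp below is constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

HOSTS = ["ws-001", "ws-002", "ws-003", "ws-017", "ws-042"]

# Constructed telemetry: (timestamp_seconds, src_host, dst_domain).
EVENTS = []
for i, host in enumerate(HOSTS):
    # Ordinary traffic seen from every host, irregular timing.
    for base in (15, 140, 610, 655, 1200, 1730):
        EVENTS.append((base + 7 * i, host, "cdn.example.com"))
    for base in (50, 900, 2400):
        EVENTS.append((base + 3 * i, host, "mail.example.com"))
# A destination shared by only two hosts: uncommon, but not unique.
EVENTS += [(300, "ws-001", "vpn.example.com"), (320, "ws-002", "vpn.example.com")]
# One host calling one domain roughly every 300 s with a few seconds of jitter.
for ts in (100, 402, 699, 1001, 1298, 1602, 1899, 2201):
    EVENTS.append((ts, "ws-042", "cdn-assets.example.net"))
# A one-off connection to a domain nobody else visits.
EVENTS.append((850, "ws-017", "files.example.org"))


def rare_destinations(events, max_hosts=1):
    """Viewpoint 1: domains contacted by at most `max_hosts` distinct hosts."""
    hosts_by_domain = defaultdict(set)
    for _, host, domain in events:
        hosts_by_domain[domain].add(host)
    return {d: sorted(h) for d, h in hosts_by_domain.items() if len(h) <= max_hosts}


def beacon_candidates(events, min_events=6, max_cv=0.1):
    """Viewpoint 2: (host, domain) pairs whose connection intervals are nearly constant.

    Regularity is measured as the coefficient of variation (stdev / mean) of the
    gaps between consecutive connections; human browsing is bursty and scores high,
    a timer-driven implant scores low.
    """
    times = defaultdict(list)
    for ts, host, domain in events:
        times[(host, domain)].append(ts)
    candidates = {}
    for key, ts in times.items():
        if len(ts) < min_events:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            candidates[key] = {"period_s": round(period, 1), "cv": round(cv, 3)}
    return candidates


def hunt(events):
    """Combine both viewpoints; pairs flagged by more than one come first."""
    findings = defaultdict(list)
    for domain, hosts in rare_destinations(events).items():
        for host in hosts:
            findings[(host, domain)].append("rare destination across the fleet")
    for key, stats in beacon_candidates(events).items():
        findings[key].append(f"periodic (~{stats['period_s']}s, cv={stats['cv']})")
    return sorted(findings.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    for (host, domain), reasons in hunt(EVENTS):
        print(f"{host} -> {domain}: {'; '.join(reasons)}")
```

Neither viewpoint is conclusive on its own: a rare domain may be one employee’s legitimate file share, and a regular period may be a software updater. The value is in the analyst deciding which hypotheses to test, reading the results with context the code doesn’t have, and feeding what they learn back into the next hunt.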


Challenges, solutions and rewards of hunting

Many organizations struggle with hunting for the simple reason that they have small security teams, or at least a security team that can’t supply the 24/7/365 threat-seeking capability needed to protect something as important as critical infrastructure. The fact is, running a SIEM the right way requires, as Bianco has illustrated, the proactive application of human security expertise. Analytics plays a big role and helps narrow the noise down to what deserves a closer look, but a human at the helm is just as important.

So what are your options? Hiring an entirely new security team and investing in a SIEM isn’t exactly economical. You could outsource everything to a security operations center (SOC), but that’s not ideal for organizations that need to stay actively involved in their own defense.

Interestingly, this isn’t an issue that’s unique to critical infrastructure. Health care, finance, law and other regulated industries also need to keep a hand on the controls, so to speak. This requirement has led to the growth of an entirely new market in recent months called managed detection and response (MDR). The benefit MDR has over a SIEM, a SOC or an MSSP alone is that it supplies hunting experts who run the SOC but also work directly with your internal security team, so your team is still the one calling the shots.

So, in a lot of ways, MDR acts as a spotter in your cyberthreat hunting endeavors – and for assets as essential as critical infrastructure, that goes a long way.

