Threat hunting has suddenly become a hot topic
Recent articles in CSO and Dark Reading talk about it becoming a new trend, or, as CSO suggests, a fad. The truth is it’s a lot more than a fad – it can be your best chance of spotting and stopping a hidden attack before it causes catastrophic damage.
The history of threat hunting
Let’s take a step back and look at the basics of threat hunting for those who may be new to the concept. Dark Reading did a nice job of summing it up in an article entitled “’Threat Hunting’ On The Rise”:
“Rather than simply waiting for the inevitable data breach to happen, many organizations say they have begun more actively scouting around for and chasing down bad actors and malicious activity on their networks.
Unlike the usual security approaches, threat hunting — as some of the industry have taken to calling the trend — combines the use of threat intelligence, analytics, and security tools with old-fashioned human smarts.”
In fact, in response to the constant stream of new breaches, many in the security industry argue organizations should operate under the assumption that their respective networks will be penetrated if they aren’t already.
The concept of threat hunting may be new to the enterprise space; however, the U.S. Department of Defense adopted this premise several years ago. In response, it created hunt teams, which, at a basic level, consisted of trained incident responders and analysts who proactively and iteratively searched critical networks and/or historical log data for signs of a missed compromise.
While the DoD has long been reaping the rewards of threat hunting, enterprises are just starting to recognize the value. A recent SANS survey showed that 86% of organizations surveyed are interested in hunting; however, more than 40% do not have a formal threat hunting program in place.
Hunting without an expert
Why such a large gap in enterprise adoption? In their respective articles, both CSO and Dark Reading suggest that threat hunting is still a very manual process and requires a great deal of expertise. While threat hunting has been marketed by some as a very intense process requiring high skill sets and detail-oriented forensic analysts, this is simply due to a lack of automation and solutions tailored to the activity. An automated hunt workflow can multiply the effectiveness of an analyst by orders of magnitude, allowing a small team to cover an entire enterprise network with hundreds of thousands of nodes. Additionally, integrating existing detection and analysis technologies, such as threat intelligence databases and malware sandboxes, is beneficial.
Infocyte HUNT is specifically designed for this purpose. The technology was developed by former US Air Force cybersecurity officers who spent years hunting adversaries within some of the largest and most targeted defense networks in the world. This deep domain expertise was used to develop an automated process for threat hunting.
Infocyte HUNT makes it easy for a network operator or security team to hunt for threats on their own – no Ph.D. or specialized knowledge is required. The Infocyte HUNT agentless solution scans network endpoints to detect the post-intrusion activity, active or dormant, of attackers who have successfully evaded an organization’s real-time defenses and established a beachhead within the network. Dynamic threat scoring is used to flag the severity of an identified issue so users can take immediate action when a compromise is found. It reduces the breach detection gap – the time that exists between infection and discovery – denying attackers the ability to persist and restoring trust in a network’s health.
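To make the automated hunt workflow described above concrete, here is an added example (not Infocyte HUNT's code) of one hunt pass over constructed endpoint scan results: each artifact is enriched against a constructed threat-intel feed, given a dynamic threat score with the reasons behind it, and reported with its breach detection gap (first sighting to discovery). The hosts, paths, hashes, dates and scoring weights are all assumptions made for the example.

```python
# Added example (not Infocyte's code): one automated hunt pass over constructed
# scan results: inventory -> threat-intel enrichment -> threat score -> detection gap.
from dataclasses import dataclass
from datetime import date
THREAT_INTEL = {"aa" * 32: ("Constructed.Backdoor", 60)}  # constructed feed: sha256 -> (family, base)

@dataclass
class Artifact:
    host: str
    path: str
    sha256: str
    running: bool     # active process now, vs. dormant on-disk persistence
    autorun: bool     # registered to start automatically (service, run key, cron)
    signed: bool      # carries a valid code signature
    first_seen: date  # earliest sighting in historical scan data

def score_artifact(a):
    """Dynamic threat score 0-100 plus the reasons that produced it."""
    score, reasons = 0, []
    if a.sha256 in THREAT_INTEL:
        family, base = THREAT_INTEL[a.sha256]
        score += base; reasons.append(f"threat-intel match: {family}")
    if not a.signed and a.path.lower().startswith(("c:\\users\\", "/tmp/", "/home/")):
        score += 20; reasons.append("unsigned binary in user-writable path")
    if a.autorun:  # dormant persistence is the case real-time defenses tend to miss
        score += 10 if a.running else 15
        reasons.append("active persistence" if a.running else "dormant persistence")
    return min(score, 100), reasons

def severity(score):
    return "critical" if score >= 80 else "high" if score >= 50 else "medium" if score >= 30 else "low"

def hunt(artifacts, discovered, threshold=30):
    """Score every artifact, drop weak leads, rank the rest; gap = infection to discovery."""
    findings = []
    for a in artifacts:
        s, why = score_artifact(a)
        if s >= threshold:
            findings.append({"host": a.host, "path": a.path, "score": s, "severity": severity(s),
                             "reasons": why, "gap_days": (discovered - a.first_seen).days})
    return sorted(findings, key=lambda f: -f["score"])

def run_sample():
    # Constructed results from two endpoints; the hunt is run on 2019-01-15.
    scan = [
        Artifact("ws-0417", r"C:\Users\alice\svc.exe", "aa" * 32, False, True, False, date(2018, 11, 2)),
        Artifact("ws-0417", r"C:\Windows\System32\svchost.exe", "bb" * 32, True, True, True, date(2018, 1, 9)),
        Artifact("srv-db01", "/tmp/.x/updater", "cc" * 32, True, True, False, date(2019, 1, 10)),
    ]
    return hunt(scan, date(2019, 1, 15))
```

The signed, running svchost.exe entry scores below the threshold and is dropped, while the dormant autorun that matches threat intel ranks first with a 74-day detection gap.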
So Fad or Essential Cyber Security Tactic?
If you still think this is just a trend, here are some numbers for you to consider. The SANS survey also revealed that:
“52% who have implemented threat-hunting programs have found previously undetected threats, 74% have reduced attack surfaces, and 59% enhanced speed and accuracy of response by using threat hunting.”
With numbers like that, it’s clear that threat hunting is here to stay and should be considered an essential tool for any company serious about stepping up its security posture. To learn more about the advantages of automated threat hunting, read our white paper, The Breach Detection Gap and Strategies to Close It.