If you were to come home and find a broken window, what would you do? Would you simply get someone to patch up your window and then go about your day? If you're like me, you would absolutely freak out - SOMEONE was in my house!!!
I would carefully go from room to room like I’m on SEAL Team 6, making sure that nobody is still in the house. This is because the greatest threat to my safety is a hidden intruder that may be still be cuddled up against winter jackets in the closet.
In the IT world, the absolute, number one vulnerability on your network is an ongoing compromise. Period. Let me repeat this - as a cyber security professional, there is no greater vulnerability to you, your career, and the success of your organization, than an ongoing compromise.
With so much at stake, why isn't looking for the guy hidden in the closet a priority for cyber security pros?
Scanning for network vulnerabilities is critical, and everybody should make sure their windows are patched up. However, while these are all important network defense strategies, what happens when someone uses a zero day? The fact is that the signs of an intrusion on a network are not always as obvious as a broken window or red flag log entry. Time and time again we see companies with budgets far greater than most, with far more experts and defensive tools, with a significant amount of time and effort put into vulnerability assessments, get breached. The bottom line is no organization is impenetrable.
No matter how many tools and eyes you have on your perimeter, no matter how strong a defense you have in place - whether it be standard AV, an EDR, or the next great (and necessary) preventative tool - if an Advanced Persistent Threat (APT) has found a way past your defenses, the intruder can find a way to evade event/behavior and signature based strategies. Once safely hidden within your network he can conduct his reconnaissance and exploitation mission unseen causing untold damage.
To really solve the problem, you need to put on your offensive hat. You must assume you have already been breached and hunt within your own network for any ongoing compromise. I'm not talking about sifting through event logs, I mean proactive threat hunting on the network and all endpoints that are exposed.
There are a variety of ways in which you can delve into threat hunting, but I know that most people I talk to tell me that it takes too much time, and finding the headcount for hunt teams is tough. The Air Force had these problems when our founders ran cybersecurity there, which is why they created the Infocyte HUNT solution to automate the hunt process so you can easily identify APTs and other compromises in the darkest corners of your closet and quickly take action.
Whether you choose to look for APTs manually or use a partner like Infocyte, at the end of the day if you aren't hunting, you aren't taking your greatest cyber security vulnerability seriously.
Download our white paper to learn how threat hunting can help you identify APTs and other vulnerabilities that may be lurking on your network.