The cyber threat hunting game has changed

As the world of computing has extended its reach over the last decade, high demand has risen for more sophisticated information systems, big data analytics tools, cloud computing, and mobile applications.

The past decade has seen drastic growth in new security vulnerabilities, and malware alone has evolved to become more sophisticated, unexpected, diverse, and powerful than ever before.

The early forms of malware sought to generate high-profile nuisance attacks, but years later its aims are increasingly pernicious, focusing on ransom, theft and other malicious and hostile activities. Thus, malware has become much more of a concern for organisations.

During the last decade most CISOs managed to change their tactics and moved from alert chasing to threat hunting. SOC activities started to gain momentum, and most security teams defined their goals as detection, analysis, and response. The SOC managed to detect known threats, but this is simply not sufficient.

The SOC analyst’s role was converted from chaser to hunter, and now they must take a proactive approach to protecting their company’s assets by looking for active threats, vulnerabilities, breached systems, and leaked data.

Threat hunting focuses on proactively finding threats. It requires deep inspection of potentially breached systems and looking across wide ranges of historical data to find malicious activity not identified by traditional alerting mechanisms.

Security solutions shift

In the past decade there were many changes in the evolution of security solutions. These changes evolved around the attacks prominent at a particular time. One of the first solutions on the market concentrated on the widespread DDoS attacks, which spurred the development of protection at the network layer (layer three) and gave rise to the firewall. In later years, as cyber crime became more sophisticated, the security response had to step up.

Hackers started to penetrate networks as the world’s storage moved to digital storage, and these databases became their prey. In order to penetrate the networks, hackers had to get past the firewall and approach the network in a seemingly legitimate way. This created the IDS solution, which was able to detect unusual traffic by matching it against signatures or rules, and later the IPS, which was able to block it.

As cyber crime has become more sophisticated, the new generation of cyber defence is creating more advanced analysis that can inspect information in the application layer and discover impersonation, which today is one of the main threats in cyber crime.

In addition, the need for a solution that can accumulate and correlate all the security components into one database and analyse their logs to create a bigger picture was also on the table, and in time this became the SIEM system.

Emergence of nation-state/hacking group coercion

As with every powerful weapon, nation states have recognised the potential danger in cyber attacks and their strong impact in geopolitical conflicts and warfare.

In security, nation-state attackers are dubbed APT (Advanced Persistent Threat) groups. The persistence part is especially important regarding nation-state groups. Hacking groups have limited capabilities and budget, and when focused on cyber crime they need to be cost effective when allocating their resources.

APTs, meanwhile, enjoy extremely wide capabilities and labour potential, with very clear and carefully chosen targets – resulting in persistent and accurate hacking attempts on these targets. Thus, it is possible to postulate that cyber crime hacking groups choose targets based on cost effectiveness and availability, whereas nation-state groups choose targets based on importance.

However, recently the border between the two has seriously shattered, as governments started actively recruiting hacking groups and individual threat actors into their service in order to promote their geopolitical interests.

This phenomenon is especially salient in China (for example Stone Panda [APT 10]) and the Russian Federation (all the groups from the Grizzly Steppe list, including Fancy Bear [APT 28] and the Dukes [APT 29]).

It is also possible that strong hacking groups working in collaboration with governments are state supported from the beginning. Governments may avoid being directly identified with these groups to prevent accusations and judgment, and to avoid admitting accountability or exposing capabilities. However, they are also not openly denying the collaboration, in order to foster deterrence and gain from the resulting vagueness.

The threat hunting game is certainly not the same, with the ever-changing threat landscape, but there are many talented cyber security professionals entering the industry to fight back against these very issues.


Sourced by Itay Kozuch, director of research, Intsights and Orin Mor, threat researcher, Intsights

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...