Deploying threat hunting teams, what does it take and does it matter?
Increasingly, organisations (approximately 10%) are deploying threat hunting functions as people or teams; what’s driving this rise, what is threat hunting and what data do they need access to?
The defender’s evolving view
The NIST cyber security framework, which effectively converted security into plain English, provided a new way of looking at security — it lead to a shift in investment and focus.
In 2008, the focus shifted from protection to detection, because organisations realised that protection efforts could be bypassed. In 2016 another shift in focus occurred, from detection to threat hunting, for the same reason — organisations adopted this framework because they realised their organisation would be breached at some point.
“This framework led to a macro shift in customer spending; moving from strictly protection to the security operations centre. The detection and response security budget moved from 10% to 40%,” explained Brian Dye, chief product officer at Corelight.
“Programmatic detection is not perfect, which is what led to this threat hunting wave; being proactive, looking for the things that detection technology has missed,” he continued.
Threat hunting is becoming necessary because while organisations can throw money at incident response and protection tools, they can’t throw money at the consequences of a breach. Indeed, CISOs are kept up at night by what they don’t know (what I have to investigate).
The cyber threat hunting game has changed
Inverting defender’s dilemma
Threat hunting takes advantage of the dynamic of how an attacker works — they “invert the defender’s dilemma,” said Dye.
He explained: “Once attackers penetrate the network, they’re researching it to find the payload, then they want to establish contact and try to get it out. In this scenario, there are many chances to find the attacker once they’re in the network. But, there’s only once chance to defend the network perimeter; it’s a singular access point.”
Outside the network, the hacker only has to get it right once, but within the network, threat hunters only have to get it right once to identify the intruder and shut the whole attack down.
Instead of starting with alerts, threat hunting requires exploitation
Threat hunting workflow
Threat hunting starts with visibility. The teams have to understand the network environment and what’s normal.
“Hackers, often, know the network better than the defenders and this what threat hunting is balancing out,” continued Dye.
Threat hunting teams have to follow the unusual; IPs/domains, certificates, tools and activity.
They then have to confirm their thesis; understand the threat and document, contain, remediate it.
“This is the most important stage,” explained Dye. “The threat hunting process ties into the incident response process and they have to encode knowledge so that the rest of the security team can do what they did; SIEM queries, algorithms, coverage and training.” Threat hunters need to automate the results.
But, all of the above is redundant if the defenders/hunters don’t have the right data.
What data do threat hunters need access to?
There is a growing trend that organisations are moving away from data puddles and into data lakes; they want their data in one place.
Network data, for breadth, endpoint data, for depth and threat analysis are the most important datasets that allow threat hunters to do their job.
“60/70% of data scientists time is spent normalising and fixing data, but if you can fix at source the world gets way better” — Dye
Specifically looking at gaining visibility into an organisation’s network, Corelight’s bread and butter*, there are three areas that must be addressed.
1. It must be adaptive — data can’t be static, it must be improved and extended.
2. Community defence — no one has all the IP into the world of security. It’s important to work with the community of sophisticated threat hunters and security professionals and not behind one vendor.
3. Irreplaceable insight — there’s a lot of insight organisations can get from the network layer. “But, if you don’t find it when you have full visibility of the network then you won’t find it again,” said Dye.
Attributes of the right data is needed to fuel threat hunting
Threat hunting potential
Highlighting a real-world investigation, Dye referred to a large organisation that was notified by VISA that fraud was happening at a number of its franchises — they have over 10,000 franchises, but only 200/300 were compromised. How could they identify which ones?
The organisation used network visibility to figure out which point-of-sale endpoints were vulnerable (not enough resource to look at all simultaneously) and it found out how they were breached (the attack sequence). Once found, it used the network data to verify that the fix was complete and, at the same time, identify the extent of the breach that it had to disclose for compliance reasons.
“Without this network visibility, the organisation would have had to disclose 4x more than it did. It allowed it to prove what happened,” said Dye.
Cyber threat hunting: combatting the new face of espionage
Why your organisation should deploy threat hunting teams
Threat hunting is a new trend on the rise. It is driven by the recognition that protection and detection efforts can and will be bypassed.
Threat hunting can solve this problem by focusing on unusual activity hidden within normal traffic, and leads to improved incident response through automation and a better understanding of the network.
The right data for hunting must be adaptive, community-driven and extended insight.
*Corelight uses Zeek — an open source tool developed in 1995 — to help organisations gain visibility over their networks