By Staff Writer at LMG Security   /   Apr 27th, 2021

Late to Proactive Threat Hunting? It's Time to Get Started.

Proactive threat hunting is still an underutilized cybersecurity technique. A 2020 SANS report found that while 65% of companies now have threat hunting programs, the majority of these programs are immature.

In 2020, there were over 3,900 data breaches, and hackers averaged 56 days of dwell time in a network before being detected. While dwell time is down 28% from the previous year, imagine the information a hacker can gather from your network in 56 days. Proactive threat hunting can help you nip attacks in the bud. Read on to find out how you can strengthen or jump-start your organization’s proactive threat hunting program.

Proactively Protecting Your Technology Environment

Consider the major breaches that have commanded the spotlight in 2021, such as SolarWinds and Accellion: in both cases, hackers used their access to key suppliers to expand their attacks through the supply chain to connected vendor and customer companies. (For tips on preventing these attacks, read our supply chain security blog.)

Today, an effective cybersecurity program is about more than protecting your network perimeter. You are also protecting your environment from fileless attacks and attacks that originate from behind your firewall. Hackers are looking to compromise credentials and breach your systems through remote work access, phishing/vishing attacks, social engineering attacks, supply chain attacks and more.

Sophisticated attackers can often bypass edge-only controls, such as API gateways and web application firewalls. Proactive threat hunting is a great way to cover the bulk of your backend network traffic, which is largely unprotected and is exactly what malware uses for lateral spread.

Threat Hunting Joins NIST Special Publication 800-53

Good news – dwell time has dropped from the lofty heights of almost 200 days only a few short years ago, partially due to proactive cybersecurity strategies that include threat hunting, among other techniques. However, almost a third of companies still do not have a proactive threat hunting program in place.

In September of 2020, the National Institute of Standards and Technology (NIST) released an updated version of NIST Special Publication 800-53: Security and Privacy Controls for Information Systems and Organizations. This is the first time proactive threat hunting has been added to the list of suggested security controls; the control calls for regularly searching for indicators of compromise and threats that have evaded existing controls, stating:

“Threat hunting is an active means of cyber defense in contrast to traditional protection measures, such as firewalls, intrusion detection and prevention systems, quarantining malicious code in sandboxes, and Security Information and Event Management technologies and systems… The objective [of threat hunting] is to track and disrupt cyber adversaries as early as possible in the attack sequence and to measurably improve the speed and accuracy of organizational responses.” – NIST Special Publication 800-53

Proactive threat hunting is an important tool your organization should be using to quickly find indicators of compromise and minimize losses.

3 Strategic Questions You Need to Consider Before Adding Threat Hunting to Your Cybersecurity Plan

If you’re new to threat hunting or looking to increase the maturity of your current program, here are the strategic questions you need to answer to put a plan in place:

  • Do you have the skilled staff to undertake threat hunting in-house? According to a recent survey, 77% of organizations cited skilled staff as the biggest barrier to implementation. Experienced threat hunters are in short supply, and this makes hiring difficult and expensive. In addition, threat hunters must keep up with the news and the latest Indicators of Compromise (IOCs) to really add value – it’s not a task you can assign to just any IT team member. What are the solutions to this challenge? Consider training one of your internal team members; you can get the skills you need in a relatively cost-effective manner. The second option is to outsource threat hunting. Managed threat hunting services have highly skilled and experienced teams that can be more cost-effective than in-house programs, since each client pays only for fractional time rather than the cost of a full-time employee.
  • Do you have the necessary tools? Consider what threat hunting technology your team will use. There are myriad options. With AI-based behavior change identification tools, DNS and phishing domain catchers, two- and three-dimensional data plotting tools, classification tools and many more, you need to select the right array of tools. At a minimum, you need enriched endpoint detection and response data. You need a system to collect, store and search the data to begin a basic threat hunting program, but automated and AI-based tools that reduce the amount of time you spend jumping around to different tools will help increase the efficiency of your program.
  • What’s your strategic plan? The best threat hunting programs rely on multiple tactics. Technology that simply matches your rule- and signature-based detection tools against your logs is not enough – not even from your SIEM. The point is to go beyond triaging automated alerts to finding the anomalous behavior that evades traditional tools. You can then use both open source and paid threat intelligence services that provide lists of known indicators of compromise to assist with threat hunting. At the same time, consider your sources of intelligence. Every technology environment has the potential to produce a tremendous amount of data. You can’t tackle everything at once, and storage space can get expensive. Which data sources will you prioritize? Will you start with firewall denied traffic? Network traffic metadata? DNS, server, web or email traffic? Also, consider your data retention policy and ensure it is aligned with your threat hunting strategy, so the information you want is there when you need it. Above all, you need a plan of attack that can continue to grow and evolve with your organization.

While there are many aspects of adding proactive threat hunting to your cybersecurity program, these strategic decisions will help guide how you implement your program. If you plan on outsourcing threat hunting or want experienced help setting up your program, check out our managed threat hunting service or contact us about having one of our consultants help you develop a strong internal threat hunting program.
