Why Cyber Threat Hunting is Your Best Bet to Counter Rampant Zero-Day Exploits

According to MIT, zero-day mass vulnerability exploits reached record highs in 2021. We predict this trend will continue into 2022. If you are not cyber threat hunting already, you should be. For hackers, undetected vulnerabilities are juicy targets with big payouts. For businesses, these exploits can lead to massive amounts of damage.

The 2021 IBM Cost of a Data Breach report revealed it took an average of 287 days to identify and contain a data breach. This means a breach occurring on January 1st may not be contained until mid-October. Nobody wants an uninvited visitor snooping around their network — not even for a minute.

The IBM report also tells us that the global average overall cost of a breach is $4.24 million. These numbers are enough to make any executive shudder. So how can you combat this problem? Cyber threat hunting is one of the best ways to identify criminals lurking undetected in your environment. In fact, cyber threat hunting is frequently one of the top recommendations from CISA when it publishes alerts about new mass exploits, and CISA considers threat hunting to be a top priority for proactive security.

Why is cyber threat hunting so important, and is your team ready to start an in-house program? We’ll answer these questions and share what you need to consider to get your program started.

Zero-Day Mass Vulnerability Exploits

Zero-day exploits launch cyberattacks through a previously unknown mass vulnerability. How dangerous are these hacks? These zero-day vulnerabilities frequently bypass authentication protocols, security controls, and your antivirus. Criminals will use these zero-day exploits and mass vulnerabilities to infiltrate your environment, install malware, execute commands, steal data and credentials, and move laterally into the crown jewels of your network. The longer hackers lurk undetected, the more time they have to expand and solidify their foothold, locating and exfiltrating high value data. Threat actors also use this access to install remote access trojans, web shells, and other backdoors that can maintain malicious access or be sold off to another criminal group for a quick profit. If you consider that criminals will pay over $1 million for some exploits, you begin to grasp the magnitude of the threat and why is it one of the top cybersecurity threats of 2022.

One of the greatest dangers of zero-day exploits is they take advantage of vulnerabilities in software installed on your networks, often with privileged access. For example, recently exploited software programs include Microsoft Exchange, Atlassian Confluence, Windows 10, and myriad products and services that incorporated the vulnerable Log4j code. Once these vulnerabilities were discovered, any environment running unpatched programs was wide open for attacks such as malware or data theft.

What is Cyber Threat Hunting?

Almost everyone realizes that a strong perimeter defense is not enough. It’s not news that threats can bypass edge-only controls. Proactive cyber threat hunting is the best way to sniff out threats and protect exposed backend network traffic from malware.

The CISA Alert (AA21-243A) for Ransomware Awareness says:

“The FBI and CISA suggest organizations engage in preemptive threat hunting on their networks. Threat hunting is a proactive strategy to search for signs of threat actor activity to prevent attacks before they occur or to minimize damage in the event of a successful attack. Threat actors can be present on a victim network long before they lock down a system.”

Cyber Threat Hunting Best Practices & Indicators

How do you implement threat hunting? The CISA alert outlined various approaches to which we add our insight as well. The best threat hunting methods include:

• Monitor & manage IT activity and architecture from a baseline. With behavior-based analytics, you can establish baseline user, endpoint, and network activity patterns. Adaptive access leverages machine learning and AI to analyze every user, device, activity, and behavior for context-based decision making. This enables you to monitor access trends and detect aberrant behavior.
• Review data logs. CISA encourages you to understand what standard performance looks like compared to suspicious or anomalous activity. Numerous failed file modifications, increased CPU activity, inability to access files, and unusual network communications can alert you to potential danger. More advanced platforms automate these checks and balances.
• Intrusion prevention and automated security alerts. This can include security information event management (SIEM) software, intrusion detection, and endpoint detection and response.
• Honeytokens. These are fake data or records used to lure hackers into stealing them. Administrators can then track and identify the user who accessed the network.

CISA also outlines indicators of suspicious activity that may indicate zero-day exploits of mass vulnerabilities, such as:

• Unexpected increase in inbound / outbound network traffic.
• Compromised administrator privileges.
• Unrecognized escalation of (or request for) permissions on an account.
• Credentials theft.
• Substantial increase in database read volume.
• Irregular geographical access, log in patterns, and access times since hackers often operate from distant locations.
• Attempts to access folders on a server that are not linked to the HTML within the pages of the web server.
• Baseline deviations in the type of outbound encrypted traffic (threat actors may encrypt exfiltration).

Are You Ready to Conduct Cyber Threat Hunting In-house?

While cyber threat hunting may be essential for many organizations, some may not have the bandwidth, software, or experience to implement an in-house program. You should consider the following factors before implementing threat hunting:

• In-house expertise. Experienced threat hunters understand the importance of keeping up with the latest information about emerging threats. Plus, they know which alerts should be acted upon. Does your team have this expertise?
• IT team bandwidth. While your team might be capable, do they have the time for meaningful threat hunting activity? Will you need to hire or contract additional help? Remember, one of the biggest threat hunter tasks is staying up to date on the latest indicators of compromise (IOCs) and emerging threats.
• The right tools. At a minimum, threat hunting requires enriched endpoint detection and response data with a system to collect, store, and search the data. You can boost efficiency with automated, AI-based tools that reduce the amount of time you spend analyzing data and toggling between different tools.
• Threat intelligence. Both open source and paid threat intelligence services keep you up to data about IOCs which are forensic breadcrumbs left behind by intrusive activity. You can source IOCs from threat intelligence feeds.
• Risk prioritization. Will you prioritize firewall denied traffic or network traffic metadata? Or DNS, server or web and email traffic? If you scanned all your systems, you might find thousands or even tens of thousands of vulnerabilities. Prioritize your efforts to ensure you mitigate the largest risks first.

Let the Cyber Threat Hunt Begin!

Whether you decide to implement in-house proactive cyber threat hunting or use a managed threat hunting service, threat hunting is critical to secure your organization’s, customers’, and partners’ digital assets.