Cyberattacks are more sophisticated than ever, with hackers and other cybercriminals able to find and exploit the smallest vulnerabilities to enter corporate environments.
They’re learning new ways to enter corporate networks and systems without security teams even being aware of their existence, so they can inflict damage or steal data for profit.
Meanwhile, security leaders and teams are responsible for protecting increasingly complex IT environments that often include multiple cloud services, a growing number of mobile devices and apps, an expanding ecosystem of connected objects, and a mix of remote and hybrid workers.
As if all of that were not enough, there has been an increase in cyber-based supply chain attacks, which can have a multitude of effects on the business.
If an enterprise suffers a data breach, ransomware attack, or other security incident, the damage can be significant. It can include not just the immediate financial impact from the loss or theft of data and business downtime, but also harm to a company’s reputation, brand and competitive position.
For companies in industries such as software development, pharmaceuticals, aerospace, auto manufacturing, entertainment, and others, attacks can result in the theft of intellectual or creative property. This can also have a serious impact on revenue.
With today’s cybersecurity reality, threat hunting is no longer a nice-to-have option, but a must-have for the modern security program.
Basics of an effective threat-hunting program
Data and system backups alone are not sufficient when cyber threats include extortion, brand damage, and financial, legal, and other repercussions. Similarly, a cybersecurity program must also consider threats coming from the supply chain.
Many organizations don’t always have the best visibility into how many third-party vendors they are using at a given time, or the types of assets that enter their environment because of third-party vendors. In addition, they are at the mercy of the providers’ security as well as their own.
To address these evolving challenges, organizations need to build the foundation for a mature threat-hunting program, which should include several key components.
One consideration is to maintain a complete, real-time picture of the enterprise environment so threats have nowhere to hide. This is not easy to achieve. The diverse, dynamic, and distributed endpoints that are in use today create a complex IT environment where threats can easily hide for days, weeks, or even months. Organizations should seek to deploy a solution that enables them to:
- Find every endpoint in the environment and recognize whether it is local, remote, on premises or in the cloud.
- Identify active users, network connections, and other data for each of the endpoints.
- Visualize lateral movement paths that attackers can follow to access valuable targets such as Active Directory.
- Verify if policies are set on each endpoint and identify gaps in key controls.
Another component of threat hunting is having the ability to proactively — within seconds —hunt for known or unknown threats across the environment. Once a security team has this visibiliity, they need to be able to differentiate between normal and abnormal behavior to identify active threats.
With the right threat hunting platform, teams can:
- Search for and discover new, unknown threats that signature-based endpoint tools miss.
- Hunt for threats directly on the endpoint, instead of through incomplete logs streamed to the cloud.
- Investigate either individual endpoints or the entire environment in minutes without creating significant network strain.
- Determine the exact root cause of any incident experienced on any endpoint device.
A third component is being able to use one platform to respond to and eliminate any threats that the team finds. Unfortunately, most endpoint tools separate threat hunting from remediation, which can create friction between teams, delay the response, and leave threats active.
With the right solution, security teams can:
- Seamlessly pivot between threat hunting and response by leveraging a single dataset and platform.
- Rapidly apply defensive controls to any number of endpoints during an incident.
- Completely cut off communications and remove an attacker from the IT environment.
- Learn from incidents and harden the environment to prevent similar attacks.
- Simplify and streamline policy management to keep endpoints in a “known good” state at all times.
Getting smarter about security
One of the most important factors to look for in a threat hunting solution is the ability to use correlation and statistical analysis to better understand whether a particular event is notable and interesting versus “just another alert.” That’s possible only when a system can enrich data telemetry in real time, at scale and in a constantly changing situation.
Every log source, every piece of telemetry, every bit of endpoint metadata and traffic flow that can be aggregated tells a different piece of the story. No threat actor can get into an organization’s environment and be completely invisible. It’s just a matter of whether the threat hunters are leveraging the right data.
Historically, security monitoring and threat hunting can be hindered by lots of noise if security systems are not tuned or not looking for the appropriate baseline. How can hunters know if something is out of place if they don’t understand what it should look like?
This illustrates the importance of having relevant, high-confidence, threat intelligence and the need to follow the right feeds. The keys factors are to have trusted, dynamic sources of data and the ability to tune and filter the data to lessen not only the false positives but also the false negatives.
Once an organization has complete visibility in real time, it can start building an effective threat hunting strategy.
Because attackers are smart, especially the sophisticated ones who can change their behavior on the fly, hunters must be even smarter. That means using a combination of experience, knowledge and technology tools that give hunters the ultimate edge.
Ready to close gaps and shut down cyberattacks? Learn more about Tanium’s approach to threat hunting.