Back in the days of the Cold War, and I believe that it is still the
case now, the military doctrine of the United States has always been to take a
defensive role. Meaning that it will never
invade another country unless US interests are at stake, or American lives are
in danger.
This is the same with nuclear weapons. Back then, we
would not have fired off a volley of Minuteman and Trident missiles unless the Russians
had launched first. This same line of
thinking has also taken root in the world of Cybersecurity.
Many companies are taking a defensive posture, which is a
good thing. This simply means that they
have a line of defense that is circling their business, and if they are hit by
a Cyberattacker, well, there is some defense that will last for a little while. In fact, this line of posturing has probably
led Corporate America into its current way of thinking: “Well, if I have
never been hit before, I probably will never be”.
Unfortunately, this is far from the truth. Those companies that say that very same thing are
the ones that are going to be hit next.
They are simply admitting that they have just the bare minimum in place to
protect themselves, and letting the Cyberattacker know it.
As I have written about many times before, we have to take a
proactive Cyber stance, especially with the dynamics that we are dealing with
in the world today.
Taking a proactive stance does not mean you have to invest
in every bit of the latest security technology that is out there, but that you
simply take much more of the common sense steps to maintain a good level of
Cyber Hygiene at the place of your business.
Taking on this kind of mindset does not happen overnight; it
can take a very long time and is often led from the top down to the very
bottom. In the end, it takes both the human
and technological factors to make this into a reality.
So speaking of which, the human factor . . . this is the Threat
Hunter. Essentially, these are the groups
of individuals that take all of the intel and information and data that they
can get their hands on, and from there, formulate predictions as to what the future
threat landscape could potentially look like.
More specifically, they have three tasks in mind that they have to accomplish:
*Identify the various patterns of unusual behavior;
*Hunt down any threat variants that match the criteria for
the above;
*Help the IT Security team build up the arsenal to fend those
threats off.
It is important to note that with the last bullet, once
again, this does not mean that the vCISO or CISO
has an open budget and can buy willy-nilly.
Rather, the existing security tools that are in place can be used even
further, assuming that they are placed strategically.
So, this is where having a great Threat Hunter comes into
play. It takes a person with a combination
of the following skills:
*Great analytical mind;
*The ability to communicate effectively.
To be honest, the first characteristic is more of a subjective
one. You do not have to hire a PhD rocket
scientist, but you do need to find somebody that is very keenly aware of the
environment around them, is very observant, and can take a macro view of the world
and break it down into its individual components.
And perhaps even more so than the first trait, you want somebody who is
not afraid to communicate with the others in the IT Security team to let their
insights be known.
But most importantly, the vCISO or the CISO also needs to
take the time to listen to their Threat Hunting team. In short, it is not easy to find this kind of
person, and it can take quite a bit of recruiting . . . after all, you want
somebody that you can trust as well. In
some ways, it is even more complex than becoming a forensics investigator.
Now, although these are highly valued individuals to have on
your team, Corporate America has unfortunately been very slow in welcoming
them on board. Probably the reason for
this is that Threat Hunters are often viewed as living in their own worlds,
working in a dark room and wearing that infamous hoodie.
While they may be introverts by nature, there is nothing wrong
with that. You don’t have to go out with
them every night and go drinking, but the IT Security team must embrace them
enough so that they feel part of the team.
Also, the notion of Threat Hunters and Threat Hunting is
still new to many companies. The world
of Cybersecurity is still filled with images of Pen Testers, people sitting in
large SOCs with 12 computer screens in front of them, and global espionage.
Well, it is now time to get rid of those thoughts and fill
them with how great you can make your IT Security team by adding in a few Threat
Hunters as well. To be brutally honest,
one of my clients does have a SOC. But
they only have three people on the team, located in a shared office space.
Also, there is this myth now that with the emergence of AI
and ML, they can take over the role of Threat Hunting. While it is true that they can make great
assets when it comes to automation, you still need the human touch in order to
draw the final conclusions. Also keep in mind that with these tools, it is merely “garbage
in, garbage out”.
What you get out is only as good as what you put into the system. This is where data optimization comes into play,
and this is where the human factor comes into play.
My Thoughts On This:
Remember that in the end, successful Threat Hunting must
have an objective, and an end goal. You simply
cannot tell your Threat Hunters to just go at it. If you are just starting out with a new team
of Threat Hunters, try this simple model first:
*Create a hypothesis as to how a Cyberattacker can break into
your lines of defense, based on what has happened in the past;
*Establish the goal to be accomplished (such as how
to remediate the first step);
*Run any new intel/information/data through your automated
tools to see if both the objectives and the end goals have been met.
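The three steps above, carried through as an added example (this is illustrative code written for this post, not a tool the author describes). The hypothesis, the goal and the minimum evidence needed to confirm it are written down as data, the hunt is run over a handful of constructed authentication log lines (not from any real system), and the result says plainly whether the hypothesis was confirmed. A second, stricter hunt is included to show the case the next paragraph mentions, where the evidence and the expectation do not mesh. The log format and the threshold values are assumptions chosen for the example.

```python
"""Hypothesis-driven hunt over constructed authentication logs (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system):
# timestamp, user, source IP, outcome
SAMPLE_LOGS = """\
2024-03-01T08:00:01 alice 10.0.0.5 SUCCESS
2024-03-01T08:05:12 bob 10.0.0.9 SUCCESS
2024-03-01T22:10:01 carol 203.0.113.7 FAILURE
2024-03-01T22:10:04 carol 203.0.113.7 FAILURE
2024-03-01T22:10:07 carol 203.0.113.7 FAILURE
2024-03-01T22:10:10 carol 203.0.113.7 FAILURE
2024-03-01T22:10:13 carol 203.0.113.7 FAILURE
2024-03-01T22:10:19 carol 203.0.113.7 SUCCESS
2024-03-01T23:00:00 dave 10.0.0.12 FAILURE
2024-03-01T23:30:00 dave 10.0.0.12 SUCCESS
"""


@dataclass
class Hunt:
    """Step 1 and step 2 of the model: the hypothesis, the goal, and what counts as evidence."""
    hypothesis: str
    goal: str
    min_failures: int      # how many failures must precede a success
    window: timedelta      # ...within this much time, from the same user/IP pair


# Hypothesis grounded in "what has happened in the past": password guessing that eventually succeeds.
HUNT = Hunt(
    hypothesis="An attacker guesses passwords and eventually logs in from the same source",
    goal="Find user/IP pairs to review and force a credential reset where confirmed",
    min_failures=3,
    window=timedelta(minutes=2),
)

# A stricter variant: the same hypothesis, but demanding more evidence than the data holds.
STRICT_HUNT = Hunt(
    hypothesis=HUNT.hypothesis,
    goal=HUNT.goal,
    min_failures=10,
    window=timedelta(minutes=2),
)


def parse_logs(text):
    """Turn the whitespace-separated log lines into (timestamp, user, ip, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, outcome = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, outcome))
    return events


def find_matches(events, hunt):
    """Return (user, ip, failure_count) for every success preceded by enough recent failures."""
    by_key = defaultdict(list)
    for ts, user, ip, outcome in sorted(events):
        by_key[(user, ip)].append((ts, outcome))

    matches = []
    for (user, ip), seq in by_key.items():
        recent_failures = []
        for ts, outcome in seq:
            # Forget failures that fell out of the sliding window.
            recent_failures = [t for t in recent_failures if ts - t <= hunt.window]
            if outcome == "FAILURE":
                recent_failures.append(ts)
            elif outcome == "SUCCESS" and len(recent_failures) >= hunt.min_failures:
                matches.append((user, ip, len(recent_failures)))
                recent_failures = []
    return matches


def run_hunt(text, hunt):
    """Step 3 of the model: run the data through the check and report against the stated goal."""
    events = parse_logs(text)
    matches = find_matches(events, hunt)
    return {
        "hypothesis": hunt.hypothesis,
        "goal": hunt.goal,
        "events_reviewed": len(events),
        "confirmed": bool(matches),
        "matches": matches,
    }


if __name__ == "__main__":
    for h in (HUNT, STRICT_HUNT):
        result = run_hunt(SAMPLE_LOGS, h)
        print(f"{result['hypothesis']!r}: confirmed={result['confirmed']} matches={result['matches']}")
```

Only carol's burst of five failures followed by a success inside the two-minute window confirms the first hunt; dave's single failure half an hour before his login does not. The stricter hunt over the same lines comes back unconfirmed, which is exactly the situation the team has to report back on honestly rather than quietly loosening the threshold until something matches.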
There will be times where these two do not mesh, and there
will also be times where your expectations have been far surpassed. But if you are the Threat Hunter, always be open and
honest with the IT Security team as to what is working and what is not. As much as you want to be a part of their
world, they need to be a part of yours as well.