Sunday, September 4, 2022

The 3 Golden Keys To A Successful Threat Hunt

 


Back in the days of the Cold War, and I believe that it is still the case now, the military doctrine of the United States has always been to take a defensive role.  Meaning, it will not invade another country unless US interests are at stake or American lives are in danger. 

The same was true of nuclear weapons. Back then, we would not have fired off a volley of Minuteman and Trident missiles unless the Russians had launched first.  This same line of thinking has also come to fruition in the world of Cybersecurity. 

Many companies are taking a defensive posture, which is a good thing.  This simply means that they have a line of defense circling their business, and if they are hit by a Cyberattacker, well, there is some defense that will hold for a little while.  In fact, this line of posturing has probably led Corporate America into its current way of thinking: “Well, if I have never been hit before, I probably never will be”.

Unfortunately, this is far from the truth.  The companies that say that very same thing are the ones that are going to be hit next.  They are simply admitting that they have just the bare minimum in place to protect themselves, and letting the Cyberattacker know it. 

As I have written about many times before, we have to take a proactive Cyber stance, especially with the dynamics that we are dealing with in the world today.

Taking a proactive stance does not mean you have to invest in every bit of the latest security technology that is out there, but that you simply take the common-sense steps to maintain a good level of Cyber Hygiene at your place of business. 

Taking on this kind of mindset does not happen overnight; it can take a very long time, and it is often led from the top down to the very bottom.  In the end, it takes both the human and technological factors to make this into a reality.

So speaking of which, the human factor . . . this is the Threat Hunter.  Essentially, these are the individuals who take all of the intel, information and data they can get their hands on, and from there formulate predictions as to what the future threat landscape could potentially look like.  More specifically, they have three tasks that they have to accomplish:

*Identifying the various patterns of unusual behavior;

*Hunt down any threat variants that match the criteria for the above;

*Help the IT Security team build up the arsenal to fend those threats off. 

It is important to note that the last bullet, once again, does not mean that the vCISO or CISO has an open budget and can buy willy-nilly.  Rather, the existing security tools that are already in place can be used even further, assuming that they are placed strategically.

So, this is where having a great Threat Hunter comes into play.  It takes a person with a combination of the following skills:

*Great analytical mind;

*The ability to communicate effectively.

To be honest, the first characteristic is more of a subjective one.   You do not have to hire a PhD rocket scientist, but you do need to find somebody who is keenly aware of the environment around them, is very observant, and can take a macro view of the world and break it down into its individual components.  And perhaps even more so than the first trait, you want somebody who is not afraid to communicate with the others on the IT Security team to let their insights be known. 

But most importantly, the vCISO or the CISO also needs to take the time to listen to their Threat Hunting team.  In short, it is not easy to find this kind of person, and it can take quite a bit of recruiting . . . after all, you want somebody that you can trust as well.  In some ways, it is even more complex than finding a forensics investigator. 

Although these are highly valued individuals to have on your team, Corporate America has unfortunately been very slow in welcoming them on board.   Probably the reason for this is that Threat Hunters are often viewed as living in their own worlds, working in a dark room and wearing that infamous hoodie. 

While they may be introverts by nature, there is nothing wrong with that.  You don’t have to go out with them every night and go drinking, but the IT Security team must embrace them enough so that they feel part of the team.

Also, the notion of Threat Hunters and Threat Hunting is still new to many companies.  The world of Cybersecurity is still filled with images of Pen Testers, people sitting in large SOCs with 12 computer screens in front of them, and global espionage. 

Well, it is now time to get rid of those thoughts and replace them with how much better you can make your IT Security team by adding in a few Threat Hunters as well.  To be brutally honest, one of my clients does have a SOC.  But they only have three people on the team, located in a shared office space.

Also, there is this myth now that with the emergence of AI and ML, they can take over the role of Threat Hunting.  While it is true that they can be great assets when it comes to automation, you still need the human touch in order to draw the final conclusions. Also keep in mind that with these tools, it is merely “garbage in, garbage out”. 

What you get out is only as good as what you put into the system.  This is where data optimization comes into play, and this is where the human factor comes into play as well.

My Thoughts On This:

Remember that in the end, successful Threat Hunting must have an objective, and an end goal.  You simply cannot tell your Threat Hunters to just go at it.  If you are just starting out with a new team of Threat Hunters, try this simple model first:

*Create a hypothesis as to how a Cyberattacker could break through your lines of defense, based on what has happened in the past;

*Establish the goal to be accomplished (such as how to remediate the weakness identified in the first step);

*Run any new intel/information/data through your automated tools to see if both the objective and the end goal have been met.
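As an added illustration of the three-step model above, here is a small Python hunt written for this post (it is example code, not the author's or any vendor's tool). The hypothesis (a password-guessing attacker will produce many failed SSH logins from one source IP in a short window, followed by a successful login from that same IP), the threshold of five failures in a sixty-second window, the sshd log format and the remediation text are all assumptions made for the example; the log lines are constructed, not taken from any real system. The goal is a list of matching source IPs and accounts that the IT Security team can act on. Unparsed lines are counted rather than silently dropped, which is the "garbage in, garbage out" point: the hunter needs to know how much of the input could not be used before trusting the result.

```python
"""Hypothesis-driven threat hunt over constructed sshd log lines (example code).

Hypothesis (assumed for this example): a password-guessing attacker produces
>= THRESHOLD failed SSH logins from one source IP inside WINDOW_SECONDS, then
an "Accepted" login from that same IP (a guessed credential).
Goal: report the (ip, user) pairs that match, with a remediation hint.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample data: a normal key login, a brute-force against "admin"
# that eventually succeeds, one garbage line, and a user who mistyped once.
SAMPLE_LOG = """\
2022-09-04T10:00:01 sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2
2022-09-04T10:01:10 sshd[1202]: Failed password for admin from 203.0.113.7 port 41000 ssh2
2022-09-04T10:01:11 sshd[1203]: Failed password for admin from 203.0.113.7 port 41001 ssh2
2022-09-04T10:01:12 sshd[1204]: Failed password for admin from 203.0.113.7 port 41002 ssh2
this line is garbage and cannot be parsed
2022-09-04T10:01:13 sshd[1205]: Failed password for admin from 203.0.113.7 port 41003 ssh2
2022-09-04T10:01:14 sshd[1206]: Failed password for admin from 203.0.113.7 port 41004 ssh2
2022-09-04T10:01:20 sshd[1207]: Accepted password for admin from 203.0.113.7 port 41005 ssh2
2022-09-04T10:05:00 sshd[1208]: Failed password for bob from 10.0.0.9 port 50200 ssh2
2022-09-04T10:05:30 sshd[1209]: Accepted password for bob from 10.0.0.9 port 50201 ssh2
"""

# Assumed log format: "<ISO timestamp> sshd[pid]: Accepted|Failed <method> for [invalid user ]<user> from <ip> port <n> ssh2"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) "
    r"(?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

THRESHOLD = 5        # failures needed before a success counts as suspicious
WINDOW_SECONDS = 60  # how far back from the success we count failures


def parse_events(text):
    """Turn log text into (timestamp, result, user, ip) tuples.
    Returns (events, unparsed_count): garbage lines are counted, not hidden,
    so the hunter can judge how much of the input was unusable."""
    events, unparsed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        ts = datetime.fromisoformat(m.group("ts"))
        events.append((ts, m.group("result"), m.group("user"), m.group("ip")))
    return events, unparsed


def hunt_bruteforce_then_success(events, threshold=THRESHOLD, window_seconds=WINDOW_SECONDS):
    """Test the hypothesis: for each successful login, count failures from the
    same IP within the window before it; report if they reach the threshold."""
    failures = defaultdict(list)  # ip -> timestamps of failed logins
    findings, reported = [], set()
    for ts, result, user, ip in sorted(events, key=lambda e: e[0]):
        if result == "Failed":
            failures[ip].append(ts)
            continue
        recent = [t for t in failures[ip] if 0 <= (ts - t).total_seconds() <= window_seconds]
        if len(recent) >= threshold and (ip, user) not in reported:
            reported.add((ip, user))
            findings.append({
                "ip": ip,
                "user": user,
                "failures_before_success": len(recent),
                "success_at": ts.isoformat(),
                # Remediation hint is an assumption for the example
                "remediation": "block the source IP, reset the account, require key or MFA auth",
            })
    return findings


def run_hunt(text, threshold=THRESHOLD, window_seconds=WINDOW_SECONDS):
    """Step 3 of the model: run the data through the automated check and
    report whether the hypothesis was confirmed, plus data-quality counts."""
    events, unparsed = parse_events(text)
    findings = hunt_bruteforce_then_success(events, threshold, window_seconds)
    return {"events": len(events), "unparsed": unparsed, "findings": findings}


if __name__ == "__main__":
    report = run_hunt(SAMPLE_LOG)
    print(f"parsed {report['events']} events, {report['unparsed']} unparsed line(s)")
    for f in report["findings"]:
        print(f"HYPOTHESIS CONFIRMED: {f['ip']} -> {f['user']} "
              f"after {f['failures_before_success']} failures; {f['remediation']}")
    if not report["findings"]:
        print("hypothesis not confirmed in this data set")
```

Run against the constructed sample, it confirms the hypothesis for 203.0.113.7 against the admin account and ignores bob's single mistyped password; raising the threshold to six makes the same data come back clean, which is the kind of "expectations not meshing" result the next paragraph talks about and is worth reporting honestly rather than tuning away.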

There will be times when the objective and the end goal do not mesh, and there will also be times when your expectations are far surpassed.  But as the Threat Hunter, always be open and honest with the IT Security team as to what is working and what is not.  As much as you want to be a part of their world, they need to be a part of yours as well.
