Every industry is susceptible to data breaches and malicious cyber attacks. Large enterprises have a greater risk of costly attacks, due to their size and complexity. For example, financial institutions are trusted to be custodians of private financial information, including tax and account related details, while security teams in the healthcare industry have to secure new patient records by the minute, alongside keeping and maintaining the security of the medical devices actively servicing their patients.
Vulnerable entry points are consistently targeted from all angles, and at times, it may seem impossible for an enterprise with multiple end points to protect itself successfully. Few security teams have the staffing and resources to anticipate and pre-empt attacks on their own.
What is Threat Hunting?
In 2018, over 446 million records were exposed and over 1,200 data breaches occurred in the United States. With both figures trending upward, an attack on an organization is not a matter of “if” but “when.” The rise in annual data breaches requires CISOs and security operations teams to actively monitor for threats and combat them before damage occurs. The proactive investigation and search for threats in an environment, based on a predetermined hypothesis, is known as threat hunting.
These hypotheses are based on information specific to the business, as well as the threats the industry faces. For instance, in the healthcare industry, CISOs and security managers are aware that threats exist around confidential patient records as well as social security numbers. As such, security teams need to understand where their most vulnerable data is and where attackers are likely to focus their cyber attacks. Once healthcare organizations know where their sensitive data is and how attackers can reach it, they can use threat hunting to look for signs of attackers trying to get into their environment. This works across industries: advancements in cybersecurity technology enable security teams to assess the risk surrounding threats and determine preventative measures in an automated manner.
Types of Threat Hunting
Security teams can leverage three general threat hunting approaches in order to detect malicious attacks. They include:
Hypothesis-Driven Hunting
Hypotheses can be built by studying the general behavior of previous attackers in similar environments, in order to anticipate and pre-empt future attacks in one’s own environment, using one’s own data.
Hunting Using Known Intelligence
Threat hunting using known intelligence focuses on how attackers have compromised specific organizations in similar verticals, or organizations that use the same technologies. This includes leveraging data from past attacks on common artifacts, such as IP addresses, domains, and file hashes, to predict possible data breaches within an organization.
Baselining the Environment
The final type of threat hunting uses security benchmarks in an enterprise’s own environment to understand normal and abnormal behavior. Using these baselines makes identifying abnormal behavior faster, more objective and more actionable. It’s important to note that baselining an environment doesn’t mean having to do so across an entire enterprise. Organizations that focus on smaller subsets of an environment, such as a specific network segment, application or user group, are more likely to be successful when conducting baselining hunts.
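As an added illustration of the known-intelligence and baselining approaches above (example code, not from the original article or from ReliaQuest), the script below runs a small hunt over constructed log events: it matches events against a placeholder indicator set, and it baselines outbound volume per user for one network segment only, flagging users whose hunt-day volume spikes past the baseline or who never appeared in it. The indicator values, the `10.20.` segment prefix and the 10% noise floor on the spread are all assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events: (day, src_ip, user, dest, outbound_bytes).
# Days d1-d3 form the baseline; d4 is the day being hunted.
EVENTS = [
    ("d1", "10.20.0.5", "alice", "intranet.example", 1000),
    ("d2", "10.20.0.5", "alice", "intranet.example", 1100),
    ("d3", "10.20.0.5", "alice", "intranet.example", 900),
    ("d4", "10.20.0.5", "alice", "intranet.example", 1050),
    ("d1", "10.20.0.9", "bob", "intranet.example", 2000),
    ("d2", "10.20.0.9", "bob", "intranet.example", 2100),
    ("d3", "10.20.0.9", "bob", "intranet.example", 1900),
    ("d4", "10.20.0.9", "bob", "files.example", 90000),      # constructed spike
    ("d4", "10.20.0.12", "carol", "intranet.example", 500),  # not in baseline
    ("d4", "10.30.0.4", "dave", "bad.example", 300),         # other segment, IOC hit
]

# Constructed indicator set (placeholder values, not real intelligence).
IOC_DOMAINS = {"bad.example"}
IOC_IPS = {"203.0.113.7"}
SEGMENT = "10.20."             # assumed: baselining hunt is scoped to one segment
BASELINE_DAYS = {"d1", "d2", "d3"}

def intel_hits(events):
    """Known-intelligence hunt: events whose destination or source matches an IOC."""
    return [e for e in events if e[3] in IOC_DOMAINS or e[1] in IOC_IPS]

def build_baseline(events):
    """Per-user mean and spread of daily outbound bytes inside SEGMENT."""
    per_user = defaultdict(list)
    for day, ip, user, _, nbytes in events:
        if day in BASELINE_DAYS and ip.startswith(SEGMENT):
            per_user[user].append(nbytes)
    # Assumed noise floor: spread is never below 10% of the mean, so a flat
    # baseline still needs a real increase to trigger a finding.
    return {u: (mean(v), max(pstdev(v), 0.1 * mean(v))) for u, v in per_user.items()}

def baseline_hunt(events, hunt_day, z=3.0):
    """Flag SEGMENT users whose hunt-day volume exceeds mean + z*spread, or who are unseen."""
    base = build_baseline(events)
    totals = defaultdict(int)
    for day, ip, user, _, nbytes in events:
        if day == hunt_day and ip.startswith(SEGMENT):
            totals[user] += nbytes
    findings = {}
    for user, total in totals.items():
        if user not in base:
            findings[user] = "not in baseline"
        elif total > base[user][0] + z * base[user][1]:
            findings[user] = "volume spike"
    return findings
```

Note that the segment scoping means dave’s event is surfaced only by the intelligence match, which is the point of running more than one approach over the same data.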
It is important to note that no matter how many of these approaches an organization leverages, to be truly effective they require data inputs from every available source. However, gaining visibility is a major challenge in its own right. Enterprises that have acquired an extensive portfolio of security technologies — such as SIEM, EDR, and UEBA — have many disparate data sources, without the ability to integrate and coordinate insights across them. By contrast, organizations that have outsourced part of their environment to an MSSP or MDR provider may be given digested data in a report, but without full visibility into the entire history of, or context for, that data.
Keys to Effective Threat Hunting
Once they’ve identified their approaches to threat hunting, enterprises must put in place a repeatable, scalable foundation for execution. Technology must be at the core of that foundation, since the growth in vulnerabilities has put effective response beyond the reach of manual intervention alone. The top three keys to effective threat hunting are:
Stitching Together Disparate Security Technologies
Impactful threat hunting tools must be able to synthesize data points from across enterprises’ increasingly complex cybersecurity technology stacks. This is no small feat, as many of the solutions operate in silos or provide partial visibility. At the same time, it is not feasible for security teams to pursue a “boil the ocean” strategy of building a massive (and expensive) data lake to serve as a single repository for their security data. The desired outcome is the ability to pull data from across disparate technologies, on-demand, when specific use cases demand it.
Delivering Actionable Insights
Of course, connecting technologies is of limited value without the ability to monitor and measure a security environment in a unified manner. Powerful analytics are needed that align with an enterprise’s security vital signs – including dashboards that capture the right metrics and enable drill-down capabilities to further investigate potential threats. The ability to “slice and dice” those metrics ensures that different team members and different levels of the enterprise are able to gain the insights they need.
These vital signs will depend on the organization and industry, but often include measures at both a macro and a micro level, so that trends at both levels can be easily identified and prioritized. The macro level includes metrics and insights such as the overall visibility level across the enterprise, technology effectiveness and team performance. The micro level includes much more specific detail, such as the internal or external IP associated with the most alerts, the top IDS signatures fired for different network zones, and other specifics related to potential threats affecting an environment.
Automated Response for Greater Speed and Effectiveness
Threat hunting tools with automation employ machine learning and other capabilities to tee up real-time responses to potential security threats. This library of interventions should be based on industry best practice as well as intelligence specific to an enterprise’s environment. As a result, security teams can identify and contain threats as they are occurring, reducing the costs and severity of cyber attacks.
Automated Threat Hunting With ReliaQuest’s GreyMatter Solution
ReliaQuest offers the capability of automated threat hunting as part of its platform for proactive security model management, GreyMatter.
Acting as a force multiplier to an organization’s existing cybersecurity investments, GreyMatter integrates disparate technologies to provide a unified and actionable view that fills the gaps in enterprise security programs. GreyMatter uses a combination of machine learning and human analysis to advance strategic initiatives and address daily threats. With GreyMatter implemented into the security model, security operations teams can focus on increasing the speed and effectiveness of their threat detection and response.
GreyMatter takes a comprehensive approach to threat detection by organizing, integrating, and applying threat intelligence from multiple sources directly in the environment, with a focus on baselining environments on a regular basis. This technology can empower security teams to tailor threat intelligence feeds to a specific threat landscape, industry, and environment.
The result is faster, more precise threat detection and remediation as well as improved efficiency and reliability across security programs. GreyMatter improves threat detection capabilities by 400% in the first 90 days of on-boarding. This allows security operations teams to focus on strategic initiatives rather than containing or mitigating daily threats.
Contact ReliaQuest to see how automated threat hunting can grant your company the visibility it needs to comprehensively defend against cyber security threats before they can inflict damage on your operations.