Hackers are getting more elusive. Your company creates and implements a comprehensive cybersecurity plan using a multilayered approach.  You have the latest firewall that is right fitted for your enterprise.  You are using the latest email and internet filtering technologies and all of your machines are protected by a well-respected endpoint security application. 

And yet, your organization falls victim to another attack.  The old adage that, “The best defense is a good offense,” has been in practice within military operations for centuries and was adapted into sports strategies such as boxing in the 20th century.  In martial arts they use the phrase, “The hand which strikes also blocks” that goes along with the same line of thinking.  However you phrase it, it is apparent that cybersecurity strategies need to begin incorporating a more offensive mindset as well.

threat hunting

Cybersecurity’s Traditional Passive Reliance on Alerts

Too often, organizations depend on cybersecurity alerts in order to detect attacks.  However, awaiting an alert to act upon will always have the team in a reactive mode, which can significantly burden your resources.  According to the 2020 Mandiant Security Effectiveness Report, the perception that implemented security controls are continually alerting, preventing and blocking attacks is a fallacy.    The report indicates:

  • Alerts are only generated for 9% of attacks
  • Only 26% of attacks are detected
  • Only 33% of attacks are prevented
  • Roughly 53% of attacks are missed

The fact that alerts are not doing a suitable job of attack notification isn’t due to a lack of alerts.  In fact, to the contrary, IT and security personnel are inundated with cybersecurity event alerts.  According to Cisco’s 2020 CISO Benchmark Report, 41 percent of organizations get more than 10,000 alerts a day.  This leads to alert fatigue as there simply isn’t enough time to pursue all of them down the rabbit trail. 

The Issue of Dwell Time

So how long do attackers reside within a network once they breach the perimeter.  That time duration is referred to as dwell time.  It is the length of time in which an attacker can roam freely within a compromised network before being eradicated.  In a survey conducted last year, 64% of respondents indicated that 100 days of dwell time seemed accurate or was too low.  According to Microsoft, an attacker resides within a compromised network a median of 146 days before being discovered.  That is ample enough time to perform asset reconnaissance and successfully exfiltrate proprietary and sensitive data.  In the case of an actual data breach, the mean-time-to-detect alone averages 207 days.  A recent example of this is the infamous breach of the U.S. Treasury and Commerce departments late last year.  In this case, the Russian backed hackers quietly worked undetected for over seven months before finally being noticed.  Cybersecurity experts have yet to determine the extent of the damage inflicted during that time.

Dwell times are increasing because attackers have become more patient.  In the case of highly organized hacking groups, their malicious efforts are often objective driven rather than opportunistic.  Rather than perform a series of assaults in quick succession, hackers are turning to a low-and-slow approach, carefully studying their prey in a manner that doesn’t announce their presence. 

 

cyber hunt server

 

So what is Threat Hunting?

Cyber threat hunting is a proactive approach that searches out the presence and activity of attackers who have managed to evade existing security solutions.  Quite simply, threat hunting is about finding the unknown.  The highly skilled professionals that perform these tasks are known as threat hunters.  Threat hunting involves a game in which the hunter becomes the hunted.  The objectives of these hunts includes searching and removing malware, detecting unknown vulnerabilities and risks as well as uncovering existing threats in order to eradicate them  before an actual attack can occur.  Threat hunting solely focuses on Advanced Persistent Threats (APT) rather than known or generic threats. 

Threat hunters utilize advanced toolsets, threat intelligence and analytics to aid them in the discovery process.  They look for “indicators of compromise” (IoCs) residing within the network or machine devices.  These forensic artifacts can be traffic abnormalities or changes within file or registry systems.  Threat hunters carefully monitor attempted logins of privileged accounts and critical servers.  

Threat hunting is by no means an ad-hoc methodology.  It uses a highly structured approach similar to the scientific method in which the hunters start out with the formation of a hypothesis concerning a suspected threat or attack technique.  They then perform data gathering and analysis in order to substantiate the hypothesis and define a strategy to begin the hunt.  Discovered anomalies are pursued and investigated.  At some point, the hypothesis is either dismissed or confirmed, at which point the team will follow the guidelines set out by the company’s incident response plan (IRP)

threat hunting

Hunting Season is Year Round

Unlike traditional outdoor hunting, cyber threat hunting is a year-round activity.  Hunting down active threats and attackers is always in season. 

HALOCK can engage you with a team of highly trained professionals and help design a strategy to supplement your current cybersecurity efforts.  Let us help you ensure that the only ones being hunted within your enterprise, are the possible would be attackers themselves. Minimize risk with active threat management.

HALOCK Breach Bulletins
Recent data breaches to understand common threats and attacks that may impact you – featuring description, indicators of compromise (IoC), containment, and prevention.

Contact Us