Both government and commercial organizations have traditionally taken a reactive approach to cybersecurity through continuous monitoring of intrusion detection and prevention systems and monitoring of cyber alert systems such as Security Information and Event Management (SIEM) systems. Although powerful, these tools can leave cyber professionals and the organizations they are defending with a false sense of security and, consequently, they can also potentially leave their networks in a vulnerable state.
Cyber adversaries are relentless, and they’re continually evolving to overcome the latest in defensive tools and tactics. To maintain the balance in this non-kinetic arms race and maintain a positive and proactive security program, those targeted by these adversaries must also be agile and learn to evolve.
So, what’s the next step that should be taken to stay ahead of these cyber adversaries? We recommend "Cyber Threat Hunting" – a proactive approach to finding vulnerabilities and threat actors on your network that may not always be found by traditional monitoring and alert tools. In short, hunting is a way of thinking and acting – assuming that the bad guys are already on our networks, then actively seeking them out and taking action to remove them from the network.
For organizations already doing the basics, such as perimeter defense and monitoring within the network and at the periphery, looking to begin a hunting program is the next step. Here are some of the obstacles they may face, as well as considerations and recommendations for each:
- Although powerful, cyber threat hunting is both time and labor intensive. In addition to a team of cyber experts needed to collect data and monitor the cyber alert tools, organizations that wish to hunt will also need a dedicated team of hunters. Hunters will need to be properly trained and should also be intimately familiar with the network. Acquiring and retaining personnel with the strong investigative skills required (and in government – security clearances and certifications) and innate curiosity can be difficult. Additionally, hunting on your network does not mean that each mission will be successful. Your hunters may go days, weeks, or even months without finding any activity. Depending on the size of the organization and its budget, the per year operational cost of a hunt team may put it out of reach for many organizations.
- Evaluate and assess to manage and prioritize your hunt. Regardless of network size, hunting can be daunting for the inexperienced hunter or the manager overseeing a team. Before you begin, evaluate and assess your network, systems and assets, and work with the appropriate stakeholders and management to assign a value to everything on your network. Performing hunt operations in places with data that isn’t important to your organization is a poor allocation of valuable resources. Instead, direct your hunters to the data you value the most and expand from there. To do that, you first need to know what’s valuable and where it’s located. Organizations should conduct a self-assessment to determine where hunting operations or campaigns should begin, based on a thorough understanding of risks, assets and value of the data and assets. The decision on where to hunt could be influenced by such factors as C&A/A&A documentation (for government systems) or mission critical systems, defined either by the organization’s leadership, users or customers. For example, hospital staff may rely on system A to track insurance claims and billing; patients may rely on life support that is on system B; and doctors may use system C to track patients from triage to discharge. In that scenario, senior leadership may decide the preservation of human life is of paramount importance and the organization then aligns cyber measures including hunt operations to protect System B.
- Collect, organize and use the data. Just as a big game hunter analyzes the topography and terrain before the actual hunt, organizations should collect, compile and analyze the data in their specific context to understand dependencies, relationships, trends and to identify anomalies. By reviewing network topologies, documentation, netflows, diagrams and engineering change requests – everything that is part of a NetOps or SecOps operation – hunters will gain a holistic and comprehensive view of how everything works in concert. This information should be fed into a knowledge management system to capture lessons learned, campaign schedules, scheduled changes to the network and other information that needs to be shared among the team — that information can then be used to better tune automated detection and prevention tools and support continuous monitoring efforts. In short, you have to have a baseline of data so you can recognize anomalies.
- Learn from your data. Gathering and recording your data, as well as the actions taken and the consequent results of those actions, is critical to long-term improvement. As hunts start to unmask previously unknown threats and remove them from your systems and network, it is critical organizations learn from those hunts. In addition to teaching fellow hunters in your organization the methods you used that were successful, you can also gain insight to what future attacks and threats may look like to better guard your organization against them.
- Question everything. With the rise of automation and use of continuous monitoring tools, many organizations may be inclined to trust the tools that are supposed to be monitoring their network. However, it’s important to trust, but verify. If you are not checking up on your enterprise tools to see if they’re missing important information, you may not be getting the complete picture. Tools or logs can be tampered with by a hacker, leaving you without a way of knowing something happened or reconstructing it after the fact. Cyber hunting can’t eliminate the possibility of such actions, but it can force you to look at your network in a different way that may illuminate unknown problems. A cyber hunter should question everything.
- Know your data limits. While it may be tempting to take on as much data as you can get your hands on, you may not need it. Recognize that as you sift around looking for that virtual needle in the haystack, as you increase your dataset, you will also increase the time you’re on the current mission. Because not every mission will yield results, you need to judiciously balance the time your team spends on a mission and weigh that against the likelihood of both exploitation and impact to operations. This may require you to create tools that can sift, parse, normalize or flag data for your team.
- Don’t forget the basics. Many organizations are quick to spend money on the latest and greatest in technology – especially if they come with claims to make them more secure or make things easier. And while that may be true for some on the upper right of the Gartner quadrant, it’s important to make sure you don’t forget to take some of the most rudimentary steps to keep your organization secure. From patching to password policies, make sure you haven’t gone through expensive lengths to secure your entire house while leaving the front door wide open. Every strategic step your organization takes to improve its security makes your hunt missions less insurmountable.
- Understand that hunting is not the silver bullet. Although powerful, hunting is not your final cyber solution. It’s just another reasonable step towards reducing the impact your organization incurs if it is successfully attacked by cyber adversaries. Each hunt is narrowly focused and resource intensive, so it’s imperative to combine it with your other cyber tools to give your organization the best defensive stance possible. Hunting adds to your layer of defenses by giving you a proactive measure and the ability to respond to certain types of threats, but it’s still only one arrow in the quiver of your security program.
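The "Collect, organize and use the data" and "Know your data limits" points above both come down to the same mechanics: establish a baseline, normalize what comes in, and let a tool flag the deviations so hunters spend their time on the handful of records worth a look. The script below is an added example written for this article, not code from the author or from NetCentrics. It uses constructed, netflow-style records (timestamp, source host, destination port, bytes out); the hosts, the column layout and the "three spreads above the mean" threshold are assumptions made for the example, and it also shows the two edge cases a real feed throws at you: malformed lines and a host whose baseline is perfectly flat.

```python
"""Added example (not from the original article): build a per-host baseline from a
'known good' window of netflow-style records, normalize records from a hunt window,
and flag what deviates. Hosts, columns and thresholds are assumptions."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data, not real traffic. Columns: timestamp,src_host,dst_port,bytes_out
BASELINE_LINES = """
# quiet week used as the baseline
2024-01-08T09:00:00Z,ws-07,443,1000
2024-01-08T10:00:00Z,ws-07,443,1200
2024-01-09T09:00:00Z,ws-07,443,800
2024-01-09T10:00:00Z,ws-07,443,1000
2024-01-08T09:00:00Z,ws-12,443,500
2024-01-08T10:00:00Z,ws-12,443,500
2024-01-09T09:00:00Z,ws-12,443,500
"""

# Constructed hunt window: one host sends far more than usual and talks to a new port,
# one host is unknown to the baseline, and two lines are malformed.
HUNT_LINES = """
2024-01-15T09:00:00Z,WS-07,443,1100
2024-01-15T09:05:00Z,ws-07,443,50000
2024-01-15T09:10:00Z,ws-07,8443,900
2024-01-15T09:00:00Z,ws-12,443,600
2024-01-15T09:00:00Z,ws-99,443,100
this line is garbage
2024-01-15T09:30:00Z,ws-12,443,notanumber
"""


def parse_records(text):
    """Parse and normalize lines; skip blanks, comments and malformed records.
    Returns (records, number_of_skipped_lines) so the skip count is never silent."""
    records, skipped = [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",")
        if len(parts) != 4:
            skipped += 1
            continue
        ts, host, port, nbytes = parts
        try:
            records.append({"ts": ts, "host": host.strip().lower(),  # normalize host names
                            "port": int(port), "bytes": int(nbytes)})
        except ValueError:
            skipped += 1
    return records, skipped


def build_baseline(records):
    """Per host: mean bytes_out, an upper threshold, and the set of ports seen."""
    sizes, ports = defaultdict(list), defaultdict(set)
    for r in records:
        sizes[r["host"]].append(r["bytes"])
        ports[r["host"]].add(r["port"])
    baseline = {}
    for host, values in sizes.items():
        m = mean(values)
        # Floor the spread at 10% of the mean: a perfectly flat baseline (stdev 0)
        # would otherwise flag every record that differs by a single byte.
        spread = max(pstdev(values), 0.1 * m)
        baseline[host] = {"mean": m, "threshold": m + 3 * spread, "ports": ports[host]}
    return baseline


def flag_anomalies(records, baseline):
    """Return (timestamp, host, reason) for every record that deviates from the baseline."""
    findings = []
    for r in records:
        b = baseline.get(r["host"])
        if b is None:
            findings.append((r["ts"], r["host"], "no baseline for host"))
            continue
        if r["port"] not in b["ports"]:
            findings.append((r["ts"], r["host"], f"new destination port {r['port']}"))
        if r["bytes"] > b["threshold"]:
            findings.append((r["ts"], r["host"],
                             f"bytes_out {r['bytes']} exceeds baseline threshold {b['threshold']:.0f}"))
    return findings


def hunt(baseline_text, hunt_text):
    """Full pipeline: parse both windows, baseline the first, flag the second."""
    base_records, _ = parse_records(baseline_text)
    hunt_records, skipped = parse_records(hunt_text)
    return flag_anomalies(hunt_records, build_baseline(base_records)), skipped


if __name__ == "__main__":
    findings, skipped = hunt(BASELINE_LINES, HUNT_LINES)
    print(f"{skipped} malformed record(s) skipped")
    for ts, host, why in findings:
        print(ts, host, why)
```

Three of the five usable hunt records come back flagged (the volume spike, the new port, and the host nobody baselined), and the two malformed lines are counted rather than silently dropped; that count is itself something a hunter should look at, since a feed that suddenly produces unparseable records may be a tool problem or something else. The floor on the spread is the kind of detail the "Know your data limits" bullet is about: without it, ws-12's flat history would make every record from that host a finding and drown the team in noise.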
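The "Question everything" point above warns that logs can be tampered with, leaving you with no way of knowing something happened. One way to make that tampering visible is to chain log entries together with hashes and keep a copy of the newest hash somewhere the logging host cannot reach. The script below is an added example written for this article, not the author's or any product's code; the entry format, the chaining scheme and the sample messages are assumptions made for the example. It shows what a plain hash chain catches (an entry deleted from the middle, an entry rewritten in place) and what it does not catch without an externally anchored head hash (entries cut from the tail, or an attacker who recomputes the whole chain).

```python
"""Added example (not from the original article): a tamper-evident log as a hash chain,
plus verification that reports the first broken link. Format and messages are assumed."""
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the very first entry


def entry_hash(seq, message, prev_hash):
    """Hash of one entry; covers its sequence number, content and the previous hash."""
    data = json.dumps([seq, message, prev_hash], separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def append_entry(chain, message):
    """Append a message to the chain and return the new head hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    seq = len(chain)
    chain.append({"seq": seq, "message": message, "prev_hash": prev,
                  "hash": entry_hash(seq, message, prev)})
    return chain[-1]["hash"]


def verify_chain(chain, anchored_head=None):
    """Walk every link and return (ok, problem). If anchored_head (the newest hash
    copied to a separate system) is given, also check that the tail is intact."""
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["seq"] != i:
            return False, f"sequence gap at position {i} (entry claims seq {e['seq']})"
        if e["prev_hash"] != prev:
            return False, f"broken link at seq {i}"
        if e["hash"] != entry_hash(e["seq"], e["message"], e["prev_hash"]):
            return False, f"entry {i} modified"
        prev = e["hash"]
    if anchored_head is not None and prev != anchored_head:
        return False, "head does not match anchored hash (entries removed from the tail?)"
    return True, None


def demo():
    """Build a small chain, then verify it under several constructed tampering scenarios."""
    chain = []
    for msg in ["login ok user=alice", "sudo by alice", "service sshd restart", "logout user=alice"]:
        head = append_entry(chain, msg)                # 'head' would be stored off-host

    deleted = chain[:2] + chain[3:]                    # entry 2 removed from the middle
    modified = [dict(e) for e in chain]
    modified[1] = dict(modified[1], message="login ok user=alice")  # entry 1 rewritten in place
    truncated = chain[:3]                              # newest entry cut off
    rebuilt = []                                       # attacker drops entry 2 and recomputes every hash
    for e in chain[:2] + chain[3:]:
        append_entry(rebuilt, e["message"])

    return {
        "intact": verify_chain(chain, head),
        "deleted": verify_chain(deleted, head),
        "modified": verify_chain(modified, head),
        "truncated_no_anchor": verify_chain(truncated),      # passes: chain alone can't see this
        "truncated_anchored": verify_chain(truncated, head),  # fails: anchored head catches it
        "rebuilt": verify_chain(rebuilt, head),               # fails only because of the anchor
    }


if __name__ == "__main__":
    for scenario, (ok, problem) in demo().items():
        print(f"{scenario:22s} ok={ok} {problem or ''}")
```

The two "truncated" results are the point of the example: the chain by itself is perfectly consistent after the newest entries are cut off, and an attacker with write access can simply recompute every hash after editing. The verification is only as good as the copy of the head hash you keep where the attacker cannot reach it (a separate collector, a write-once store, or a periodic signed checkpoint), which is exactly the "trust, but verify" check the bullet asks for.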
Just as cyber adversaries are constantly evolving to find ways around cyber defenses, organizations must also evolve to combat each attack. New cyber defense tactics and tools can be powerful and beneficial, but it’s important not to forget the basics of cybersecurity – from routinely changing passwords to building and maintaining defenses at the periphery of your network and diligent monitoring.
Though strong, those defenses are reactive — actively hunting for cyber adversaries is the next step in the evolution of cyber defense. The concept of cyber threat hunting is important because, even with a strong peripheral defense, it’s likely bad actors are already on your network – and it’s better to find them before you get a phone call from the press asking you to comment on the record for a reported breach.
Hunting represents a shift in the work of a cyber professional – rather than relying solely on alerts from monitoring tools, cyber experts must now analyze and prioritize data to anticipate where threat actors are likely to hide and find them before they attack. And, because removing one adversary doesn’t resolve every attack vector possible, hunting is a continuous, iterative process. It’s not a bulletproof vest, but it can take your organization to the next level of proactive cyber defense.
Marvin Marin is a technical program manager at NetCentrics who currently supports the US Coast Guard Cyber Command as a Computer Network Defense Manager. He was recognized as a 2016 Finalist for the EC-Council Foundation’s Chief Information Security Officer of the year.