Understand how threat hunting is different from cyber security detection and response, and whether your business needs to start thinking about it now.
There’s no shortage of blogs and articles about cyber security (yes, we see the irony here). In fact, there’s a heck of a lot of noise about cyber security. And it’s not really all that surprising given the global tsunami of cyber attacks in the past few years (there’s also no shortage of stats about this, but here’s one just to keep us honest: ransomware attacks increased by 105% in 2021).
Cutting through the noise
Cyber security certainly seems to be on the list of business leader priorities so the noise must be having some useful impact. But what to actually do with it? In 2021, there were 1,839 “cyber security businesses” in the UK, each proclaiming to have the best, most robust, securest security in the market. But with finite finances and endless threats, how do you make sure you’re picking the right cyber defence strategy?
Barriers, border force (SOC) and threat hunting
Broadly speaking, you can think about your cyber defence strategy in three stages (you guessed it):
- Barriers
- Border force (SOC)
- Threat hunting
Barriers include everything that exists within your digital workplace – all the systems and devices you and your teams use to work together and interact with customers online. Think CRMs, cloud storage, intranets, video or chat channels, networks including wifi, email systems and so on… You probably have quite a lot of them.
The first thing you’d want to do as part of any cyber defence strategy is strengthen and secure your barriers. Make it more difficult for an attacker to get in. This includes things like firewalls, awareness training so your people are alert to phishing attacks, and regular maintenance to keep your systems up to date and “patched” against newly found threats.
Your barrier protection also includes more of the “noisy stuff”: early warning systems and software that send out an alert when something suspicious is going down (think dashboards with flashing lights). This is also known as Endpoint Detection and Response (EDR) and is essentially an evolution of anti-virus that lets you stop and isolate machines as well as block known threats. A bit like a fire alarm with some automatic sprinklers, it tells you something is wrong and might even be able to tackle simple threats. But it’s a machine; it’s not going to call the fire brigade for you.
That brings us on to the border force…
Your border force is the team that responds to the barrier alerts, day and night. As you might expect, different businesses use different approaches to this. Some have an in-house team of IT security specialists whose job it is to “patrol the barriers” 365 days of the year and respond to cyber threats as they happen. Other businesses choose to outsource this kind of thing to a Security Operations Centre (SOC) that specialises in round-the-clock monitoring, detection and response (Managed Detection and Response, or MDR). And, as with all things these days, there’s a hybrid model, with some businesses employing a small in-house team who work alongside external experts.
Supporting your barrier defence with a border force blends the very clever, but essentially just very noisy, alerting software with a fully functioning human being (with opposable thumbs to point and shoot the fire hose). This approach is well established and offers a strong line of defence against cyber threats. But you are still very much in defence mode here: you’re still reacting to an attack.
Cyber security threat hunting – the best defence is offence
Deploying proactive threat hunting as part of your cyber security strategy means tracking down threats before they breach your barriers, and long before your border force (SOC) needs to respond.
Human threat hunters
No matter how sophisticated the security software becomes, it still falls short of the human brain. There’s an inevitable predictability about automated technology, and sophisticated cyber attackers (and we know there are quite a few out there) can suss out loopholes to bypass alerts or use distraction techniques to fool the software.
So, while technology is a really important element of cyber defence, it is just one element. Your human threat hunters would also typically have high levels of security clearance and extensive experience of cyber intelligence, so they know what they’re looking for and how to find it.
A good threat hunting service also uses copious amounts of data and powerful analytics, so it’ll be supported by secure cloud infrastructure to house all the information. This involves analysing a whole load of data sources far beyond the alerts picked up by your barrier security to build up a picture of potential attacks. Bringing it all together, threat hunters deploy cyber intelligence techniques to identify potential attacks before they ever become a real threat to your business. This involves comparing your security data sets with external market intelligence about the latest cyber threats and potential risks.
The devil is in the details. So what are these mysterious “data sources”?
- Comprehensive log data
Only a small percentage of your log data will actually trigger an alert from your barrier defence tools for your border force (SOC) to see. But when the full picture of your log information is combined with additional intelligence from other sources (see below), it can uncover potential threats that would otherwise have gone undetected.
- Analysis of previously investigated alerts
As we already know, cyber security tools are noisy. There’s always something pinging. And even if those threats have been investigated accurately and appropriately, something might’ve been missed. But with new intelligence, a threat hunting team can go back and review things that were seemingly normal at the time, but may now suggest something more malicious or something that has the potential to be malicious in the future (e.g. a zero-day vulnerability).
- High malicious probability actions
This is a fancy way of saying that we look particularly closely at actions from certain countries. Actions from some states, such as Russia, Iran and North Korea, have a very high chance of being malicious. With extensive experience in cyber intelligence and high security clearance, a team of professional threat hunters knows what they’re looking for and where to look for it.
- Unexpected protocols
This is where your threat hunters look at unexpected external communications, such as remote desktop connections in and out of the network, or an action that is irregular for the network. These types of things are usually a red flag and can help shut down threats before they get a chance to do any real damage.
Combining all of these different data sources gives them, and therefore you, much more detailed threat intelligence. This, in turn, helps you build a much better cyber defence for your business.
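To make the four data sources above concrete, here is an added example (not code from the original article or from any particular threat hunting service) of a small hunting pass written in Python. It scores every connection log line, not just the ones that already alerted; treats source countries on a high-risk list the way the article describes; flags remote desktop and similar protocols crossing the network boundary; and re-reviews an alert that was previously closed when a newly received intelligence indicator matches it. The log lines, the internal address ranges, the country codes attached to each line and the indicator lists are all constructed for the example; a real hunt would pull these from the SOC's log platform and a threat intelligence feed.

```python
"""Toy threat-hunting pass over constructed connection logs.

Combines the four data sources the article lists:
  1. full log data (every line, not only those that already alerted)
  2. previously investigated alerts, re-reviewed against new intelligence
  3. geographic risk (source countries treated as high-probability malicious)
  4. unexpected protocols (remote desktop and similar crossing the boundary)
Every IP address, country code and indicator below is constructed.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed list: the three states the article names, as ISO country codes.
HIGH_RISK_COUNTRIES = {"RU", "IR", "KP"}
# Constructed: the organisation's own private address space.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
# Destination ports that are a red flag when they cross the network boundary.
BOUNDARY_SENSITIVE_PORTS = {3389: "RDP", 5900: "VNC", 22: "SSH"}


@dataclass
class Finding:
    line: str
    score: int = 0
    reasons: list = field(default_factory=list)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> dict:
    # Constructed format: "<ts> src=<ip> dst=<ip> dport=<n> proto=<name> country=<CC> alerted=<0|1>"
    ts, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    fields["ts"] = ts
    fields["dport"] = int(fields["dport"])
    fields["alerted"] = fields["alerted"] == "1"
    return fields


def hunt(lines, new_intel_ips, closed_alert_ips):
    """Score every line and return the non-zero findings, highest score first."""
    findings = []
    for line in lines:
        f = parse_line(line)
        fd = Finding(line=line)
        # 3. geography: source country on the high-risk list
        if f["country"] in HIGH_RISK_COUNTRIES:
            fd.score += 2
            fd.reasons.append(f"source country {f['country']} is high-risk")
        # 4. unexpected protocol: sensitive service crossing inside/outside boundary
        name = BOUNDARY_SENSITIVE_PORTS.get(f["dport"])
        if name and is_internal(f["src"]) != is_internal(f["dst"]):
            fd.score += 3
            fd.reasons.append(f"{name} crossing the network boundary")
        # 2. re-review: a source now in fresh intelligence, including one whose
        #    earlier alert was investigated and closed at the time
        if f["src"] in new_intel_ips:
            fd.score += 3
            fd.reasons.append("source matches new threat intelligence")
            if f["src"] in closed_alert_ips:
                fd.reasons.append("previously investigated alert should be reopened")
        # 1. full log data: lines that never alerted are scored exactly like the rest
        if fd.score:
            findings.append(fd)
    return sorted(findings, key=lambda x: -x.score)


# Constructed sample logs (documentation-range addresses, fictitious countries).
SAMPLE_LOGS = [
    "2024-01-05T09:00:00Z src=10.0.1.5 dst=10.0.2.9 dport=445 proto=smb country=GB alerted=0",
    "2024-01-05T09:01:00Z src=203.0.113.7 dst=10.0.1.5 dport=3389 proto=rdp country=KP alerted=1",
    "2024-01-05T09:02:00Z src=198.51.100.20 dst=10.0.3.3 dport=443 proto=https country=DE alerted=0",
    "2024-01-05T09:03:00Z src=10.0.1.5 dst=192.0.2.44 dport=3389 proto=rdp country=GB alerted=0",
]
NEW_INTEL_IPS = {"198.51.100.20", "203.0.113.7"}   # constructed: today's intel feed
CLOSED_ALERT_IPS = {"203.0.113.7"}                 # constructed: alert closed last week

if __name__ == "__main__":
    for fd in hunt(SAMPLE_LOGS, NEW_INTEL_IPS, CLOSED_ALERT_IPS):
        print(fd.score, fd.reasons, fd.line)
```

Two things the output shows that the alerts alone would not: the HTTPS line to 198.51.100.20 never tripped anything at the barrier, yet it surfaces once the new intelligence is applied, and the outbound RDP from an internal host is flagged purely because the protocol is unexpected at the boundary. The scoring weights are arbitrary; in practice a hunting team tunes them to its own environment and pairs them with an analyst review rather than treating the score as a verdict.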
Is cyber threat hunting right for you?
A comprehensive cyber defence strategy takes a layered approach and combines intelligent automated technology with human experience and contextual analysis. Incorporating cyber threat hunting into your overall security strategy will inevitably make it more robust and, well, secure.
But, as with everything (and part of the reason there are 1,839 cyber security businesses in the UK), it all comes with a price tag. It comes down to your appetite for risk, and that of your customers.
The best way to rationalise how protected you need to be is to consider the potential impact of an attack. Calculate the cost of a breach, including total business shutdown, the length of time to restore data and resume operations (for example accessing your backup data and implementing your disaster recovery plan), your brand reputation and loss of customer trust, not to mention the direct financial cost of paying a ransom. The stats on this are pretty bleak, with average ransomware payments now around $170k and up as high as $3.2m, and that’s before we count the other costs listed above.
Then, consider the likelihood of a breach for your business. While we know total cyber attacks have exponentially increased, it can also be helpful to think of this in terms of your sector. Likewise, consider the controls you already have in place – is your technology infrastructure well maintained and securely designed; what tools do you already have in place; are they monitored and alerts actioned?
Finally, think about your incident response process and how prepared your business is to manage a breach. Even if this is just a tabletop exercise as part of your broader business continuity planning, there’s real value in making sure everyone knows what to do during an incident and identifying areas for improvement.
Weigh up the risk based on these factors and you’ll be in a better position to decide how secure you feel, and how secure you want to be.