Whether it is written down or not, every business has the goal of protecting data or information – the lifeblood of modern business – to reduce risk and facilitate the establishment of trust. Trust is the foundation of success for organisations in both the physical and the digital world. A transacting customer affords trust to a business after risk, or at least perceived risk, is reduced to an acceptable level.

Matt Gangwer, Senior Director, Managed Threat Response, Sophos

Failure to reduce risk forces customers to look elsewhere. A 2018 study from the National Cyber Security Alliance revealed that 25% of SMBs filed for bankruptcy after a data breach, and 10% went out of business entirely. The importance of effective cybersecurity and its ability to reduce risk and maintain customer trust couldn’t be clearer.

Effective cybersecurity is not just about implementing security software and policies; it’s about being able to spot and respond to subtle anomalies and behaviours that could indicate an intruder in the network. This is ‘threat hunting’.
Threat hunting
Threat hunting is an emergent, human-led endeavour, using an iterative and methodical process to proactively identify threats within a network that have evaded security controls. To threat hunt is to acknowledge that no system can be considered 100% secure, that technology is imperfect and that capable and determined adversaries will find a way to evade multiple layers of protection. The most determined adversaries will test their tactics and techniques against security tooling to ensure they evade detection.
Prevention technologies that proactively protect against threats markedly reduce risk. However, the residual risk, the threats that can evade prevention, is often the most damaging. It is exactly these threats that we must hunt for, analyse and respond to. If we don’t, we risk incidents escalating into fully fledged data breaches and ultimately put the future of our organisations in jeopardy.
While many organisations have already invested in prevention capabilities, many have yet to put major investment into effective detection of latent or missed threats and the ability to respond to them. Threat hunting is an activity that the modern threat landscape necessitates and which must be performed either by an organisation for itself, or outsourced to a capable third party to perform as a service to the organisation.
For those that are considering threat hunting for themselves, we would like to share a few things that are worth considering before you start:
Data intelligence/data quality
For threat hunting to be successful, one of the first things any team or organisation should do is take inventory of their data sources and what is available to use for threat hunting. This simple exercise will help drive the types of threat hunting that can be performed.
For instance, if you don’t have high-fidelity network telemetry, that may be an area to exclude from your hunting scope. Knowing what sources are available allows for several key points right out of the gate:
1. Time won’t be wasted performing a hunt over a data set that doesn’t exist. An analyst’s time is extremely valuable, so optimising time when hunt activities are performed will lead to a more efficient and successful team.
2. You can begin measuring the success of your data. Every new hunt should bring learnings to the team and organisation. This doesn’t mean finding a new APT group each
www.intelligentciso.com | Issue 27