As the long hot summer draws to a close, it’s once again time to reflect on the Cloud Security Summit Alert Logic hosted in London, which gave the cloud security industry a welcome opportunity to take stock of the current cloud security threat landscape and what we can do about it going forward.
One of the sessions at the London Cloud Security Summit was “Let’s Go Threat Hunting”—presented by Dr. Jonny Milliken, a Threat Research Manager for Alert Logic based in our Belfast office. With a combination of unparalleled technical insight and Star Wars movie comparisons, Jonny took us inside the world of threat hunting.
Setting the threat landscape scene
This is what the cybersecurity landscape looks like: a small number of highly skilled and talented cybersecurity professionals battling an endless horde of automated attacks. Cybersecurity is a constant battle: as soon as one cyber threat is detected and thwarted, there’s a plethora of others to contend with. Each individual cybersecurity professional can only hold out for so long. They will eventually be overwhelmed, and the attackers will find their way into the infrastructure. The solution? Jonny suggests we should be better prepared, and not run into a drone fight with a lightsaber.
He also explained how analytical defense and automation are the key to success. You have to fight automation with automation: it allows security staff to match and mimic the techniques of the attackers, for both known and unknown threats.
Threat Detection vs. Threat Hunting
Threat detection and threat hunting are often used interchangeably. Both are performed by experts, supported by analytics automation that cybersecurity experts build. The crucial difference is that hunting identifies unknown threats, while detection identifies known threats which may already be present in your network.
Preparation: It’s all in the data
Jonny placed data at the center of the threat hunting story. The more data you have, the more likely you are to identify an unknown threat that you could not possibly have known about beforehand. Looking at log analysis or network traffic, we can identify different data sets or areas that we could consider collecting for analysis: source IP address, destination IP address, headers, user agents, hosts being targeted, URIs and payload bodies.
He also explained why certain data sets are chosen for analysis over others. Why not just analyze every data set? The primary reasons for narrowing the pool of data are cost and the need to categorize and normalize the various fields. The key to victory is not necessarily the amount of data you acquire, but ensuring you look at the right data in the right way.
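As an added illustration of the preparation step described above (example code, not from the talk or from Alert Logic), the snippet below normalizes a handful of constructed web access-log lines into the fields Jonny listed (source IP, host, URI, user agent), then runs the two activities the previous section distinguished: detection, which matches a constructed known indicator, and hunting, which stack-counts a field to surface values that no known indicator could have flagged. The log format, sample lines and indicator value are all assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample access-log lines (not real traffic). The trailing field is
# the Host header, so each record carries the data sets named in the talk:
# source IP, host targeted, URI and user agent (from the request headers).
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Sep/2019:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0)" shop.example',
    '10.0.0.7 - - [01/Sep/2019:10:00:03 +0000] "GET /cart?id=7 HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0)" shop.example',
    '10.0.0.9 - - [01/Sep/2019:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh)" SHOP.EXAMPLE',
    '198.51.100.4 - - [01/Sep/2019:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "known-scanner/1.0" shop.example',
    '203.0.113.8 - - [01/Sep/2019:10:00:12 +0000] "POST /cart HTTP/1.1" 200 64 "-" "curl/7.64.1" shop.example',
]

# Constructed "known threat" indicator: a user agent the team already detects.
KNOWN_BAD_USER_AGENTS = {"known-scanner/1.0"}

LOG_RE = re.compile(
    r'^(?P<src_ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)" (?P<host>\S+)$'
)

def normalize(line):
    """Parse one log line into the fields worth hunting over, normalized so
    equivalent values compare equal (host lowercased, query string dropped)."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable lines are skipped rather than guessed at
    rec = m.groupdict()
    rec["host"] = rec["host"].lower()
    rec["uri_path"] = rec["uri"].split("?", 1)[0]
    return rec

def detect_known(records):
    """Detection: match records against indicators we already know about."""
    return [r["src_ip"] for r in records if r["user_agent"] in KNOWN_BAD_USER_AGENTS]

def hunt_rare(records, field="user_agent"):
    """Hunting: stack-count a field and surface values seen only once. A rare
    value is a lead for an analyst to triage, not a verdict of malice."""
    counts = Counter(r[field] for r in records)
    return sorted(v for v, n in counts.items() if n == 1 and v not in KNOWN_BAD_USER_AGENTS)

if __name__ == "__main__":
    recs = [r for r in map(normalize, SAMPLE_LOGS) if r]
    print("detection hits:", detect_known(recs))
    print("hunting leads (rare user agents):", hunt_rare(recs))
```

Note that the hunt surfaces a perfectly ordinary browser alongside the command-line client: rarity narrows the data to what is worth a human's attention, which is exactly where the analyst's judgment then comes in.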
Walking in the cyber attacker’s shadow
It sounds daunting, and it is certainly a challenge, but the conclusion Jonny drew in his presentation is one of cautious optimism, particularly for the ever-pessimistic cybersecurity industry. Threat hunting, Jonny suggests, can give you advance notice of cyber-attacks that you did not know were taking place. But the capability to identify those attacks is directly linked to the amount of the right data you have access to, and to the sophistication of your automation investments.
While it’s impossible to stay a step ahead of the cyber criminal with threat hunting, Jonny hypothesizes that you can walk in their shadow: every time they go and do something, you can be right behind them to try and thwart them in return. That’s certainly an important part of your cloud security defense.