(This is an excerpt from the SC Media eBook “Threat hunting essentials – How to craft an effective process.”
Threat hunting, a cybersecurity discipline where skilled human operators investigate, identify, and eliminate threats or vulnerabilities to a network, is not a new practice. But in the last couple years, many more security practitioners have joined the fight.
In 2020, only half of cybersecurity respondents to a SANS survey saw value in threat hunting, with another 30% unaware of how to even begin instituting it. But in this industry, much can change in two years.
Flash forward to today, where several factors have jolted the cybersecurity community awake. Adversarial tactics continue to rapidly evolve. The number of interactive hacks involving creative scripting and “hands-on-keyboard” tactics increased by 400% in the year following the SANS survey. The pandemic shifted a significant chunk of the labor force to remote work environments. Under this new arrangement, many companies struggled to extend existing firewall protections of the office to geographically-dispersed employees, creating the conditions for a significantly larger attack surface.
On top of this, organizations have added millions more endpoints and IoT devices to their networks. As a result, Security Operation Center (SOC) staff are under immense pressure to process ever larger volumes of data and distinguish genuine threats from network noise and false positives.
Detection and response are no longer sufficient. All evidence suggests that organizations must go on the offensive by introducing effective threat hunting programs that can anticipate and prevent increasingly sophisticated attacks.
This eBook, sponsored by Sophos, explores the essential tools and techniques of threat hunting, how to get started, and how to optimize.
Covered in this eBook:
- Threat Hunting 101: Most organizations already employ some degree of cybersecurity: encryption, network security monitoring, web vulnerability scanning, firewalls, and antivirus software. So why bring in a threat hunting team?
- Threat Hunting challenges: A lot of tools are not natively engineered to block out the latest attack tactics. They’re not looking for familiar and ordinary, they’re scanning for what’s unfamiliar or out of the ordinary.
- Threat Hunting advancements: Threat hunting has advanced even in just the last couple years. A major reason is that organizations now have an incredibly wide array of sensors and measurement tools at their disposal to inform their threat hunts.
- Five steps to do Threat Hunting effectively: Threat hunting can benefit organizations by improving security posture and overall vigilance, cultivating a culture of proactive risk management and mitigation, and adding greater visibility of the attack surface and adversary tactics. The key is to take advantage of the wide array of sensors and measurement tools at your disposal and follow the five steps for effective threat hunting.
Quotes:
“Passively waiting for obvious evidence of intrusions isn't sufficient in today's world. Threat hunting is really the act of proactively searching for signs of potential future intrusions. In cybersecurity we tend to be on our back foot, but threat hunting allows us to get on our front foot as well.” -- Matt Hickey, a Director of Sales Engineering at Sophos
“Even if you have really good tools in place – whether it be a firewall or endpoint protection – you're going to goof up. People turn off protections and add exclusions or write firewall rules that are overly permissive. They must accept the fact that they're going to make mistakes. So, the question is, how will you compensate for those mistakes when you do make them?” -- Greg Rosenberg, a Director of Sales Engineering at Sophos.
