How Do You Know Your System is Secure?
Proactive threat hunting leverages tools, data, and people for better security outcomes
By Andrew Brooks, VP of Information Security
Organizations usually address security threats in one of three ways: proactively, reactively, and sometimes not at all (excluding formal evaluation frameworks, such as Building Security in Maturity Model [BSIMM]).
In organizations with no security program, the ability to detect and respond to threats is non-existent. Absent a security program, these organizations are reliant on external and often unrelated entities to notify them of a security incident in their environment.
With a reactive security program, companies are able to detect attacks on systems and networks, and (hopefully) respond appropriately.
In an organization with a proactive approach to security, the most mature of the three, special tools and processes are put in place so that security staff can leverage data and analytics to identify threats that are otherwise undetectable with other tools.
This combination of tools, data, and people, is known as threat hunting. For organizations outsourcing services — and thus risk — to third-party vendors, make sure you are asking these vendors what technologies and approaches they use for proactive threat hunting to ensure your constituent data stays secure.
Humans: Far From Obsolete!
The easiest way to define threat hunting is as a tool-assisted activity led by humans. Threat hunting is designed to augment things security products cannot do alone. The human component of these processes is arguably the most important.
People can look at event data in a given context and determine whether or not behavior or event data is suspicious. People can also leverage large datasets to build out custom detection mechanisms that are unique to each company or environment.
Traditionally, incident response programs were predicated on waiting for something bad to happen, for that bad thing to be conveyed to the security team, and thus begins the incident response process. Because threat hunting is proactive, rather than waiting to be informed of an incident, threat hunters can interrogate data and look for anomalies, such as unusual usernames, anomalous DNS activity, process names, network communications, and much more.
As security staff investigates anomalous events, they can escalate and prioritize the data as needed. In some cases, anomalous data can be reduced to an improperly configured network device or application. But in other situations, threat hunting may identify advanced attackers actively exploiting your network and systems.
Using Tools for Threat Hunting
The security tools market has always tried to keep with industry trends, and threat hunting is no different. There are dozens of established and emergent vendors that position their products or services to solve threat hunting for organizations of all sizes and verticals. Beyond the product and tooling considerations, when building a threat hunting program, consider how adopting this practice can help you have more confidence in your security posture.
If you’re asking yourself, “where do I start,” I would strongly recommend reviewing the MITRE ATT&CK framework. The MITRE ATT&CK framework can help you start identifying attacker behaviors and help you develop threat hunting tactics specific to your environment. The adversary tactics described in ATT&CK can also help you evaluate tools as you continue to develop your program and capabilities.
Threat Hunting in the Public Sector
As to why threat hunting is important to CityBase, we are all citizens and consumers of municipal technology. As government agencies outsource risk to third parties, it is in everyone’s best interest to ensure that governments are partnering with secure vendors.