It’s clear from the last six months that the cyber threat landscape has gotten worse quickly. Hospitals are under siege from ransomware, breaches are increasingly moving to mobile devices, and we’ve seen a successful attack against a public utility.
The cyber threats we face constitute a state of emergency, particularly as attackers are pooling their efforts and establishing well-funded, organized crime syndicates. We are no longer fighting lone-wolf hackers working from basements. We are fighting an aggregate of organized attackers that want one thing – our data.
Defensive security postures are important – hardening systems, segmenting networks, reducing access and creating audit trails along the way – but they are not enough to protect our critical assets against these motivated attacks. It’s time that we, as a community, begin more aggressive detection on our enterprises. It’s time we go hunting for threats and malicious activities.
“Threat hunting” is not a marketing buzzword. It’s an offensive posture and a culture that unites man and machine to go on search-and-destroy missions. It’s not even a new strategy, but over time we came to rely on technology alone for detection. This is a good thing, but we must evolve. We must bring back the human element, the hunters – real people doing the spy work and the scouring of systems necessary to find that malicious code or that piece of malware that hasn’t been detected by our technology measures.
With threat hunting, it’s critical to accept the inevitability of compromise. This means concurrently embracing the role of both firefighter and police officer. As firefighters, we need to respond quickly when the alarm sounds, but we can also play the police officer role: out on the beat looking for crimes and getting to know the neighborhood. And, just like any good crime hunter, we should be attempting to predict which designs and activities will create unsafe environments and lead to incidents.
You’ve probably already heard “compromise is inevitable.” You might even be sick of it. But it’s all too real. So, assuming the bad guys will get in, we must also realize that our technology, as advanced as it’s getting, cannot detect 100 percent of attacks. Anyone who tells you their technology can detect 100 percent of malicious activity is not telling the truth (or misunderstands their own technology). So that gap – between technology and perfection – is where threat hunting lives. It’s your people going out and finding what is otherwise not being found through technology and automatic alerting.
What are we hunting for?
Your humans must set out to find “bad,” but a hunting “expedition” doesn’t have to result in finding APT or malware to be considered successful. There are many potential outcomes of hunting. You’re unleashing human creativity, instinct, and analysis on data in your environment. You’re letting your team explore and find their own leads and threads to pull. You’re putting them directly in the trenches. So what’s the result if you’re not finding evil? You understand your environment better. You figure out your gaps. You see what needs more care and feeding. “Oh, that system’s logging is malfunctioning and has been for months?” Great, now you can fix it. Now you’re safer. And we all know that one of the main problems in security is deploy and decay – the lack of tuning and optimizing your technologies over time to keep up with your organic environment.
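The “logging has been malfunctioning for months” outcome above is one of the cheapest hunts to run: compare when each log source was last heard from against what you expect. The script below is an added example, not code from the original post or from Carbon Black; it assumes a hypothetical feed format of `timestamp host message` and uses a constructed sample feed plus a constructed inventory of hosts that should be reporting.

```python
from datetime import datetime, timedelta

# Constructed sample feed (hypothetical format): "ISO-8601 timestamp, host, message".
SAMPLE_LOG = """\
2016-03-01T08:00:00 web01 sshd session opened
2016-03-01T08:05:00 db01 audit syscall
2016-03-02T09:00:00 web01 sshd session opened
2016-03-10T10:00:00 fileserv smb share accessed
2016-06-01T12:00:00 web01 sshd session opened
2016-06-01T12:30:00 db01 audit syscall
"""

# Constructed inventory: hosts whose agents/forwarders are supposed to be sending logs.
EXPECTED_HOSTS = {"web01", "db01", "fileserv", "dc01"}


def last_seen(lines):
    """Return {host: latest event timestamp} from the feed, skipping malformed lines."""
    seen = {}
    for line in lines:
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        host = parts[1]
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen


def silent_sources(lines, now, max_silence, expected=frozenset()):
    """Return {host: days silent} for sources quiet longer than max_silence.

    Hosts in `expected` that never appear at all are reported with None,
    since a source that has never logged is the gap most easily missed.
    """
    gaps = {}
    seen = last_seen(lines)
    for host, ts in seen.items():
        if now - ts > max_silence:
            gaps[host] = (now - ts).days
    for host in expected - seen.keys():
        gaps[host] = None
    return gaps


if __name__ == "__main__":
    now = datetime(2016, 6, 2)
    for host, days in silent_sources(SAMPLE_LOG.splitlines(), now, timedelta(days=30), EXPECTED_HOSTS).items():
        print(f"{host}: {'never reported' if days is None else f'silent for {days} days'}; check the agent/forwarder")
```

Pointing this at a real collector export and the asset inventory turns the anecdote into a recurring check, and every host it flags is either a broken forwarder to fix or a blind spot an attacker could already be sitting in.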
As teams hunt, they must embrace the blend of operations and intelligence, and actions must happen quickly. A lead must be quickly judged a waste of time when it is one, or else too much time will be spent going down the wrong path. Hunting is open-ended, but there still need to be lessons learned. Whether you prefer the OODA Loop, the F3EAD cycle from JSOC, or the Lean Startup Methodology, these models of fast, low-cost learning are very applicable to hunting.
The time to hunt is now. It starts with visibility and involves your humans. And hunting is fun. Hunting allows for that creativity to flourish. So give your team that “Google 20 percent time” to hunt and then watch your detection rate improve. Take the lessons learned, feed those back into the system, and strive for continual improvement.
Ben Johnson is chief security strategist for Carbon Black. He previously worked as an intrusion engineer for the National Security Agency (NSA), where he had top secret “blue badge” security clearance. He also had a similar role as a defense contractor supporting Intelligence Community and Department of Defense (DoD) cyber efforts.