Using Threat Hunting to Protect “Swiss Cheese” Security Infrastructures

As another high-profile government leak hits the headlines in the wake of the Democratic National Convention (DNC), the focus on developing a more proactive security posture through threat hunting, not just remediation, has never been greater.

“The DNC and the RNC have been Swiss cheese in terms of their security,” Wikileaks’ Julian Assange told CNN’s Anderson Cooper following its latest leak. It is a weakness that could continue to be exploited for political gain as we head into the last stretch of the presidential election.

Firefighting Doesn’t Cut the Mustard

DNC, OPM, IRS: the list of acronymic entities who’ve been targeted by cyber attackers and whose vulnerabilities have been exposed gets longer every month. Firefighting, political or otherwise, is a costly exercise. By the time a breach has been discovered, data that impacts our national security has already been compromised. Even worse, systems may have been hijacked, with untold consequences for our national infrastructure (government, financial, public services, and so on).

But Threat Hunting Still Isn’t a Priority

But agencies and political institutions aren’t yet making threat hunting a priority, even though they want to. According to a survey by the SANS Institute, although 86% of organizations are involved in threat hunting (the “act of aggressively tracking and eliminating cyber adversaries from your network as early as possible”), albeit informally, 40% don’t have a formal threat-hunting program in place. This is despite the absolute truth about security – that adversaries will always find a way in. That’s not to say organizations are unclear on the benefits of threat hunting. The survey also found that:

• 52% said threat hunting had found previously undetected threats

• 74% of those who had implemented threat hunting have reduced attack surfaces

• 59% have enhanced the speed and accuracy of response using threat hunting

If It Is Deployed, It’s Ad Hoc

Although organizations are reaping the rewards of threat hunting, most of it is still performed ad hoc (53%), meaning it’s not a “repeatable process” but rather driven by need and reaction: “Instead of proactively looking for the adversary using known methods, those using ad hoc processes are responding to what they see in their environment.”

There are several areas where enterprises are weak on incident detection/response, and where threat hunting can help.

But, to be effective, threat hunting cannot be a one-off approach. In its eBook, Cyber Threat Hunting: What Security Executives Need to Know, DLT partner Sqrrl emphasizes that: “Hunting is a proactive and iterative approach to security. To avoid one-off, potentially ineffective ‘hunting trips,’ it’s important for your team to implement a formal cyber hunting process.”

How to Improve your Threat Hunting Efforts

So what can government organizations do to improve their threat hunting efforts? The survey data from SANS finds that, in the quest for improvement, 57% want more automated tools:

“Because many organizations initiate their hunts in reaction to anomalies and then turn the anomaly over to smart people who perform an analysis, a natural limitation exists. Therefore, utilizing customized tools and automation will improve detection and allow the limited staff to analyze more events and catch more adversaries.” – SANS Institute

Automation also turns less experienced hunters into hunting experts more quickly.

Survey respondents were also willing to spend more on their threat hunting measures. But budget and tools aren’t everything. Public sector organizations need to adopt new processes, source quality threat data from their IT environment and beyond (the more data, the more results you’ll find), and gain executive buy-in for an active detection strategy, instead of one that’s continuously focused on reaction.

Read more from Sqrrl on how you can use proactive threat hunting techniques to detect security threats.