Reactive vs Proactive: Hunting for Threats with Targeted Cyber Threat Intelligence

The sophistication of hackers and the number of malware threats have increased over the last few years, with security teams grappling to stay ahead of the curve to protect their organizations.

According to a Ponemon report, the average time to detect a breach is 206 days, and another 73 days to contain it. Interestingly, a breach lifecycle of more than 200 days is 37% more expensive than a breach lifecycle that is less than 200 days ($4.56 million vs $3.34 million). The Retail, Finance, and Entertainment industries are among the top 5 industries with the longest mean time to identify and contain breaches.

The saying, “time is money” truly applies to breaches, and when an attack occurs, the clock starts ticking. So why not be proactive instead of taking a reactive approach?

Reactive vs Proactive

Making use of threat intelligence is a pivotal difference between being reactive and proactive. According to Gartner, “Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”

Although threat intelligence is a critical step, for a proactive approach to work efficiently and effectively, every organization needs to differentiate between wants and needs.

Breadth of coverage needs to be defined within the organization. When testing software, a key metric is code coverage. In proactive threat intelligence, the coverage within the organization’s network and software applications needs to be quantified as a defined scope.

Depth and accuracy are also part of the scope to be defined. Threat intelligence solutions and services can provide an avalanche of information to the point where it loses its value. Detecting indicators of attack and responding to them is key. But some indicators have more value than others; for example, IP addresses compared to TTPs. Being able to define the breadth of scope and analyze in-depth using more valuable indicators will provide better accuracy.

Ability to execute is an important quality in a threat intelligence platform. The solution should have the service capabilities, quality, and feature sets to meet the organization’s objectives. When it comes to threat hunting, the human element is a critical component. Having a team of experts to manage and analyze systems and data is really what makes threat intelligence valuable. And a managed service provider can marry technology and the human factors together most effectively.

Extensibility allows for the addition of new features and capabilities. This can improve flexibility to create complex profiles of different attack groups. The trade-off here is that it requires more administrative attention to the solution.

Industry Specialization is an essential consideration, as every industry faces unique challenges. For example, retailers would want to focus on payment card skimming and credential theft, while an increasingly common attack on the healthcare industry is ransomware.

Advanced Threat Hunting

The proactive approach to secure your organization’s systems is building upon threat intelligence data, with threat hunting. Threat hunting is the process of actively looking for signs of malicious activity within enterprise networks, with no prior knowledge of those signs. It can uncover threats on your network without signatures or known indicators of compromise (IOCs). The following five elements of threat hunting make it a more effective process.

Threat Hunting Tools

Data is an essential item in threat hunting, such as logs from network devices, databases, endpoints, and security tools. Correlating this data into a SIEM is a big time saver. A threat hunter also needs to understand the baseline behavior of the network’s traffic to spot abnormalities more easily. Incorporating these things with threat intelligence are the fundamental starting point to begin a hunt.

Building a Hunt Hypothesis

Building a hypothesis starts with asking some questions. High-level questions and prioritized intelligence requirements (PIR) should be answered, such as “What is a vital company asset?”, “How would someone try to access it?”, “Is there a threat hiding in the multitude of logs and alerts?”, and “Is there a match in the logs for the latest threat intelligence data?” From these questions, a hypothesis can be formed for a more effective threat hunt.

Confirming the Hypothesis with Evidence

Now the hunt begins. In addition to having patience, a threat hunter must be savvy in intelligence analysis, information security, and forensic analysis. If evidence is found that confirms the hypothesis, it’s now time to define the best course of action.

Develop Analytics

Analytics can be created to run against the target data, being careful the analytics don’t have an unacceptable false positive rate on benign events. Kristina Sisk, notes that the results can further provide leads “to understand if the suspicious behavior identified was malicious, against policy, or possible due to insecure methodologies.”

Document the Hunt

It’s best to document the hunt during as well as after the hunt concludes. Documentation should include follow up courses of action, a summary, and trending of the observations. Documentation should be shared with stakeholders such as business leadership and engage SOC teams so they can fine tune alerting capabilities.

A Time For Action

Including a proactive advanced threat hunting approach in your cybersecurity program can improve your chances of avoiding breaches, rather than waiting to react after a breach has occurred. With the average time to detect a breach over 200 days, failing to take a proactive approach can be costly financially and negatively impact brand reputation.