Why Threat Hunting should become a standard requirement in Cyber Security
by Svenja Koch
The global IT security situation has changed drastically in the recent past. Growing corporate networks are becoming harder to oversee as notebooks, smartphones and cloud connectivity are added, and they offer cyber criminals ever new attack surfaces. At the same time, cyber threats have increased in quantity and quality. In particular, the proportion of targeted, sophisticated attacks (advanced persistent threats) continues to rise significantly worldwide. Classic, passive cyber defences are often powerless against such attacks. Threat hunting, the proactive and continuous search for threats, should therefore be given a central role in the defence against cyber attacks.
In this blog entry, you will learn why leaving threat hunting out of the cyber security strategy is a major omission and why it must become an integral part of our security DNA.
Why we have traditional security standards
Traditional IT security standards were created to ensure the security of our IT networks. They define a set of best practices designed to ensure the integrity of our data and the hardware on which it is hosted. However, many corporate networks still use protection mechanisms that do not take advantage of what modern cyber defence can do and are therefore not up to today's attack methods. Decision-makers in companies are often still convinced that their IT and information systems are secure, when in fact they rely exclusively on passive systems and protection modules such as a firewall or anti-virus software.
Passive systems such as firewalls create a deceptive feeling of security, because the logs show that unauthorised access to the IT infrastructure is actually being prevented. The attacks that are blocked, however, are often very general and untargeted. The particular danger comes from sophisticated, planned attacks. Here, cyber criminals specifically infect systems in your network and then have direct access to the compromised computers. There are many ways and means for such infiltrations, and in most cases passive protection modules such as a firewall are powerless against them. Local intrusion detection systems promise a remedy, but even these work according to predefined algorithms. They do not detect all attacks, and they can themselves become the target of a cyber attack. Used on their own, they therefore do not guarantee comprehensive security either.
How standards address successful attacks
Many of the controls defined in corporate security standards aim to mitigate the possibility of an attack. For example, they may define how to configure the perimeter so that malicious traffic cannot find its way inside. They can focus on measures such as user training so that employees are less likely to fall for social engineering attacks. They may even focus on processes to ensure that all these layers of security are properly maintained.
However, when it comes to mitigating successful attacks, these standards do little good.
They tend to focus on three key areas:
- Anti-virus or malware control software
- Intrusion detection or prevention
- Log scanning
What all these measures have in common is that they are detection rather than validation technologies. Anti-virus software, for example, attempts to detect malware when it lands on a host. It does not provide a response if the malware drop is successful. Furthermore, trusting anti-virus software requires that the infected system actually runs the software. Most Mac, Linux, IoT and hardware devices operate without an anti-virus solution.
Pentesting vs. threat hunting
Vulnerability scanning and pentesting are popular requirements of security standards. The PCI DSS*, for example, lists both as requirements. Control 11.2 requires quarterly vulnerability scans, while Control 11.3 requires quarterly pentesting. Both aim to identify vulnerabilities in your security structure that attackers could exploit to gain increased access.
However, what needs to be considered is the process that follows when a vulnerability scan or pentest finds a vulnerability. We simply patch or change the configuration so that the vulnerability is no longer accessible and move on with our day. In other words, if it is determined that a vulnerability exists and has been exposed to the Internet, neither PCI DSS nor any other security standard requires a deeper investigation to determine whether the vulnerability has been exploited.
* The Payment Card Industry Data Security Standard (PCI DSS) sets the minimum standard for data security.
Where is the vulnerability?
If you look at existing security solutions, they usually fall into one of two categories. Either they are protection-based, meaning they focus on keeping attackers out. Firewalls, intrusion detection and two-factor authentication fall into this category. Or they are response-based and designed to come into play as soon as we know the bad guys are on the network. Incident handling is a good example of this.
The problem is that relying exclusively on these two practices leaves a huge hole in your organisation's security. If the bad guys manage to get past your protection solutions, it may be a while before you actually see them on your network. By the time you see them, they have already stolen your company's data!
The critical factor of time
The average detection time for network security breaches is currently 6 months. This means that the attackers have been on your network for about half a year, stealing your company's data, without you knowing about it. The now famous "SolarWinds compromise" is a perfect example of this. The vulnerability occurred in March and was only discovered and publicised in December.
The most amazing thing is that in most cases these security breaches are discovered by external sources! This means that you didn't even find out that your company was affected... the FBI or some other organisation had to tell you. Again, the SolarWinds breach is a perfect example because the compromise was discovered by FireEye.
Allowing such a vulnerability to go undetected on your network can have a huge impact on the willingness of companies or consumers to do business with you. A fitting example of this is that many cyber insurance policies can only be taken out if the company concerned has an early attack detection tool in place.
The gaping hole filled by Threat Hunting
As you can see, our traditional security standards go to great lengths to identify the layers of a secure posture, but they do very little to verify that the required controls were actually effective. For this reason, it is not surprising that many companies receive their security certificates at the very time that an active compromise has occurred. As an analogy, imagine certifying a bank as "secure" because you checked the locks and the cameras on the perimeter, but never bothered to look inside to see whether criminals were actively emptying all the vaults.
By actively scanning your network for threats, you are performing the ultimate validation test for your network's security. It doesn't matter if an auditor can tick all the boxes next to a list of required attestation controls. If intruders are on your systems, one or more of these controls has failed. If the goal of an audit is to verify the integrity of a network, Cyber Threat Hunting provides the ultimate confirmation of whether that goal has been met.
So if you are one of the people responsible for ensuring your organisation's IT and information security, it's time to add threat hunting to your list of cyber security requirements - if you haven't already.
With threat monitoring of your corporate network, you perform the ultimate test to check the security of your network. It doesn't matter if you have all possible security solutions in place - if intruders have infiltrated your systems, one or more of these controls will have failed and they will cause damage to your network until you finally detect them. As we know, this can take months.
If your goal is to maintain the integrity of your network, Threat Hunting provides the ultimate check that you are secure.