To improve the speed and accuracy of cybersecurity response, many organizations find proactive threat hunting to be valuable for training their security personnel. In fact, 91 percent of respondents to The SANS 2017 Threat Hunting Survey said their defenses have improved thanks to aggressive exercises.
Illinois, for example, recognizes threat hunting as part of a much broader effort including “proactive and deliberate cybersecurity monitoring” with “significant focus on the critical areas of cyberdefense, threat intelligence, incident response and cyberresiliency,” according to the State of Illinois Cybersecurity Strategy 2017-19.
States may find threat hunting appealing because today’s advanced attacks are more difficult to detect thanks to their low-and-slow nature, and because many security events confront defenders. Unlike traditional detection methodologies, where an organization waits for alerts, threat hunting takes a more proactive approach, identifying signs of threats, analyzing them and stopping them in their tracks. In other words, states turn to threat hunting to locate problems now instead of waiting for problems to show up in the future.
Threat hunting usually involves a combination of skilled personnel and automated tools working together. Implementing threat hunting and using it to successfully find advanced threats requires real effort, but state governments and other organizations are increasingly recognizing that the benefits make those efforts worthwhile. In the long run, state governments will find greater success in threat hunting through proper planning and by implementing pieces through a multiyear effort.
How States Can Set Up Threat Hunting Operations
On the surface, threat hunting sounds exciting, conjuring images of pursuing attackers and catching them in the act. While that does happen, threat hunting typically is a time-consuming and somewhat tedious task. A threat hunter may need to evaluate many leads before uncovering a real threat. Threat hunting as a process is also usually far more complex than many might expect.
An important first step for state and local IT professionals is to educate themselves on threat hunting: What are the benefits? What does it involve in terms of technology, labor and other resources? How effective is it? Fortunately, many resources are available to help. Once the basics of threat hunting are understood, authorities can decide if their systems are ready for it.
It’s unrealistic to expect the immediate implementation of threat hunting throughout any organization. Threat hunting requires a combination of skilled people, refined processes and advanced technologies, all of which take time and focused effort to put into place.
Turn to Automated Tools and Determine Who Will Use Them
Threat hunting requires:
- Collecting sufficiently comprehensive and accurate cybersecurity data from hosts
- Bringing together the cybersecurity data from those hosts in a centralized location
- Providing mechanisms for people and systems to review and analyze the centralized data
- Using the latest threat intelligence to understand the significance of observed events
Though it’s possible to perform threat hunting without relying on automated tools, it’s generally not cost-effective. The volume of data and the number of events to review are far too great to handle manually. State and local governments rely on threat-hunting technology to automate data collection and centralization, provide interfaces for machines and people to query and analyze, and correlate current threat-intelligence data with the observed security events.
State governments must decide whether their threat-hunting tools will be used primarily internally (by state employees and contractors) or externally (by third-party outsourcers). The skills needed to hunt for advanced threats are considerable, so it may be more cost-effective to use external hunters instead of building and maintaining all of the necessarily skills internally. IT teams can use threat-hunting services like FireEye Managed Defense, Symantec Advanced Threat Hunting and Trustwave Threat Hunting for Government in conjunction with other threat-hunting technologies.
Choose the Right Threat Hunting Products
Many products that help to automate the process are specifically designed for threat-hunting purposes, while others offer threat hunting-functions alongside other important security capabilities. Depending on the capabilities an agency already has, it may make sense to look for threat-hunting technologies that complement those capabilities or replace them altogether. Examples include:
- Carbon Black Cb Response
- CrowdStrike Falcon
- ExtraHop Reveal(x)
- FireEye family of products
- Symantec Advanced Threat Protection
When evaluating threat-hunting tools, consider the primary users — internal staff or external outsourcers. Certain technologies may be better suited than others, depending on who the primary users will be. Another important consideration is which operating systems will run the tools. Many require installing agents on each host to be monitored, so it’s important that the selected technology will work well with most of the hosts, minimizing manual efforts.