The cyber community has more tools and techniques than any time in history, and yet cyber-attacks are still successful.
That’s according to a new Bricata white paper we just published called Natural Network Threat Hunting Emerging as One Key to Modern Cybersecurity. It’s not just that these attacks are succeeding, it’s that they are happening “in increasingly large numbers.”
According to the paper:
“The latest Verizon Breach Investigations Report hit another high in 2017, tracking 42,068 cyber incidents that resulted in 1,935 breaches at monitored organizations. The same was true of the annual Identity Theft Resource Center Year End Data Breach Review, which saw an uptick of 44.7 percent in the number of tracked breaches over the 2016 numbers.”
Why is this happening? Simply stated, it’s because even though the tools and techniques the community currently has are effective against most attacks, a small percentage of attacks are savvy enough to elude those counter-measures.
Sophisticated attacks are managed by sophisticated threat actors. This is the catalyst behind threat hunting – the idea that in a zero-trust environment threats are already inside the network waiting for the perfect moment to initiate an attack. To find these hidden threats, security analysts use a combination of threat intel, data and intuition to examine areas of interest.
The Key Trends Shaping Threat Hunting Technologies
No security operations center (SOC) can simply wake up one morning and go threat hunting, because most are too busy putting out fires. That alone shows there is a range of factors – across people, process and technology – shaping threat hunting. Here are some of the key trends we have observed in the market:
1) The security talent shortage persists
As the white paper puts it, there’s clearly a “lack of people.” The paper cites some research:
“Estimates put the shortfall at anywhere between 1.8 million to 3.5 million open cybersecurity positions in the next five years.”
The shortage isn’t just affecting business but government too, which competes at scale for the same talent. The government is getting creative in its quest to overcome the talent shortage:
“According to a recent report by The Pew Charitable Trusts, both federal and state governments are turning to retired military personnel, students and other non-traditional workers to fill cybersecurity seats, then spending a lot of money on training them how to respond to threats.”
Technology has long promised people they can do more with less; in the era of threat hunting, doing more with less is an imperative.
2) There’s a skills shortage in cybersecurity too
The paper points out that one of the biggest problems in security isn’t technology, it’s training:
“What good are 1,000 hammers if you only have two or three people to swing them?”
Some of the smartest security leaders in the space have found a way to turn threat hunting into a professional development and mentoring program that advances the skills of junior analysts.
Technology for threat hunting must be familiar to the junior analysts, without sacrificing the capabilities senior analysts need.
3) The growing complexity of IT environments
Networks and IT environments have always been a growing mix of machines, routers and cables. Yet the complexity is growing faster because of developments like cloud, BYOD, IoT and others.
The risks are real: an attacker leaping from a home-based worker’s internet-enabled refrigerator to their laptop, and from there onto the corporate network by way of VPN, isn’t science fiction anymore:
“Every time a new application, technology, client, server, cloud, device or almost anything else is added to a network, the number of potential vulnerabilities that an adversary could use to successfully attack it grows.”
Threat hunting technologies must be engineered with the flexibility to adjust to new vectors of attack and wider surface areas.
4) Threats will continue to evolve
Bad actors get a vote in the cybersecurity battle, and we saw the evolution with the likes of Petya and WannaCry. The lateral movement we saw in 2017 was quickly adapted for ransomware attacks.
As the paper notes:
“One only needs to look as far back as March 2018 to see the dangers of lateral movement, where a new strain of ransomware brought the entire city of Atlanta to its knees. The initial infection was eventually detected and cleaned, but not before it was able to jump to many other clients in Atlanta’s municipal network.”
This threat is of special concern because of the application to infrastructure:
“In the United States, critical infrastructure in the form of power plants were recently breached by suspected Russian hacker groups. Instead of using ransomware to try and exploit money, the power plant attackers “conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems” according to a report from the United States Computer Emergency Readiness Team (US-CERT).”
Why is this such a concern? The paper points out:
“At a deeper level, the process that most cybersecurity teams use to handle security alerts is inadequate against advanced threats capable of lateral movement. Cleaning one infected endpoint is no longer enough, because the threat actor has likely already moved laterally within the network, elevated their privileges and secured a foothold in many other systems. Most cybersecurity programs are blind to this type of lateral movement and weren’t designed to perform threat hunting processes needed to uncover the most advanced attacks.”
Threat hunting tools must be like a Swiss Army knife and fulfill multiple roles. They need to support the search for threats, and also be able to act and stop attacks from spreading.
5) Existing technologies lack workflow
Anyone might be able to build a house with some wood, a hammer and nails, but it might not be a very good one. Good houses are usually built from a blueprint that serves as the builder’s guide. Security technologies need something similar: a structure that gives the work a natural flow and brings some order to the day-to-day chaos.
The report notes:
“Complex tools and workflow: many of the advanced tools and tactics needed to defend networks like data analysis techniques, or building investigative processes into workflows, are mostly non-existent. Those processes are the foundation of threat hunting, and are sorely needed in many organizations, yet seemingly unobtainable.”
Threat hunting technologies need to support directed activities – and provide organizations with the flexibility to design or redesign their own.
6) Too many tools that don’t talk to each other
Security organizations are realizing it’s not useful to have a dozen different tools firing off alerts. Analysts need to be able to correlate various alerts to find a single source of truth:
“At the highest level, there are too many defensive tools reporting into too few people. The tools are not normally integrated, requiring the few IT people that an organization can deploy undertake multiple training sessions to simply learn their complex interfaces.”
Security analytics fell short of this goal and has in the process given way to threat hunting, but data and analytics remain the basis of threat hunting.
7) Breaches cost a lot of money and much more
As the paper notes, “beyond the obvious security problems, or any ransom demanded by an attacker, is the fact that every breach costs organizations a lot of money.”
It cites a study by the Ponemon Institute that “puts the average cost of a security breach in 2017 at well over a million dollars for many large enterprises, and a hundred thousand or more for small and medium-sized businesses.”
As we noted in a roundup of cybersecurity statistics in 2017, “the cost of a cybersecurity breach is an estimated $3.62 million globally. In the U.S. the cost of a breach is nearly double that at an estimated $7.35 million.”
The kicker, according to the white paper:
“That estimate does not include all the many intangible costs such as damage to brand reputation and loss of confidence, or the long-term impact on customers from the theft of personally identifiable information, or the risk of identity theft, financial fraud and other secondary crimes.”
* * *
The white paper closes by noting, “Without a doubt, networks can’t abandon their baseline protections.”
“Firewalls, endpoint protection software and even traditional anti-virus tools can all work to eliminate known or less advanced threats, sometimes automatically, so there is no reason not to employ them. Slightly more advanced defenses can center around IPS/IDS systems, which can make an IT worker’s daily cybersecurity tasks a lot more effective.”
You can learn more by downloading the complete white paper here: Natural Network Threat Hunting Emerging as One Key to Modern Cybersecurity.