Why it is Key to Invest in Proactive Threat-Hunting?By Sofía Hanna | Wed, 06/16/2021 - 13:58
You can watch the video of this presentation here.
Reacting to attacks is not enough, companies have to be proactive and look for threats and weaknesses before they can be exploited. To remain protected, companies should actively hunt and neutralize threats, said Eduardo Zamora, Country General Manager at Fortinet Mexico, during Mexico Cybersecurity Summit 2021.
Threat hunting, which is the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions, is an increasingly necessary tool. “Today, the definition of threat has changed,” said Zamora. “The industry has to keep abreast of the changes that are taking place to obtain the necessary protocols to confront attackers.” To develop a comprehensive security strategy, companies need to evaluate their networks, endpoints and other infrastructure to detect and respond to threats.
Unlike traditional threat management tools like firewalls and SIEM systems, which leave security gaps, threat hunting focuses on proactive measures. “One of the basics when we consider cyberattacks is the dwell time, which represents the entire time an attacker has free reign in a system until they are eradicated.” This time period is normally measured in days, explains Zamora. In 2018, dwell time was estimated to be 204 days but was reduced to 54 days in 2019. However, this large dwell time remains a significant problem because gives an attacker an average of 54 days in which they can attack or steal information from a company, often causing a stronger attack later on.
Threat hunting reduces dwell time by identifying threats in an early stage. Unlike many other security systems, threat hunting is a strategy based on offense. “Through this strategy the hunter thinks like an attacker, gaining practical knowledge of a company’s entire cybersecurity system and knowing that protective measures to take,” said Zamora.
A key characteristic of threat hunting is that it uses deception techniques that lure both external and internal threats to decoys for automated detection and response. “It is like giving Fake News to the attackers,” said Zamora. “What would happen if cybercriminals’ techniques and tactics were used against them by using an active defense approach, rather than a reactive or passive approach?” When the attackers take the bait, they catch themselves quickly and without damage to the company. The suggestion is to make the attackers deal with false positives to waste their time and gather intelligence of the strategies they use.”
By implementing threat hunting, companies can take an active approach to predict and prevent costly data breaches, security incidents and disruptions. This will later allow them to reduce costs, increase efficiency, expand response capabilities and maximizing investments. To effectively hunt for threats, explains Zamora, a company must be prepared and ready to respond at any given moment and under any circumstances. Preparation is key because a threat hunter or team cannot operate without rules of engagement.
“By taking a proactive approach, we are actively looking for incidents, we get to know malware and variants, patterns of activity are easier to follow and we get to have a “Broken Window” response that tells clients when their security was broken,” said Zamora. He also highlights the need to use an Endpoint Protection Platform (EPP) and an Endpoint Detection and Response (EDR), which allows companies to detect risky behaviors, perform threat hunting, find root causes and control devices.
The process of threat hunting follows several stages:
- Identification and Scooping of all the systems that were compromised.
- Contained / Intelligence Developer: Discovery of how the intruders breached the network, how they are laterally moving and identifying the malware they used.
- Eradication / Remediation: Blocking of malicious IP addresses, rebuilding compromised systems and changing passwords in the enterprise.
- Recovery: Going back to the day-to-day business.
- Lessons Learned: Providing follow-up, looking for new breaches and auditing the network.
An analysis of post-incident activity is also essential as an evaluation of the Containment, Eradication and Recovery stages, it allows hunters to give recommendations and insights to prevent or contain further attacks. Threat hunting can allow companies to continuously improve of its capabilities, reduce security breaches and attempts, support faster and early detection of potential compromises and bring measurable security improvements. To remain protected companies should use threat intelligence, create an endpoint baseline, monitor the integrity of their files and use EPP, EDR and deception technologies and techniques, urged Zamora.