10/6/2016
10:30 AM
David Amsler

Why It's Always Cyber Hunting Season (& What To Do About It)

To stop today's most capable and persistent adversaries, security organizations must rely less on tools and more on human analysis.

Today's cyber threats are attacking networks, disrupting businesses, and covertly stealing intellectual property, and they can only be found through one proven method: proactively hunting for them. Too many organizations rely on automated tools or "magic bullet" security technologies that detect threats using known signatures, rules or malware "sandboxing" concepts, but this is not enough to stop the most capable attackers, who cause significant damage and data loss.

There are close to 400 new threats every minute in the United States alone, 70 percent of which go undetected, according to Sarbjit Nahal, head of thematic investing at Bank of America. It’s time for companies to hunt for the threat, rather than react to cybersecurity events.

While many organizations, particularly those in highly regulated industries, have been wary of allowing too many cyber personnel into their systems to monitor or detect attacks, the reality is the enemy is often already inside. If malicious code is dormant or threat actors already have legitimate remote access, they can lie unseen within the enterprise for months.

Financial firms, for example, take an average of 98 days to detect a data breach, according to the Ponemon Institute. The length of time that a threat is able to remain in the system after compromise but before containment, referred to as "dwell time," is a critical metric for enterprise security teams and their senior leadership.

In fact, we need to change our thinking from measuring security by quantitative counts of alerts, rules and signatures to a qualitative approach made up of three key metrics:

  • Time to identification, the time it takes to identify a compromise;
  • Time of exposure, which measures how long vulnerabilities have been left in the open to attack;
  • Dwell time, the most important of all three.

These measurements are quantifiable metrics that chief information security officers (CISOs) should be concerned about and tracking.
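To make the three metrics concrete, here is an added example, not from the article, that computes them over constructed incident records and reports medians the way a CISO dashboard might. The sample dates are invented, and the rule that exposure closes at containment (when the weakness is remediated) is my assumption.

```python
"""Time-to-identification, time-of-exposure and dwell-time metrics over constructed incident records."""
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional


@dataclass
class Incident:
    name: str
    vuln_exposed: datetime          # weakness became exploitable/known (assumed start of exposure)
    compromised: datetime           # first attacker foothold, as established by forensics
    identified: Optional[datetime]  # compromise confirmed by a hunt or alert; None if still unknown
    contained: Optional[datetime]   # attacker access cut off; None while the incident is open


def time_to_identification(inc: Incident, now: datetime) -> int:
    """Days from compromise to confirmation; an unidentified incident keeps counting up to 'now'."""
    return ((inc.identified or now) - inc.compromised).days


def time_of_exposure(inc: Incident, now: datetime) -> int:
    """Days the weakness stayed open; assumed to close at containment, when it is remediated."""
    return ((inc.contained or now) - inc.vuln_exposed).days


def dwell_time(inc: Incident, now: datetime) -> int:
    """Days from compromise to containment, not to detection: an identified but open case still dwells."""
    return ((inc.contained or now) - inc.compromised).days


def metrics_report(incidents, now):
    """Per-incident rows plus the median of each metric, so one long-running case does not hide the rest."""
    rows = [{"name": i.name, "open": i.contained is None,
             "tti_days": time_to_identification(i, now),
             "exposure_days": time_of_exposure(i, now),
             "dwell_days": dwell_time(i, now)} for i in incidents]
    summary = {k: median(r[k] for r in rows) for k in ("tti_days", "exposure_days", "dwell_days")}
    return rows, summary


# Constructed sample data: three hypothetical incidents, not real cases.
NOW = datetime(2016, 10, 6)
SAMPLE = [
    Incident("long-undetected", datetime(2015, 11, 1), datetime(2015, 12, 1), datetime(2016, 9, 20), datetime(2016, 9, 25)),
    Incident("identified-still-open", datetime(2016, 7, 1), datetime(2016, 8, 1), datetime(2016, 10, 1), None),
    Incident("caught-fast", datetime(2016, 8, 15), datetime(2016, 9, 1), datetime(2016, 9, 2), datetime(2016, 9, 3)),
]

if __name__ == "__main__":
    rows, summary = metrics_report(SAMPLE, NOW)
    for r in rows:
        print(r)
    print("medians:", summary)
```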

To reduce time to identification, time of exposure and dwell time, security teams must transition to a more proactive approach by implementing methodologies that "hunt" for attackers, their behaviors and anomalies inside enterprise event sources with a clear understanding of the business’s mission. These cyber hunters, both machines and humans, search a network environment for suspicious behavior based on advanced analytics, custom content and tools, contextualized threat intelligence, and visibility from monitoring software. Then, after the hunters detect the threats, they can reverse engineer the malware and conduct sophisticated forensic analysis to understand how it arrived on each host, its capabilities, both observed and dormant, and the damage or exposure it caused. Finally, hunters work with IT and security teams to contain the threat.

The Hunt for Cyber Hunting Talent
Monitoring and remediation tools fail time and again to detect threats deemed critical or high, which include persistent attacks from experienced actors, such as nation states. Only human analysts with the assistance of sophisticated tools can recognize, respond to and contain today's adversaries. For example, during a recent assessment of a Fortune 500 hedge fund, our hunters took only twelve minutes to find code that had been lurking inside the system for 10 months. Similarly, a healthcare provider found malware that had been embedded in its systems for 14 months, exfiltrating data from the network. Well-known industry tools failed to catch it, but hunters identified the infection almost immediately.

When discussing where to find the expertise necessary to perform hunting, there is an industry-wide mantra that the talent pool is shallow and organizations can’t find or afford the experts they need. This isn’t surprising as many young adults are still unaware of the career opportunities in cybersecurity. According to a survey conducted last fall by Raytheon and the National CyberSecurity Alliance, 46% of young adults ages 18-26 said that cybersecurity programs and activities were not available to them in school and 79% said they have never spoken to a practicing cybersecurity professional.

The majority of young adults entering the workforce today are unprepared for cyber careers, so organizations must implement intensive training about how to detect threats and how to respond. For threat hunting to be effective it requires both employee training and education, as well as machine learning capabilities to identify anomalies or unusual behavior rather than simple detection of a known threat like malware. One of the main points that many organizations are missing from their cyber defense strategies is effective lateral movement detection and mitigation of bad actors already within their network. Proactive threat hunting fills this need.

The security industry needs to make a commitment to train and mentor the next generation of cyber hunters through mandatory hands-on classroom learning, mentoring, and online courses. This process starts with university partnerships and a willingness to identify candidates in unconventional places. Cyber hunting requires great talent, but aptitude and attitude, combined with effective training, can trump industry veterans who often must unlearn poor or outdated practices.

Organizational leaders used to view security operations as a compliance checkbox and a reactive task. Reactive systems that recognize known threats do not detect the most damaging adversaries, who can only be caught by hunting for behaviors and for stealthy attackers that often look like normal users or systems. Organizations must shift strategy to rely less on tools and more on talent.

David Amsler is founder of Foreground Security, which was recently acquired by Raytheon Company. Given his level of expertise and knowledge, Amsler has taught more than 350 information security courses to top government organizations, including the Internal Revenue Service, ...
Comments
SeanF206, User Rank: Apprentice, 10/6/2016 | 10:56:29 AM
Fantastic Article, will share with my industry
Thanks for taking the time to write this, very good read.