
Attacks/Breaches
10/6/2016 10:30 AM
David Amsler
Commentary

Why It's Always Cyber Hunting Season (& What To Do About It)

To stop today's most capable and persistent adversaries, security organizations must rely less on tools and more on human analysis.

Today’s cyber threats attack networks, disrupt businesses, and covertly steal intellectual property, and they can only be found through one proven method: proactively hunting for them. Too many organizations rely on automated tools or "magic bullet" security technologies that detect threats using known signatures, rules or malware "sandboxing" concepts, but this is not enough to stop the most capable attackers, who cause significant damage and data loss.

There are close to 400 new threats every minute in the United States alone, 70 percent of which go undetected, according to Sarbjit Nahal, head of thematic investing at Bank of America. It’s time for companies to hunt for the threat, rather than react to cybersecurity events.

While many organizations, particularly those in highly regulated industries, have been wary of allowing too many cyber personnel into their systems to monitor or detect attacks, the reality is the enemy is often already inside. If malicious code is dormant or threat actors already have legitimate remote access, they can lie unseen within the enterprise for months.

Financial firms, for example, take an average of 98 days to detect a data breach, according to the Ponemon Institute. The length of time that a threat is able to remain in the system after compromise but before containment, referred to as "dwell time," is a critical metric for enterprise security teams and their senior leadership.

In fact, we need to change our thinking: instead of measuring security by quantitative counts of alerts, rules and signatures, we should take a qualitative approach built on three key metrics:

  • Time to identification, the time it takes to identify a compromise;
  • Time of exposure, which measures how long vulnerabilities have been left open to attack;
  • Dwell time, the most important of the three.

These measurements are quantifiable metrics that chief information security officers (CISOs) should be concerned about and tracking.
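The three metrics above are only useful if they are computed the same way for every incident, including incidents that are still open. The following is an added example (not code from the article or its author) that computes per-incident and median values from constructed incident records; the interval endpoints it uses are assumptions, since the article names the metrics without fixing them.

```python
from datetime import date
from statistics import median

# Constructed sample incident records (not from the article). Each holds the
# day a vulnerability became open to attack in the environment, the day the
# attacker first gained access, the day the compromise was identified, the day
# it was contained, and the day the vulnerability was closed; None = not yet.
INCIDENTS = [
    {"id": "INC-1", "vuln_open": date(2016, 1, 4), "compromised": date(2016, 2, 1),
     "identified": date(2016, 5, 10), "contained": date(2016, 5, 12),
     "vuln_closed": date(2016, 5, 20)},
    {"id": "INC-2", "vuln_open": date(2015, 11, 2), "compromised": date(2015, 11, 9),
     "identified": date(2016, 1, 11), "contained": date(2016, 1, 11),
     "vuln_closed": date(2016, 1, 15)},
    # Still open: identified but not yet contained, vulnerability not yet closed.
    {"id": "INC-3", "vuln_open": date(2016, 8, 1), "compromised": date(2016, 8, 15),
     "identified": date(2016, 9, 30), "contained": None, "vuln_closed": None},
]
TODAY = date(2016, 10, 6)  # reporting date used to close any unfinished interval

def _days(start, end, today):
    """Whole days from start to end; an unfinished interval runs up to today."""
    return ((end or today) - start).days

def incident_metrics(inc, today=TODAY):
    """Per-incident values of the three metrics, in days.

    Endpoints are assumed here (the article names the metrics without fixing
    them): compromise->detection, compromise->containment, vulnerability open->
    closed. Unfinished intervals run up to `today`, so an open incident inflates
    the metric instead of silently dropping out of it.
    """
    return {
        "time_to_identification": _days(inc["compromised"], inc["identified"], today),
        "dwell_time": _days(inc["compromised"], inc["contained"], today),
        "time_of_exposure": _days(inc["vuln_open"], inc["vuln_closed"], today),
        "still_open": inc["contained"] is None,
    }

def summarize(incidents, today=TODAY):
    """Median of each metric across incidents, plus how many are still open."""
    rows = [incident_metrics(i, today) for i in incidents]
    keys = ("time_to_identification", "dwell_time", "time_of_exposure")
    summary = {k: median(r[k] for r in rows) for k in keys}
    summary["open_incidents"] = sum(r["still_open"] for r in rows)
    return summary

if __name__ == "__main__":
    print(summarize(INCIDENTS))
```

Medians rather than means keep one long-running incident from masking the typical case, while the open-incident count makes the still-running intervals visible to leadership.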

To reduce time to identification, time of exposure and dwell time, security teams must transition to a more proactive approach by implementing methodologies that "hunt" for attackers, their behaviors and anomalies inside enterprise event sources with a clear understanding of the business’s mission. These cyber hunters, both machines and humans, search a network environment for suspicious behavior based on advanced analytics, custom content and tools, contextualized threat intelligence, and visibility from monitoring software. Then, after the hunters detect the threats, they can reverse engineer the malware and conduct sophisticated forensic analysis to understand how it arrived on each host, its capabilities, both observed and dormant, and the damage or exposure it caused. Finally, hunters work with IT and security teams to contain the threat.

The Hunt for Cyber Hunting Talent
Monitoring and remediation tools fail time and again to detect threats deemed critical or high, which include persistent attacks from experienced actors such as nation states. Only human analysts, assisted by sophisticated tools, can recognize, respond to and contain today’s adversaries. For example, during a recent assessment of a Fortune 500 hedge fund, our hunters took only twelve minutes to find code that had been lurking inside the system for 10 months. Similarly, a healthcare provider found malware that had been embedded in its systems for 14 months and had been exfiltrating data from the network. Well-known industry tools failed to catch it, but hunters identified the infection almost immediately.

When discussing where to find the expertise necessary to perform hunting, there is an industry-wide mantra that the talent pool is shallow and organizations can’t find or afford the experts they need. This isn’t surprising as many young adults are still unaware of the career opportunities in cybersecurity. According to a survey conducted last fall by Raytheon and the National CyberSecurity Alliance, 46% of young adults ages 18-26 said that cybersecurity programs and activities were not available to them in school and 79% said they have never spoken to a practicing cybersecurity professional.

The majority of young adults entering the workforce today are unprepared for cyber careers, so organizations must implement intensive training in how to detect threats and how to respond. Effective threat hunting requires employee training and education, as well as machine learning capabilities that identify anomalies or unusual behavior rather than simply detecting a known threat such as a malware sample. One of the main points that many organizations are missing from their cyber defense strategies is effective detection and mitigation of lateral movement by bad actors already within their network. Proactive threat hunting fills this need.

The security industry needs to make a commitment to train and mentor the next generation of cyber hunters through mandatory hands-on classroom learning, mentoring, and online courses. This process starts with university partnerships and a willingness to identify candidates in unconventional places. Cyber hunting requires great talent, but aptitude and attitude, combined with effective training, can trump industry veterans who often must unlearn poor or outdated practices.

Organizational leaders used to view security operations as a compliance checkbox and a reactive task. Reactive systems that recognize known threats do not detect the most damaging adversaries, who can only be caught by hunting for behaviors and for stealthy attackers that often look like normal users or systems. Organizations must shift strategy to rely less on tools and more on talent.

David Amsler is founder of Foreground Security, which was recently acquired by Raytheon Company. Given his level of expertise and knowledge, Amsler has taught more than 350 information security courses to top government organizations, including the Internal Revenue Service, ...
Comments
SeanF206, User Rank: Apprentice, 10/6/2016 | 10:56:29 AM
Fantastic Article, will share with my industry
Thanks for taking the time to write this, very good read.