Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

10/6/2016
10:30 AM
David Amsler
David Amsler
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Why Its Always Cyber Hunting Season (& What To Do About It)

To stop today's most capable and persistent adversaries, security organizations must rely less on tools and more on human analysis.

Today’s cyber threats are attacking networks, disrupting businesses, and covertly stealing intellectual property that can only be found through one proven method: proactively hunting for them. Too many organizations rely on automated tools or "magic bullet" security technologies that detect threats using known signatures, rules or malware "sandboxing" concepts – but this is not enough to stop the most capable attackers who cause significant damage and data loss.

There are close to 400 new threats every minute in the United States alone, 70 percent of which go undetected, according to Sarbjit Nahal, head of thematic investing at Bank of America. It’s time for companies to hunt for the threat, rather than react to cybersecurity events.

While many organizations, particularly those in highly regulated industries, have been wary of allowing too many cyber personnel into their systems to monitor or detect attacks, the reality is the enemy is often already inside. If malicious code is dormant or threat actors already have legitimate remote access, they can lie unseen within the enterprise for months.

Financial firms, for example, take an average of 98 days to detect a data breach, according to the Ponemon Institute. The length of time that a threat is able to remain in the system after compromise but before containment, referred to as "dwell time," is a critical metric for enterprise security teams and their senior leadership.

In fact, we need to change our thinking from measuring security based on quantitative measurements of alerts or rules and signatures to a qualitative approach comprised of three key metrics:

  • Time to Identification or time it takes to identify a compromise;
  • Time of exposure, which measures how long vulnerabilities have been left in the open to attack;
  • Dwell time, the most important of all three.

These measurements are quantifiable metrics that chief information security officers (CISOs) should be concerned about and tracking.

To reduce time to identification, time of exposure and dwell time, security teams must transition to a more proactive approach by implementing methodologies that "hunt" for attackers, their behaviors and anomalies inside enterprise event sources with a clear understanding of the business’s mission. These cyber hunters, both machines and humans, search a network environment for suspicious behavior based on advanced analytics, custom content and tools, contextualized threat intelligence, and visibility from monitoring software. Then, after the hunters detect the threats, they can reverse engineer the malware and conduct sophisticated forensic analysis to understand how it arrived on each host, its capabilities, both observed and dormant, and the damage or exposure it caused. Finally, hunters work with IT and security teams to contain the threat.

The Hunt for Cyber Hunting Talent
Monitoring and remediation tools fail time and again to detect threats deemed critical or high, which include persistent attacks from experienced actors, such as nation states. Only human analysts with the assistance of sophisticated tools can recognize, respond and contain today’s adversaries. For example, during a recent assessment of a Fortune 500 hedge fund, our hunters found code lurking inside the system that had been there for 10 months in only twelve minutes. Similarly, a healthcare provider found malware embedded in its systems for 14 months that had been exfiltrating data from the network. Well-known industry tools failed to catch it, but hunters identified the infection almost immediately.  

When discussing where to find the expertise necessary to perform hunting, there is an industry-wide mantra that the talent pool is shallow and organizations can’t find or afford the experts they need. This isn’t surprising as many young adults are still unaware of the career opportunities in cybersecurity. According to a survey conducted last fall by Raytheon and the National CyberSecurity Alliance, 46% of young adults ages 18-26 said that cybersecurity programs and activities were not available to them in school and 79% said they have never spoken to a practicing cybersecurity professional.

The majority of young adults entering the workforce today are unprepared for cyber careers, so organizations must implement intensive training about how to detect threats and how to respond. For threat hunting to be effective it requires both employee training and education, as well as machine learning capabilities to identify anomalies or unusual behavior rather than simple detection of a known threat like malware. One of the main points that many organizations are missing from their cyber defense strategies is effective lateral movement detection and mitigation of bad actors already within their network. Proactive threat hunting fills this need.

The security industry needs to make a commitment to train and mentor the next generation of cyber hunters through mandatory hands-on classroom learning, mentoring, and online courses. This process starts with university partnerships and a willingness to identify candidates in unconventional places. Cyber hunting requires great talent, but aptitude and attitude, combined with effective training can trump industry veterans who often must unlearn poor or outdated practices.  

Organizational leaders used to view security operations as a compliance checkbox and a reactive task. Reactive systems that recognize known threats do not detect the most damaging adversaries, who can only be caught by hunting for behaviors and stealthy attackers that a lot of times look like normal users or systems. Organizations must shift strategy to rely less on tools and more on talent.

Related Content:

 

David Amsler is founder of Foreground Security, which was recently acquired by Raytheon Company. Given his level of expertise and knowledge, Amsler has taught more than 350 information security courses to top government organizations, including the Internal Revenue Service, ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
SeanF206
50%
50%
SeanF206,
User Rank: Apprentice
10/6/2016 | 10:56:29 AM
Fantastic Article, will share with my industry
Thanks for taking the time to write this, very good read.
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21981
PUBLISHED: 2021-04-19
VMware NSX-T contains a privilege escalation vulnerability due to an issue with RBAC (Role based access control) role assignment. Successful exploitation of this issue may allow attackers with local guest user account to assign privileges higher than their own permission level.
CVE-2021-20989
PUBLISHED: 2021-04-19
Fibaro Home Center 2 and Lite devices with firmware version 4.600 and older initiate SSH connections to the Fibaro cloud to provide remote access and remote support capabilities. This connection can be intercepted using DNS spoofing attack and a device initiated remote port-forward channel can be us...
CVE-2021-20990
PUBLISHED: 2021-04-19
In Fibaro Home Center 2 and Lite devices with firmware version 4.600 and older an internal management service is accessible on port 8000 and some API endpoints could be accessed without authentication to trigger a shutdown, a reboot or a reboot into recovery mode.
CVE-2021-20991
PUBLISHED: 2021-04-19
In Fibaro Home Center 2 and Lite devices with firmware version 4.540 and older an authenticated user can run commands as root user using a command injection vulnerability.
CVE-2021-20992
PUBLISHED: 2021-04-19
In Fibaro Home Center 2 and Lite devices in all versions provide a web based management interface over unencrypted HTTP protocol. Communication between the user and the device can be eavesdropped to hijack sessions, tokens and passwords.