Over the last few years, an influx of high-profile industry security issues (PDF) have placed offensive tactics among the top priorities for corporations to help mitigate the risk of a potential attack. With many companies opting to continue remote and hybrid working environments, potential security risks cannot go ignored or be left to chance, and an emphasis on developing greater defensive security tactics, working in tandem with offensive security teams, is essential for identifying behaviors of potential threats and building stronger barriers against evolving challengers.
Threat hunting, in particular, has emerged as a must-have security component for companies. It encompasses the tasks of identifying patterns of threat behaviors and hunting for anomalies and changes occurring in an environment based on suspicious activity — with the goal of building defenses to combat threats.
But what makes a successful threat-hunting program? The reality is that identifying suspicious activity may not be as straightforward as it seems. It requires a comprehensive approach with proactive manual detection, constant communication between teams, and an investment in the right people to bring the process to life.
Hunting for the Right Skills
Threat hunting requires a human touch to thoroughly review suspicious patterns and scour the environment for threats that haven't yet been identified by a company's existing security tooling and processes. It's a heavily strategic game of cat and mouse to find potential adversaries and advanced persistent threats (APTs), predict their next move, and stop them in their tracks.
A successful threat hunter needs to have a thorough understanding of their environment, the known threats their team has faced, and the ability to problem-solve and think critically about hidden avenues adversaries could take to gain access. In a way, this is the ultimate detective work, and it becomes the building blocks for designing better defensive protocols. Investing in the right people on the team and fostering a culture of open communication is essential.
To receive leads or hunt ideas, Adobe's threat-hunting team has created a messaging bot app that security teams, such as the security operations center or incident response, can use to have seamless collaboration with the hunt team. Once hunts are completed, hunt reports are shared with the cross-functional security teams and relevant stakeholders to improve the existing security posture of the organization.
The hunt team works hand-in-hand with the detection function to help improve current methods and input new data based on emerging tactics used by adversaries. They also collaborate closely with the team responsible for central operational security data to help identify gaps, misconfigurations, and bolster enrichments to help security teams utilize that data more effectively.
However, while threat hunting tends to mainly rely on manual processes, automated processes and machine learning can certainly aid in the hunting effort. Aggregated data analytics can help to quickly find anomalies in data patterns within a company's network, shortening the time teams need to spend combing through data.
At Adobe, we are building multiple UEBA (user and entity behavior analytics) pipelines using machine learning and advanced data analytics to review large volumes of log data and help us spot anomalies that indicate a user's or entity's behavior change. These anomalies are turned into hunt leads (or alerts) after further enrichment and correlation for human review and escalation when needed.
Stopping Adversaries in their Tracks
With the right team in place, security teams can begin mapping out their plan of attack and strategy to identify APTs:
- Rally behind a hypothesis of how adversaries could potentially gain access to the network
- Create a clear goal for the program (e.g., reducing time adversaries spend in the network, reduce the number of high-impact threats, etc.)
- Analyze data for anomalies and work cross-team to build new, improved defenses
Not all threat-hunting campaigns will be equally successful, so it's just as important to create a plan for tailoring threat-hunting programs as your company collects more insights on current data trends and adversaries. Be honest with your teams about what's working, what isn't, and new ways to leverage machine learning and other tools to support your goals.
When combined with offensive tactics, threat hunting is a valuable addition to your security efforts. It should be viewed as an ever-evolving strategic approach to identify potential issues, and an essential component of a successful, comprehensive security program.