It may be tempting to create specialized hunt teams because they pinpoint problem areas and find the attacks, but that shouldn't be at the expense of basic IT administration, network monitoring, and defense-in-depth strategy. Cyberhunting starts with the assumption "I have been breached" and looks for evidence to support that assumption, and dedicated incident response and forensics kick in when that evidence has been found and the damage has to be contained. They are very distinct skill sets, and both are necessary. Defenders need all of these elements to work together.
Stop the cancer
Threat hunting isn't a new concept, and many organizations have already adopted some form of the practice as part of their overall security plan. In a recent SANS Institute survey, 86 percent of IT professionals said they had implemented threat hunting processes in their organizations and 75 percent claimed threat hunting had reduced their attack surface.
As with every other aspect of information security, there's a time and place for cyberhunting. Enterprises should look at the Hunting Maturity Model developed by Sqrrl Data's Bianco to judge if they are ready to begin hunting. The model defines maturity based on three factors: the quality of data collected, the tools available foraccessing and analyzing that data, and the skills of those performing the analysis. A skilled enough analyst with high-quality data can compensate for deficiencies in the toolset, but for the most part, organizations should focus on all three factors.
In order to get anywhere you must first know where you are and where you want to be," Bianco wrote in a blog post outlining the model.
Enterprises need to reduce the breach detection gap -- more than half a year to discover a breach is unacceptable. Start with the assumption that attackers are already present and keep looking until either the compromise has been found, or there's conclusive proof that your environment hasn't been compromised.
Think of the enterprise as a biological system that has been infected, and threat hunting as a way to discover how far the infection has spread and what kind of damage it is causing.
"Threat hunting is catching cancer in the early stages, before it metastasizes and kills you," Lovejoy says.
Sign up for MIS Asia eNewsletters.