Proactive cybersecurity: sometimes offense is the best defense

In today’s cybersecurity environment—with new types of incidents and threat vectors constantly emerging—organizations can’t afford to sit back and wait to be attacked. They need to be proactive and on the offensive when it comes to defending their networks, systems, and data.

It’s important to understand that launching an offensive cybersecurity strategy does not mean abandoning traditional defensive measures such as deploying firewalls, intrusion detection systems (IDS), anti-malware software, patch management, security information and event management (SIEM), and other such tools.

Going on the offensive with cybersecurity involves taking extra steps to preemptively identify weaknesses before bad actors can take advantage of them. It means thinking like they do and anticipating their moves. While the idea of taking a proactive approach to security is not new, it has taken on greater significance given the level of risk so many organizations face today.

Threat hunting strategy

One of the most effective ways to be proactive with security is to deploy a threat-hunting strategy. Cyber threat hunting is a proactive defense initiative in which security teams search through their networks to find and isolate advanced threats that evade existing security tools.

Whereas traditional solutions such as firewalls and IDS generally involve investigating evidence after an organization has received a warning of a possible threat, threat hunting means going out to look for threats before they even materialize into an alert.

Gain visibility

Several key components make up the foundation of a strong threat-hunting program. The first is the ability to maintain a complete, real-time picture of the organization’s environment so that threats have no place in which to hide. If the security team is not able to see the threats within their organization’s environment, how can it take the necessary steps to stop them?

Having the kind of visibility that’s needed can be a challenge for many organizations. The typical IT infrastructure today is made up of diverse, dynamic, and distributed endpoints that create a complex environment in which threat vectors can easily stay out of sight for weeks or even months.

That’s why an organization needs technology that allows it to locate each endpoint in its environment and know whether it’s local, remote, or in the cloud; identify active users, network connections, and other data for each of the endpoints; visualize lateral movement paths attackers can traverse to reach valuable targets; and verify whether policies are set on each of the endpoints so the security team can identify any gaps.

Proactively hunt for threats

The second key component of threat hunting is the ability to proactively hunt for known or unknown threats across the environment within a matter of seconds. Security teams need to know if there are active threats already in the environment.

They need to be able to search for new, unknown threats that signature-based endpoint tools miss; hunt for threats directly on endpoints, rather than through partial logs; investigate individual endpoints as well as the entire environment within minutes without creating a strain on network performance; and determine the root causes of any incidents experienced on any endpoint devices within the environment.

Remediating threats

The third foundational component of threat hunting is the ability to respond to and resolve any threats that the security team finds within the same unified platform. Finding a threat is not enough—it has to be obliterated.

A threat-hunting solution should enable security teams to easily shift from threat hunting to response by using a single dataset and platform; quickly applying defensive controls to endpoints during an incident; learning from incidents and, through this knowledge, hardening the environment to prevent similar attacks; and streamlining policy management to keep endpoints in a secure state at all times.

What to look for in a threat-hunting solution

A key factor to look for in a threat-hunting solution is the ability to use statistical analysis to better understand whether particular incidents are notable. That can only happen when a system can enrich telemetry in real time, at scale, and in constantly changing situations.

Security teams can leverage every log source, piece of telemetry, and bit of endpoint metadata and traffic flow in an aggregated manner to get a clear understanding of what’s going on. Threat actors will not be able to get into an organization’s environment completely undetected. It’s only a matter of whether the threat-hunting team is leveraging the right data to track them down.

It’s important for threat-hunting teams to have high-confidence threat intelligence and to follow the right feeds. While enriching alerts with real-time intelligence is not always easy, it’s vital for success. Teams need to work with trusted sources of data and must be able to filter that data to reduce false positives as well as false negatives.
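The triage logic the last two paragraphs describe, as an added example that is not from the article or any vendor product: a fleet-wide prevalence statistic flags observations that are rare across endpoints, and a threat-intelligence feed enriches each observation but only counts when the feed's confidence clears a threshold, so a low-confidence indicator does not produce a false positive. The telemetry rows, the indicator feed, and the field names are constructed for this example.

```python
"""Prevalence-based hunting over constructed endpoint telemetry, with
threat-intel enrichment filtered by feed confidence (example only)."""
from collections import defaultdict

# Constructed telemetry: (endpoint, process name, remote host contacted).
TELEMETRY = [
    ("ws-01", "chrome.exe", "cdn.example.com"),
    ("ws-02", "chrome.exe", "cdn.example.com"),
    ("ws-03", "chrome.exe", "cdn.example.com"),
    ("ws-04", "outlook.exe", "mail.example.com"),
    ("ws-05", "outlook.exe", "mail.example.com"),
    ("ws-06", "outlook.exe", "mail.example.com"),
    ("ws-07", "svchosst.exe", "203.0.113.7"),   # misspelled name, seen on one host only
    ("ws-08", "chrome.exe", "cdn.example.com"),
]

# Constructed intel feed: indicator -> (feed name, confidence 0-100).
INTEL = {
    "203.0.113.7": ("feed-a", 90),
    "cdn.example.com": ("feed-b", 20),   # low confidence: treat as noise
}

def prevalence(events):
    """Fraction of endpoints on which each (process, remote host) pair was seen."""
    seen_on = defaultdict(set)
    for endpoint, proc, remote in events:
        seen_on[(proc, remote)].add(endpoint)
    total = len({endpoint for endpoint, _, _ in events})
    return {key: len(hosts) / total for key, hosts in seen_on.items()}

def hunt(events, intel, rarity_threshold=0.15, min_confidence=70):
    """Return observations that are rare in the fleet or match a
    high-confidence indicator; each finding records why it was flagged."""
    prev = prevalence(events)
    findings = []
    for endpoint, proc, remote in events:
        reasons = []
        if prev[(proc, remote)] <= rarity_threshold:
            reasons.append("rare")
        feed, confidence = intel.get(remote, (None, 0))
        if confidence >= min_confidence:      # filters out low-confidence feeds
            reasons.append(f"intel:{feed}")
        if reasons:
            findings.append({"endpoint": endpoint, "process": proc, "remote": remote,
                             "prevalence": prev[(proc, remote)], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in hunt(TELEMETRY, INTEL):
        print(f)
```

Lowering `min_confidence` below 20 would let feed-b's entry flag every chrome.exe row, which is exactly the false-positive volume the paragraph warns about.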

In addition to threat hunting, organizations can leverage services such as penetration testing and threat intelligence. With penetration testing, an organization hires a service provider to launch a simulated attack against its networks and systems to evaluate security.

Such tests identify weaknesses that might enable unauthorized actors to gain access to the organization’s data. Based on the results, the security team can make any needed enhancements to address the vulnerabilities.

Cyber threat intelligence is any information about threats and threat actors that is intended to help companies mitigate potential attacks in cyberspace. Sources of the information might include open-source intelligence, social media, device log files, and others.

Over the past few years, threat intelligence has become an important component of cybersecurity strategies, because it helps organizations be more proactive in their approach and determine which threats represent the greatest risks.

By being proactive about security, organizations can be out in front of the ever-expanding threat landscape. They can help to ensure that they’re not just waiting impassively for attacks to come, but taking initiatives to stop bad actors before they can act.

Learn how a converged endpoint management platform can help CIOs keep pace with tomorrow’s threats. Check out this eBook, The cybersecurity fail-safe: Converged Endpoint Management.