
10/6/2016 10:30 AM
David Amsler
Commentary

Why It’s Always Cyber Hunting Season (& What To Do About It)

To stop today's most capable and persistent adversaries, security organizations must rely less on tools and more on human analysis.

Today’s cyber threats are attacking networks, disrupting businesses, and covertly stealing intellectual property that can only be found through one proven method: proactively hunting for them. Too many organizations rely on automated tools or "magic bullet" security technologies that detect threats using known signatures, rules or malware "sandboxing" concepts – but this is not enough to stop the most capable attackers who cause significant damage and data loss.

There are close to 400 new threats every minute in the United States alone, 70 percent of which go undetected, according to Sarbjit Nahal, head of thematic investing at Bank of America. It’s time for companies to hunt for the threat, rather than react to cybersecurity events.

While many organizations, particularly those in highly regulated industries, have been wary of allowing too many cyber personnel into their systems to monitor or detect attacks, the reality is the enemy is often already inside. If malicious code is dormant or threat actors already have legitimate remote access, they can lie unseen within the enterprise for months.

Financial firms, for example, take an average of 98 days to detect a data breach, according to the Ponemon Institute. The length of time that a threat is able to remain in the system after compromise but before containment, referred to as "dwell time," is a critical metric for enterprise security teams and their senior leadership.

In fact, we need to change our thinking from measuring security by quantitative counts of alerts, rules and signatures to a qualitative approach built on three key metrics:

  • Time to identification, the time it takes to identify a compromise;
  • Time of exposure, which measures how long vulnerabilities have been left open to attack;
  • Dwell time, the most important of the three.

These measurements are quantifiable metrics that chief information security officers (CISOs) should be concerned about and tracking.

To reduce time to identification, time of exposure and dwell time, security teams must transition to a more proactive approach by implementing methodologies that "hunt" for attackers, their behaviors and anomalies inside enterprise event sources with a clear understanding of the business’s mission. These cyber hunters, both machines and humans, search a network environment for suspicious behavior based on advanced analytics, custom content and tools, contextualized threat intelligence, and visibility from monitoring software. Then, after the hunters detect the threats, they can reverse engineer the malware and conduct sophisticated forensic analysis to understand how it arrived on each host, its capabilities, both observed and dormant, and the damage or exposure it caused. Finally, hunters work with IT and security teams to contain the threat.

The Hunt for Cyber Hunting Talent
Monitoring and remediation tools fail time and again to detect threats deemed critical or high, which include persistent attacks from experienced actors such as nation states. Only human analysts, assisted by sophisticated tools, can recognize, respond to and contain today’s adversaries. For example, during a recent assessment of a Fortune 500 hedge fund, our hunters found, in only twelve minutes, code that had been lurking inside the system for 10 months. Similarly, a healthcare provider found malware that had been embedded in its systems for 14 months and had been exfiltrating data from the network. Well-known industry tools failed to catch it, but hunters identified the infection almost immediately.

When discussing where to find the expertise necessary to perform hunting, there is an industry-wide mantra that the talent pool is shallow and that organizations can’t find or afford the experts they need. This isn’t surprising, as many young adults are still unaware of the career opportunities in cybersecurity. According to a survey conducted last fall by Raytheon and the National CyberSecurity Alliance, 46% of young adults ages 18-26 said that cybersecurity programs and activities were not available to them in school, and 79% said they have never spoken to a practicing cybersecurity professional.

The majority of young adults entering the workforce today are unprepared for cyber careers, so organizations must implement intensive training in how to detect threats and how to respond. Effective threat hunting requires both employee training and education and machine learning capabilities that identify anomalies or unusual behavior, rather than simple detection of a known threat such as malware. One of the main points that many organizations are missing from their cyber defense strategies is effective detection and mitigation of lateral movement by bad actors already inside their network. Proactive threat hunting fills this need.
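As an added illustration of the behaviour-based lateral-movement hunting this paragraph calls for (example code, not from the article or its author), the script below baselines each account's daily fan-out of destination hosts from constructed logon records and flags the day an account suddenly reaches far more hosts than usual; the record layout, hostnames and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logons (timestamp, account, destination host); the
# field layout is an assumption for this example, not any product's format.
SAMPLE_LOGONS = """
2016-09-01T09:01:00 alice fileserver01
2016-09-02T09:03:00 alice fileserver01
2016-09-03T02:11:00 alice fileserver01
2016-09-03T02:12:00 alice ws-bob
2016-09-03T02:13:00 alice ws-carol
2016-09-03T02:14:00 alice dc01
2016-09-01T08:00:00 bob fileserver01
2016-09-02T08:05:00 bob fileserver01
2016-09-03T08:01:00 bob fileserver01
"""

def parse_logons(text):
    """Parse one logon per line into (day, account, destination) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, account, dst = line.split()
        events.append((datetime.fromisoformat(ts).date(), account, dst))
    return events

def hunt_fanout(events, factor=2.0, min_hosts=3):
    """Behavioural hunt: flag (account, day) pairs whose distinct-destination
    count is at least `min_hosts` and more than `factor` times the account's
    median fan-out on its other days. Returns {(account, day): count}."""
    hosts = defaultdict(set)
    for day, account, dst in events:
        hosts[(account, day)].add(dst)
    daily = defaultdict(dict)          # account -> {day: distinct host count}
    for (account, day), dsts in hosts.items():
        daily[account][day] = len(dsts)
    findings = {}
    for account, days in daily.items():
        for day, count in days.items():
            others = sorted(n for d, n in days.items() if d != day)
            if not others:             # a single day gives no baseline
                continue
            baseline = others[len(others) // 2]   # (upper) median
            if count >= min_hosts and count > factor * baseline:
                findings[(account, day)] = count
    return findings

if __name__ == "__main__":
    for (account, day), n in hunt_fanout(parse_logons(SAMPLE_LOGONS)).items():
        print(f"{day} {account}: reached {n} distinct hosts (unusual fan-out)")
```

The account's own history is the baseline, so no signature of a known tool is needed; in practice the thresholds would be tuned per environment to keep service accounts and administrators from flooding the result.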

The security industry needs to make a commitment to train and mentor the next generation of cyber hunters through mandatory hands-on classroom learning, mentoring, and online courses. This process starts with university partnerships and a willingness to identify candidates in unconventional places. Cyber hunting requires great talent, but aptitude and attitude, combined with effective training, can trump industry veterans who often must unlearn poor or outdated practices.

Organizational leaders used to view security operations as a compliance checkbox and a reactive task. Reactive systems that recognize known threats do not detect the most damaging adversaries, who can only be caught by hunting for behaviors and for stealthy attackers that often look like normal users or systems. Organizations must shift strategy to rely less on tools and more on talent.

David Amsler is founder of Foreground Security, which was recently acquired by Raytheon Company. Given his level of expertise and knowledge, Amsler has taught more than 350 information security courses to top government organizations, including the Internal Revenue Service, ...

Comments

SeanF206, User Rank: Apprentice, 10/6/2016 | 10:56:29 AM
Fantastic Article, will share with my industry
Thanks for taking the time to write this, very good read.