By Mridula Mishra, VMware Lead Security Engineer, and Craig Savage, VMware Senior Security Strategist
Malware, phishing, compromised credentials (representing one-third of breaches), outdated and unpatched systems, as well as attacks originating with the supply chain and third-party vendors have redefined the war with cybercriminals. The traditional enterprise approach to such incidents involves threat detection, a reactive model in which IT teams take action after an alert occurs. But with the proliferation of the cloud, remote workers, endless device types and other factors, simply detecting a threat is not enough anymore since, by the time proper measures are taken, it’s often too late.
This is where the new concept of threat hunting comes into play. With threat hunting, incident response teams actively seek potential issues based on activity patterns, intelligence, and even hunches. Once a threat is validated, it is then mitigated via the reactive model (see Figure 1).
Figure 1. Threat hunting methodologies fit seamlessly with the existing security infrastructure
Threats come in all shapes and sizes. So does threat hunting
Unlike traditional approaches, today there are simply too many variables for enterprises to take a one-size-fits-all approach to security. Threat hunting must be customized for each company’s unique requirements, especially for a multinational enterprise.
That said, there are general recommendations for effective threat hunting. Start by speculating and testing, then map the results onto a threat framework. From there, ensure you consistently maintain a holistic perspective and always know the environment(s) your team is managing. And don’t forget to narrow the focus of your efforts, as even the best threat hunting programs can fail if spread too thin.
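The speculate, test, map loop carried through for one hypothesis about compromised credentials, as an added example that is not from the post: a source that fails against several accounts and then logs in successfully. The log lines are constructed for the example, and the mapping to MITRE ATT&CK technique IDs is my assumption, since the post does not name a framework.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log (timestamp user source outcome); not from the post.
SAMPLE_LOG = """\
2024-03-01T08:00:01 alice 203.0.113.7 FAIL
2024-03-01T08:00:04 bob 203.0.113.7 FAIL
2024-03-01T08:00:07 carol 203.0.113.7 FAIL
2024-03-01T08:00:10 dave 203.0.113.7 FAIL
2024-03-01T08:01:02 dave 203.0.113.7 SUCCESS
2024-03-01T08:05:00 alice 198.51.100.5 FAIL
2024-03-01T08:05:20 alice 198.51.100.5 SUCCESS
2024-03-01T09:00:00 bob 192.0.2.9 FAIL
2024-03-01T09:00:01 bob 192.0.2.9 FAIL
2024-03-01T09:00:02 bob 192.0.2.9 FAIL
2024-03-01T09:00:03 bob 192.0.2.9 FAIL
2024-03-01T09:30:00 bob 192.0.2.9 SUCCESS
"""

def parse_log(text):
    """Parse 'ts user source outcome' lines into time-sorted tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, src, outcome = line.split()
            events.append((datetime.fromisoformat(ts), user, src, outcome))
    return sorted(events)

def hunt_credential_abuse(events, min_failures=4, window_minutes=10):
    """Hypothesis: a source that fails >= min_failures times within the window
    and then logs in successfully has probably compromised that account."""
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[2]].append(ev)
    findings = []
    for src, evs in by_src.items():
        for i, (ts, user, _, outcome) in enumerate(evs):
            if outcome != "SUCCESS":
                continue
            fails = [e for e in evs[:i] if e[3] == "FAIL" and ts - e[0] <= window]
            if len(fails) < min_failures:
                continue  # benign typos, or failures too old to be related
            users = {e[1] for e in fails}
            # Map the validated hit onto a threat framework. ATT&CK IDs are my
            # assumption; the post does not name a framework.
            technique = "T1110.003 Password Spraying" if len(users) > 1 else "T1110.001 Password Guessing"
            findings.append({"source": src, "account": user, "failures": len(fails),
                             "distinct_users": len(users), "technique": technique})
    return findings
```

Widening `window_minutes` turns the slow single-account case at 192.0.2.9 into a second finding, which is the kind of parameter a hunter tunes when a first pass is too narrow or too noisy.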
Where to begin? State your intent—and always make progress
First, keep in mind that threat hunting is a progression, not a single state, which is logical given the ever-changing nature of cyberattacks on the enterprise. There are five main categories of this progression—architecture, passive defense, active defense, intelligence, and offense.
Architecture involves the planning, establishment, and upkeep of every system with security as a core component. Once the requisite architecture is in place, a passive defense is implemented. This means adding autonomous and semi-autonomous systems that provide robust defense against, and insight into, threats without constant human interaction. Concurrently, an active defense is mounted, consisting of analysts monitoring, responding to, and learning from adversaries inside the network.
All this data is then collected and converted into information that produces actionable intelligence. The intelligence is used offensively, through legal countermeasures and other self-defense actions, and is also fed back into the passive and active defense processes.
What actually triggers a threat hunt?
As mentioned, every enterprise has unique security needs, yet bad actors seldom specialize in narrow, limited-scope attacks. Put differently, hackers know that people are people, and the most tried-and-true methods of breaching security are usually still the most effective. So, while the technology may change, the targets and approaches are familiar to security personnel.
The list below, while not exhaustive, shows that many triggers have been common threats as long as the internet has existed—and cybercriminals always aim for the low-hanging fruit first (see Figure 2).
Figure 2. Common triggers for a threat hunt
Overall, the biggest obstacle to implementing effective threat hunting is corporate indifference, in particular the “we’ve always done it this way” attitude. That’s why it’s vital to get buy-in from both the staff involved and their management. The next hurdle is to be realistic about potential threats and eliminate any sacred cows (“an attack like that has never happened, so we don’t need to worry”) that could leave the company blindsided by a bad actor.
The rest flows smoothly as threat hunting easily fits in with the existing security ecosystem and, in fact, only serves to augment it.
Good luck, and happy hunting!
VMware on VMware blogs are written by IT subject matter experts sharing stories about our digital transformation using VMware products and services in a global production environment.