Organizations today need to embrace the new digital world and embrace practices such as remote working, while also being aware that this new way of business expands attack surfaces by opening new doors for hackers to exploit by working opportunistically to take advantage of this shift in global workforces.
When an enterprise starts building their infrastructure on-prem or on cloud, they invest in security controls such as DDoS prevention, Next-Gen Firewall IDS/IPS, Web Content Filtering, CASB, WAF, Anti-malware, Encryption at rest and in transit, etc. Despite the effort and large investment, serious vigilance is still required to ensure security since threats are constantly evolving.
With threat vectors evolving every day, threat landscapes cannot be viewed in silos. Organizations should consider a ubiquitous security approach which is proactive yet adaptive by adding an early stage component of threat hunting to the traditional threat detection approach. Passive threat detection is mandatory for preventing the security issues we know about; while active threat hunting utilizes the power of human expertise to fill any gaps. Combining the strengths of both is essential to have a comprehensive security platform.
Threat detection refers to the passive monitoring of security events, network threats, endpoint threats, and other forms of event data that all together provide detailed information about potential malicious events on user machines, as well as any behavioral or forensic information to aid in investigating threats. Security threat prevention controls such as Next-Gen Firewall, EDR, CASB, WAF, Anti-malware, Encryption at rest, etc. can help to block most of the known threats targeted at an organization’s network. Threat detection picks up where threat actors bypass threat prevention controls. Whereas threat hunting is a proactive approach of investigating and seeking out known and unknown threats at the earliest stages of attack, instead of relying upon a threat detection system and alerts. Threat hunters look through all present and historic collected data with the hypothesis that is available for previously undetected threats based on IOCs, threat intelligence and behavioral anomalies of a newly identified malware strain or the TTPs associated with a specific actor.
It is unrealistic to believe that your organization will never be compromised. And how would you know if you were compromised, or if your organization has vulnerabilities or misconfigurations? The typical answer is that you would not detect a compromise until you got informed by a third party that significant damage has already been caused. Zensar’s threat hunting service follows best practices and is a vital approach to detect and stop malicious intrusions and cyber threats which already exist and may be visible in the future into systems.
The objectives of threat hunting programs is to validate existing security controls and compliance; to proactively identify threats in an enterprise environment; determine policy violations and cloud misconfigurations; and discovering unauthorized software which were previously unknown. This involves hunting and detection libraries, high enough fidelity, and quality of the client’s products and services.
Threat hunting provides a better understanding of what has occurred and how to improve an organization’s threat and risk environment against similar future attacks, which can be used as input for an improved threat posture and strengthening an enterprise’s cyber threat hunting maturity model.
Zensar’s Approach for Threat Hunting
Data Collection — processed and managed centrally to provide deep insights and track record of activities in an enterprise network, proxy logs, DNS logs, firewall logs, access logs and endpoint data, system and app event logs, and server logs.
Hypothesis — includes a suspected attacker’s tactics, techniques, and procedures (TTPs) and uses threat intelligence, SIEM and vulnerability data, anomalies, environmental knowledge and experience that starts with a threat modeling process based on the objectives.
Hunting — is based on the hypothesis, indicator of compromise for the malicious activity, any intrusions, anomalous behaviour, unusual port activity or other IOC’s. The threat hunters search rapidly between metadata and enriched flow records using threat intelligence and packet level data to reach definitive conclusions.
Investigation Technology (ie: XDR) — can hunt or search deep into potentially malicious anomalies in a system or network. Hypothesis will be validated and identify threats or a false-positive. Once the threat is identified, a security incident would be raised into the ITSM tool.
Response — with automated security tools to resolve and mitigate the threats. Respective actions such as removing malware files, restoring altered or deleted files to their original state, updating firewall /IPS rules, deploying security patches, changing system configurations, fine tune rules, and alerts and use cases refinement to reduce false positives, would be taken to stop the damage and disruption caused by respective threats.
Organizations typically see 65–70% of known-known threats which can be easily mitigated/prevented through threat prevention techniques such as Firewall, IPS, etc.; 20–25% of known-unknown threats can be detected by threat detection; and the remaining >10% of unknown-unknown threats are the most difficult to detect and respond which validates why threat hunting is needed. Threat hunting does not always find signs of compromise, but it dramatically increases your visibility and understanding of your environment.
Zensar’s team of hunters shifts the perspective from the conventional way of managing security to the modern approach of being proactive and adaptive, allowing enterprises to be cyber resilient by proactive detection and maturity to gain powerful security advantage.