Vulnerability assessments and penetration testing may uncover areas where hackers can break in, but what if they are already there? Cyber threat hunting is a proactive strategy to identify if anyone is already on your network versus waiting for an actual breach to occur. Most breaches occur weeks or even months after the attacker gets a foothold on the network, so if you can find them before they unleash their payload on your environment, you can potentially save your institution time, money, and reputational damage.
Proactive vs. Reactive
It all starts with understanding what is normal versus abnormal activity on your network. Many advanced endpoint solutions can help identify anomalous activity. You also need a fully integrated security information and event management (SIEM) system to correlate data across all systems on the network. Once the endpoint solution is in place, you need to establish a baseline: you need to know what type of activity is expected and normal. This information, correlated across all systems on the network, will help you identify anomalies and potential cyber security threats.
Identifying Anomalies
Now that you have identified your normal baseline and the anomalies on your network, you need to start thinking like an attacker, and the cyber threat hunting process can begin. This starts with mapping out attacker tactics and techniques so you can see what a potential attacker may do to exploit your network. This should include looking into the anomalous activity, identifying increased traffic between machines, reviewing account lockout information, and analyzing off-hour activity.
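As an added example (not code from the original post), the hunting checks just listed as a small Python pass over constructed authentication events: a quiet baseline period defines the normal host-to-host paths, then recent events are screened for off-hours logins, new paths, bursts of failed logins and account lockouts. The event layout, the 07:00 to 20:00 business window and the failure threshold are assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample auth events (not real data): timestamp,user,src_host,dst_host,outcome
SAMPLE_EVENTS = """\
2024-03-04T09:12:00,alice,ws01,file01,success
2024-03-05T10:05:00,alice,ws01,file01,success
2024-03-05T14:30:00,bob,ws02,file01,success
2024-03-06T09:55:00,bob,ws02,file01,success
2024-03-06T02:13:00,alice,ws07,dc01,success
2024-03-06T02:14:00,svc_backup,ws07,dc01,failure
2024-03-06T02:14:05,svc_backup,ws07,dc01,failure
2024-03-06T02:14:10,svc_backup,ws07,dc01,failure
2024-03-06T02:14:20,svc_backup,ws07,dc01,lockout
"""

def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, user, src, dst, outcome = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "dst": dst, "outcome": outcome})
    return events

def hunt(baseline, recent, business_hours=range(7, 20), fail_threshold=3):
    """Compare recent events with the baseline period; return a list of finding strings."""
    known_paths = {(e["src"], e["dst"]) for e in baseline}  # paths seen during normal activity
    reported_paths, failures, findings = set(), Counter(), []
    for e in recent:
        path = (e["src"], e["dst"])
        if e["outcome"] == "success" and e["ts"].hour not in business_hours:
            findings.append(f"off-hours login: {e['user']} from {e['src']} at {e['ts']:%H:%M}")
        if path not in known_paths and path not in reported_paths:  # new machine-to-machine traffic
            reported_paths.add(path)
            findings.append(f"new host path: {e['src']} -> {e['dst']} (first seen by {e['user']})")
        if e["outcome"] == "failure":
            failures[e["user"]] += 1
            if failures[e["user"]] == fail_threshold:  # report the burst once per user
                findings.append(f"failure burst: {e['user']} hit {fail_threshold} failed logins")
        elif e["outcome"] == "lockout":
            findings.append(f"account lockout: {e['user']} on {e['dst']}")
    return findings

def run_sample():
    # Baseline = the quiet days (4-5 March); hunt over the events of 6 March.
    events = parse_events(SAMPLE_EVENTS)
    baseline = [e for e in events if e["ts"].day < 6]
    recent = [e for e in events if e["ts"].day == 6]
    return hunt(baseline, recent)
```

Calling `run_sample()` returns four findings for the constructed data: the 02:13 login, the never-before-seen ws07 to dc01 path, the failed-login burst and the lockout of svc_backup.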
Mitigating Cyber Threats
Bam! You found something on your network that should not be there and, fortunately, it is still dormant. The first step is to enact your incident response plan. Success! You isolated the threat, deployed countermeasures and stopped it from performing any attacks. Unfortunately, that doesn’t mean you’re done. You need to continually monitor your network and keep hunting.
By employing cyber threat hunting tools, you are taking steps to reduce the potential for reputational and financial damage stemming from a future breach. This proactive approach uses the procedures you may already have in place to identify anomalies. Once you have identified a possible intrusion, you can take action to remedy it and prevent further attacks on your systems. Stay safe and happy hunting!