To stop today’s most capable and persistent adversaries, security organizations must rely less on tools and more on human analysis.
Today’s cyber threats are attacking networks, disrupting businesses, and covertly stealing intellectual property that can only be found through one proven method: proactively hunting for them. Too many organizations rely on automated tools or “magic bullet” security technologies that detect threats using known signatures, rules or malware “sandboxing” concepts – but this is not enough to stop the most capable attackers who cause significant damage and data loss.
There are close to 400 new threats every minute in the United States alone, 70 percent of which go undetected, according to Sarbjit Nahal, head of thematic investing at Bank of America. It’s time for companies to hunt for the threat, rather than react to cybersecurity events.
While many organizations, particularly those in highly regulated industries, have been wary of allowing too many cyber personnel into their systems to monitor or detect attacks, the reality is the enemy is often already inside. If malicious code is dormant or threat actors already have legitimate remote access, they can lie unseen within the enterprise for months.
Financial firms, for example, take an average of 98 days to detect a data breach, according to the Ponemon Institute. The length of time that a threat is able to remain in the system after compromise but before containment, referred to as “dwell time,” is a critical metric for enterprise security teams and their senior leadership.
In fact, we need to change our thinking from measuring security based on quantitative measurements of alerts or rules and signatures to a qualitative approach comprised of three key metrics:
- Time to Identification or time it takes to identify a compromise;
- Time of exposure, which measures how long vulnerabilities have been left in the open to attack;
- Dwell time, the most important of all three.
These measurements are quantifiable metrics that chief information security officers (CISOs) should be concerned about and tracking.
To reduce time to identification, time of exposure and dwell time, security teams must transition to a more proactive approach by implementing methodologies that “hunt” for attackers, their behaviors and anomalies inside enterprise event sources with a clear understanding of the business’s mission. These cyber hunters, both machines and humans, search a network environment for suspicious behavior based on advanced analytics, custom content and tools, contextualized threat intelligence, and visibility from monitoring software. Then, after the hunters detect the threats, they can reverse engineer the malware and conduct sophisticated forensic analysis to understand how it arrived on each host, its capabilities, both observed and dormant, and the damage or exposure it caused. Finally, hunters work with IT and security teams to contain the threat.
The Hunt for Cyber Hunting Talent
Monitoring and remediation tools fail time and again to detect threats deemed critical or high, which include persistent attacks from experienced actors, such as nation states. Only human analysts with the assistance of sophisticated tools can recognize, respond and contain today’s adversaries. For example, during a recent assessment of a Fortune 500 hedge fund, our hunters found code lurking inside the system that had been there for 10 months in only twelve minutes. Similarly, a healthcare provider found malware embedded in its systems for 14 months that had been exfiltrating data from the network. Well-known industry tools failed to catch it, but hunters identified the infection almost immediately.
When discussing where to find the expertise necessary to perform hunting, there is an industry-wide mantra that the talent pool is shallow and organizations can’t find or afford the experts they need. This isn’t surprising as many young adults are still unaware of the career opportunities in cybersecurity. According to a survey conducted last fall by Raytheon and the National CyberSecurity Alliance, 46% of young adults ages 18-26 said that cybersecurity programs and activities were not available to them in school and 79% said they have never spoken to a practicing cybersecurity professional.
The majority of young adults entering the workforce today are unprepared for cyber careers, so organizations must implement intensive training about how to detect threats and how to respond. For threat hunting to be effective it requires both employee training and education, as well as machine learning capabilities to identify anomalies or unusual behavior rather than simple detection of a known threat like malware. One of the main points that many organizations are missing from their cyber defense strategies is effective lateral movement detection and mitigation of bad actors already within their network. Proactive threat hunting fills this need.
The security industry needs to make a commitment to train and mentor the next generation of cyber hunters through mandatory hands-on classroom learning, mentoring, and online courses. This process starts with university partnerships and a willingness to identify candidates in unconventional places. Cyber hunting requires great talent, but aptitude and attitude, combined with effective training can trump industry veterans who often must unlearn poor or outdated practices.
Organizational leaders used to view security operations as a compliance checkbox and a reactive task. Reactive systems that recognize known threats do not detect the most damaging adversaries, who can only be caught by hunting for behaviors and stealthy attackers that a lot of times look like normal users or systems. Organizations must shift strategy to rely less on tools and more on talent.
David Amsler is founder of Foreground Security, which was recently acquired by Raytheon Company. Given his level of expertise and knowledge, Amsler has taught more than 350 information security courses to top government organizations, including the Internal Revenue Service, … View Full Bio