SolarWinds fallout

by Mark Rowe

It’s time for threat hunting to go on the front foot, says Miles Tappin, VP of EMEA at security operations platform company ThreatConnect.

The SolarWinds hack of the software supply chain – considered the most significant and far-reaching cyber espionage operation targeting the US government to date – could radically change the way both businesses and governments approach risk-based threat hunting.

Following the attack, leading figures in the cyber security industry have realised that a new approach to finding, understanding and quantifying risk is needed. At the beginning of this year, the Cybersecurity and Infrastructure Security Agency (CISA) issued a request for information (RFI) on the industry’s ability to support a Threat Hunting Task Management Tracking System. As the lead US federal agency for managing national cybersecurity efforts, CISA issued the RFI after a bipartisan congressional commission succeeded in getting a threat hunting requirement into the 2021 National Defense Authorization Act (NDAA).

Under this Act, the Defense Department has until September to determine the “feasibility, suitability, definition of, and resourcing required to establish a defence industrial base cybersecurity threat hunting program to actively identify cybersecurity threats and vulnerabilities.”

From Reactive to Proactive Threat Hunting

Security teams are inundated with alerts and response efforts, often making proactive security exercises like threat hunting a pipe dream. Reactive threat hunting — searching for a threat based on an alert from a detection device without knowing for sure if it is an actual threat or a false positive — has been how most organisations have approached threat hunting for the past 20 years.

Security professionals often find themselves stuck in a never-ending cycle – gathering more information, which creates more alerts, which leads to teams being overwhelmed and fatigued. Adversaries, therefore, can find opportunities by targeting businesses with an already overwhelmed defensive set-up.

Proactive threat hunting flips this script entirely. It takes a strategic, risk-based approach to define the threat landscape more precisely. A risk-based approach looks at the threats most relevant to a particular organisation, based on specifically identified, critical risk scenarios. For example, those scenarios could be specific to a domain such as industrial control systems, finance or insurance, or they could be a general threat that applies to organisations because of their supply chain model.

This approach enables CISOs to better understand the threats and the adversaries they are most likely to face. A proactive approach can help security teams understand the type of activity associated with a particular adversary, campaign or operation. From that position, they can look inwards – do we have any vulnerabilities we know a likely adversary will target? Where are our weaknesses? And how can we plug gaps and enhance our existing systems?

This move from reactive to proactive threat hunting is likely to be spurred on by significant exploits, like SolarWinds, forcing security teams worldwide to radically rethink how they find and assess threats.

There are significant business benefits for those organisations with a tightly integrated Threat Intelligence Platform (TIP) and Security Orchestration, Automation and Response (SOAR) platform when it comes to threat hunting.

Integrating the two can help alleviate some of the stress on under-pressure Security Operations Centers (SOCs) and incident responders. Bringing in a SOAR enables businesses to automate a large proportion of the activities that would typically have been done manually by an analyst in the SOC or incident response team.

So now, instead of every alert about a suspected phishing email going to an analyst who has to take time to review it, a SOAR platform can enrich and prioritise the alerts so that analysts focus only on the most significant threats to the organisation.
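The risk-based prioritisation described above, and the SOAR-style automation of the enrichment step, can be sketched in a few dozen lines. The following is an added illustration and not ThreatConnect code; the intel feed, the adversary names, the organisation's risk profile and the alerts are all constructed sample data, and the scoring formula (intel confidence, weighted by how relevant the adversary is to the organisation's risk scenarios, multiplied by asset criticality) is an assumption chosen for the example.

```python
"""Risk-based alert triage, as a SOAR playbook might run it.

Added illustration, not ThreatConnect code. Every feed entry, adversary
name, risk weight and alert below is constructed sample data.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed threat-intel feed: indicator -> (adversary, confidence 0-100).
# IPs are from documentation ranges; domains use the reserved .example TLD.
THREAT_INTEL = {
    "203.0.113.7":   ("ADVERSARY-A", 90),
    "evil.example":  ("ADVERSARY-B", 60),
    "198.51.100.21": ("ADVERSARY-C", 40),
}

# Constructed risk profile: the adversaries the organisation's critical risk
# scenarios (sector, supply-chain model) say it is most likely to face, with
# a relevance weight. Adversaries not listed get a small default weight.
RISK_PROFILE = {
    "ADVERSARY-A": 1.0,   # known to target our sector's supply chain
    "ADVERSARY-B": 0.5,   # opportunistic, occasionally hits our sector
}
DEFAULT_RELEVANCE = 0.1

@dataclass
class Alert:
    alert_id: str
    source: str                 # e.g. "email-gateway", "edr", "proxy"
    indicators: list[str]
    asset_criticality: int      # 1 (low) .. 5 (crown jewels)
    score: float = 0.0
    matches: list[str] = field(default_factory=list)

def enrich(alert: Alert) -> Alert:
    """Look each indicator up in the intel feed and record adversary matches
    (the step an analyst would otherwise do by hand for every alert)."""
    alert.matches = []  # idempotent: re-running enrichment does not duplicate
    for ioc in alert.indicators:
        hit = THREAT_INTEL.get(ioc)
        if hit:
            adversary, confidence = hit
            alert.matches.append(f"{ioc}->{adversary}({confidence})")
    return alert

def score(alert: Alert) -> float:
    """Combine intel confidence, adversary relevance and asset criticality.
    A hit on an adversary outside the risk profile still counts, but at a low
    weight, so the threats relevant to this organisation sort to the top."""
    total = 0.0
    for ioc in alert.indicators:
        hit = THREAT_INTEL.get(ioc)
        if not hit:
            continue
        adversary, confidence = hit
        relevance = RISK_PROFILE.get(adversary, DEFAULT_RELEVANCE)
        total += (confidence / 100.0) * relevance
    alert.score = round(total * alert.asset_criticality, 3)
    return alert.score

def triage(alerts: list[Alert], escalate_at: float = 0.5):
    """Return (escalate, parked): alerts ranked for analyst attention, and
    those the playbook would park or auto-close without spending analyst time."""
    escalate, parked = [], []
    for a in alerts:
        enrich(a)
        score(a)
        (escalate if a.score >= escalate_at else parked).append(a)
    escalate.sort(key=lambda a: a.score, reverse=True)
    return escalate, parked

# Constructed alerts, as a SOC might receive them in one shift.
SAMPLE_ALERTS = [
    Alert("A1", "email-gateway", ["evil.example"], asset_criticality=2),
    Alert("A2", "edr", ["203.0.113.7"], asset_criticality=5),
    Alert("A3", "email-gateway", ["benign.example"], asset_criticality=3),
    Alert("A4", "proxy", ["198.51.100.21"], asset_criticality=2),
]

if __name__ == "__main__":
    escalated, parked = triage(SAMPLE_ALERTS)
    for a in escalated:
        print(f"ESCALATE {a.alert_id} score={a.score} matches={a.matches}")
    for a in parked:
        print(f"PARK     {a.alert_id} score={a.score} matches={a.matches}")
```

On the sample data the EDR hit on a crown-jewel asset from the sector-relevant adversary lands at the top, the phishing alert with a medium-confidence match is still escalated but ranked below it, and the alert with no intel match and the low-relevance proxy hit are parked. The point of the risk profile is that the same indicator would score differently at an organisation with different critical risk scenarios; the weights are where that risk assessment is encoded, and they should be reviewed as the threat landscape changes.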

Some organisations employ dedicated threat hunting teams. While this may appear to be a strategic approach, the reality is they often do not have buy-in from the business leadership, and as a result they tend to flounder. However, by using technology intelligently, businesses can start to tie together all of the teams — the SOC, incident response, the threat intel teams, and the risk teams — so that they can provide a strategic response. This frees up the cyber security team so that they can go out and proactively hunt threats. And with all businesses, regardless of sector, facing an increasing number of attacks, now is the time for threat hunting to go on the front foot.


© 2024 Professional Security Magazine. All rights reserved.