Time to load up for the threat-hunting season
While everyone is away cyber criminals can play, so ensure you check for signs of malicious activity.
The holiday period means time off for employees and for cyber security departments, that often means skeleton crews working shorter hours and responding to high-priority alerts.
Threat actors know this, and often use these periods to sneak malware into a system and leave it latent until the right moment.
This infiltration can easily go unnoticed over the new year, and the malicious code sitting within the company system may not be exploited for several months. By the time the threat actor is ready to launch their attack, they have everything they need in place to steal data, transfer money to their own accounts, or wreak havoc.
Post-holiday threat-hunting activities can help businesses find these pieces of malware and safely remove them from the network. Threat-hunting activities were recently legislated in Singapore, and we believe it is advisable for all Australian businesses to conduct them.
What is threat hunting?
Threat hunting is a proactive effort to search for signs of malicious activities that have evaded security defences within an organisation. Threat hunters are able to uncover hidden threats that may be waiting to execute an attack or find events that have already compromised the environment.
Effective threat hunting helps uncover hidden advanced persistent threats (APTs), cyber crime, policy misuse, insider threats, poor security practises and environmental vulnerabilities. The activity aims to identify attacks that slipped past your defensive shield.
Let there be logs
In most countries in the Asia-Pacific, legislation mandates that organisations should collect and store logs of all attempts to access the company’s network and digital assets, as well as the number of network connection attempts from both within and outside the company. Best practise for cyber security hygiene also encourages organisations to collect and store firewall logs, domain name system logs, web proxy logs, and network-based intrusion prevention and detection system logs.
The logs should use a consistent time source, be protected against unauthorised access, and be stored for a minimum of 12 months. Moreover, it is best if the logs are monitored by a log retention policy with a log file structure that facilitates analysis. These logs should be available for any threat-hunting investigation.
While some legislations in the region only require a threat hunt or a compromise assessment every year or so, organisations would be well served to complete a threat-hunting exercise annually following the holidays. Any cyber security risks that are identified during the threat-hunting exercise should be included in cyber security risk assessments to ensure that any found threats are assessed, mitigated and tracked. Additionally, they should investigate those threats to determine whether any incident took place in the past.
Detect and survive
Threat hunting sounds fine in theory but can be challenging in practise, especially when it involves different security technologies and disparate log data. It’s why extended detection and response vendors are able to offer a much more efficient solution. Collected endpoint data includes all network connections, file events, and registry events. This creates a rich hunting ground to proactively identify hidden threats, risks, and vulnerabilities and empower your team to mitigate risks that degrade your security posture proactively.
However, even with access to this vast collection of data, without automation and AI it is still challenging to hunt effectively without a full-time team of threat intelligence experts, malware reverse engineers, hunters, and investigators. For this reason, cyber security vendors offer a threat hunting/compromise assessment service. For example, some cyber security vendors provide expert hunters that will leverage their proprietary methodology and intelligence enrichment to hunt your global environment and provide a prioritised roadmap of identified threats and risks with mitigation guidance for every finding.
Peace of mind
Threat hunting allows security teams to proactively get ahead of the latest threats by hunting for malicious activity. It helps to improve a company’s true risk posture and prevent any number of cyber incidents from progressing into full-blown attacks. When threat-hunting activities are complete, they provide confidence and peace of mind to security teams who no longer need to worry about latent threats hiding within the network.
Threat hunting is an important element in building up an organisation’s security posture. However, for organisations to stay safe, they need to ensure they have the right tools and processes in place to conduct the hunt. Otherwise, they may pass over a threat that is hiding in plain sight.
Niranjan Jayanand is WatchTower threat hunting manager, Asia Pacific, at SentinelOne.