IT departments around the world are taking a proactive stance on cybersecurity threats with positive results, according to a new study. McAfee released the results of a survey of 700 organizations' IT departments on how involved they are in threat hunting. The responses indicate that they are very involved.
The practice of threat hunting is a fairly new one that involves a proactive approach to tackling security threats against an organization. Threat hunters don't merely guard against malware but against human adversaries who have the intent, capability and opportunity to inflict harm, according to a SANS Institute white paper. Threat hunting requires intensive critical thinking skills and involves levels of automation and analytics to stop threats before they happen or before they cause serious harm.
McAfee rated companies by a maturity level of zero to four, with zero indicating that organizations have only initial measures in place to detect threats and respond to incidents. A four, on the other hand, indicates high levels of data collection and analysis to identify and prevent threats.
The key findings of this study were that organizations with a higher maturity level were more successful at investigating threats, with 71 percent of organizations with a level four maturity closing incidents in less than a week.
What Makes a Skilled Threat Hunter?
The study indicated that skilled threat hunters utilize automated processes to gather and analyze data so they can spend time and resources on other tasks. Many tasks that security experts do manually, such as sandboxing suspected code, endpoint detection/response and user behavior analysis, can now be automated. And the more threat hunters automate, the more data they can gather and analyze.
Another aspect of automation described by the study has threat hunters acting like white blood cells: not only is malware and malicious code recognized, but the techniques used by adversaries are identified and deterred. The steps that were used to successfully detect and deal with a threat can be automated, helping ensure that an adversary's same tricks won't work twice.
Data Is Your Friend
Threat intelligence and how organizations use it is also what makes them successful at repelling threats. Indicators of compromise (IOC) reports are an essential tool, but high-ranking threat hunters use IOCs to validate their own findings through their own research and don't solely rely on them.
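As an added illustration (not code from the article or from McAfee's study) of the two ideas above, codifying the steps of a successful hunt so they run automatically and using IOC reports to corroborate findings rather than as the sole trigger, the following Python script runs two behavioral hunt rules over constructed sample log lines and then checks each finding against a placeholder IOC feed. Every indicator, host, username, path, rule name and the key=value log format is constructed for this example.

```python
import re
from collections import defaultdict

# Constructed IOC feed (placeholder values, not real indicators). The hunter
# uses it to corroborate behavioral findings, not as the only alert source.
IOC_IPS = {"203.0.113.77"}      # TEST-NET-3 placeholder address
IOC_SHA256 = {"f" * 64}         # placeholder hash

# Constructed sample events: "<timestamp> <kind> key=value ..."
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z auth host=web01 user=alice src=203.0.113.77 result=FAIL",
    "2024-05-01T10:00:03Z auth host=web01 user=alice src=203.0.113.77 result=FAIL",
    "2024-05-01T10:00:05Z auth host=web01 user=alice src=203.0.113.77 result=FAIL",
    "2024-05-01T10:00:09Z auth host=web01 user=alice src=203.0.113.77 result=SUCCESS",
    "2024-05-01T10:02:00Z auth host=web01 user=bob src=198.51.100.5 result=FAIL",
    "2024-05-01T10:02:30Z auth host=web01 user=bob src=198.51.100.5 result=SUCCESS",
    f"2024-05-01T10:05:00Z proc host=web01 user=alice image=C:\\Users\\Public\\svc.exe sha256={'a' * 64}",
    f"2024-05-01T10:06:00Z proc host=web01 user=carol image=C:\\Windows\\System32\\cmd.exe sha256={'b' * 64}",
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>\w+)\s+(?P<rest>.*)$")


def parse_event(line):
    """Parse one constructed log line into a dict; None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"ts": m.group("ts"), "kind": m.group("kind")}
    for kv in m.group("rest").split():
        key, _, value = kv.partition("=")
        ev[key] = value
    return ev


def hunt_brute_force_then_success(events, threshold=3):
    """Behavioral hunt: a burst of failed logins for one (user, source)
    pair followed by a success from that same pair."""
    fails = defaultdict(int)
    findings = []
    for ev in events:
        if ev["kind"] != "auth":
            continue
        key = (ev["user"], ev["src"])
        if ev["result"] == "FAIL":
            fails[key] += 1
        elif ev["result"] == "SUCCESS" and fails[key] >= threshold:
            findings.append({"rule": "brute_force_then_success", "ts": ev["ts"],
                             "host": ev["host"], "user": ev["user"],
                             "src": ev["src"], "failures": fails[key]})
            fails[key] = 0
    return findings


# Constructed list of directories an unprivileged user can write to.
USER_WRITABLE_PREFIXES = ("c:\\users\\public\\", "c:\\programdata\\", "/tmp/")


def hunt_exec_from_user_writable(events):
    """Behavioral hunt: a process image launched from a user-writable path."""
    findings = []
    for ev in events:
        if ev["kind"] != "proc":
            continue
        if ev["image"].lower().startswith(USER_WRITABLE_PREFIXES):
            findings.append({"rule": "exec_from_user_writable", "ts": ev["ts"],
                             "host": ev["host"], "user": ev["user"],
                             "image": ev["image"], "sha256": ev.get("sha256", "")})
    return findings


def corroborate(findings, ioc_ips=IOC_IPS, ioc_hashes=IOC_SHA256):
    """Use the IOC feed to raise confidence in findings the hunts already
    produced; a finding with no IOC hit is kept, just at lower confidence."""
    for f in findings:
        hits = []
        if f.get("src") in ioc_ips:
            hits.append("src_ip")
        if f.get("sha256") in ioc_hashes:
            hits.append("sha256")
        f["ioc_hits"] = hits
        f["confidence"] = "high" if hits else "medium"
    return findings


# Each successful hunt is codified here so it runs on every batch of logs.
HUNTS = [hunt_brute_force_then_success, hunt_exec_from_user_writable]


def run_hunts(lines, hunts=HUNTS):
    """Parse lines, run every codified hunt, and corroborate with IOCs."""
    events = [e for e in map(parse_event, lines) if e]
    findings = []
    for hunt in hunts:
        findings.extend(hunt(events))
    return corroborate(findings)


if __name__ == "__main__":
    for finding in run_hunts(SAMPLE_LOGS):
        print(finding)
```

On the sample above the login burst against alice is found by behavior alone and then raised to high confidence because the source address is in the IOC feed, while the executable run from a user-writable directory stays a medium-confidence finding with no IOC hit; bob's single failure and the System32 process trigger nothing. Adding a new entry to HUNTS is the "won't work twice" step: the reasoning from one investigation becomes a rule that runs on every future batch.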
Tools Don't Make the Hunter
Nearly all threat hunters are using the latest and most sophisticated tools to combat threats. However, lower-rated organizations using the same tools as higher-rated ones don't have the same success rate. The study finds that even the best tools don't equate to more success unless IT departments change their processes for threat hunting. Giving security analysts a new tool like sandboxing or behavior analysis won't help them track down threats if they don't rearrange the way they tackle problems.
Know Thy Enemy
Even with automated processes and the latest and greatest technology, without critical thinking skills, threats will continue to grow and slip past your defenses.
Good threat hunters understand that behind every threat is a human with their own motivation, tactics and procedures for reaching their goal, said Ismael Valenzuela, principal engineer of threat hunting and security analytics at McAfee, to Business News Daily. Understanding their tactics is key to preventing them from harming your organization.
The McAfee study characterizes the confrontation between threat hunters and adversaries as a continuous cycle of observe, orient, decide and act (OODA). Skilled threat hunters understand that adversaries work on this same cycle. The hunter's job is to disrupt the adversary's OODA loop while taking measures to defend their own.
Threat hunting is an emerging and growing field in cybersecurity that all organizations should become proficient in. Low-maturity companies begin by hiring specialists to act as threat hunters, while high-maturity organizations continually work to make their threat hunting more effective.
Hunters don't wait for alerts and threats to reveal themselves; instead, they follow clues and personal hunches to get a picture of an adversary's own procedures. When investigating suspicious activity, hunters always run on the assumption of a breach and begin tracking the threat.