According to RiskIQ, "every minute, close to $858,153 is lost to cybercrime, and 1,080 people fall victim. Despite businesses' best efforts to guard against external cyberthreats, which spend up to $143,936 in 60 seconds, bad actors continue to proliferate online." That's a pretty sobering assessment of the state of cybercrime these days, and the motivation for a new breed of security professionals – the cyberthreat hunter.
Firewalls, intrusion detection and prevention systems, anti-malware packages, vulnerability scans, and the like are still a necessary part of a company's defenses. They do a great job in stopping known threats coming into the network. But what about the unknown? And what about threats that exist outside of the network?
To deal with such threats, the notion of proactively seeking out potential or looming external threats against a company is gaining traction. Cyberthreat hunting is the process of searching for advanced threats – those that are either so new or so elusive that protection technologies don't pick them up – as well as reputational threats like those on social media accounts and the dark web. Typically, this hunt involves combing through a company's network and the data collected in logs, as well as stuff outside of the firewall (like the dark web), then analyzing that information to seek out and identify threats. The goal is to sniff out threats, then prevent or block them before they can turn into full-blown attacks.
Should you DIY or use a service?
Although some aspects of threat analysis may be performed with automated tools, true threat hunting requires a good deal of human investigation as well. For example, once data is gathered, an analyst might use special tools to reveal patterns and spot trends. This could even be accomplished using pivot tables in Microsoft Excel, and usually with less upfront expense. But the problem with a lot of small businesses is, who's got the know-how and the time to do the necessary work involved?
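To make the "pivot tables over gathered data" idea concrete, here is an added example (not code from the article or from any vendor named in it) that cross-tabulates a handful of constructed, sshd-style authentication log lines the way an analyst would in a spreadsheet, then applies two simple hunting heuristics: a source address that fails against many distinct accounts, and values that appear only once in the data set (the "long tail" a hunter reads through by hand). The log lines, the regular expression, and the thresholds `min_failures` / `min_users` are all assumptions for illustration.

```python
"""Pivot-table style threat hunting over constructed auth log lines (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample lines, loosely modelled on syslog-style sshd output.
# Addresses are from the RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Mar 03 10:01:02 host1 sshd[2201]: Failed password for alice from 203.0.113.5 port 51022 ssh2
Mar 03 10:01:09 host1 sshd[2203]: Failed password for bob from 203.0.113.5 port 51030 ssh2
Mar 03 10:01:15 host1 sshd[2205]: Failed password for carol from 203.0.113.5 port 51041 ssh2
Mar 03 10:01:22 host1 sshd[2207]: Failed password for dave from 203.0.113.5 port 51055 ssh2
Mar 03 10:02:01 host1 sshd[2210]: Accepted password for alice from 198.51.100.7 port 40311 ssh2
Mar 03 10:02:30 host1 sshd[2212]: Failed password for alice from 198.51.100.7 port 40320 ssh2
Mar 03 10:03:00 host1 sshd[2215]: Accepted publickey for svc_backup from 192.0.2.9 port 33001 ssh2
Mar 03 10:03:44 host1 sshd[2218]: Failed password for root from 203.0.113.5 port 51090 ssh2
"""

# Assumed line shape; real sshd output has more variants (e.g. "invalid user"),
# which a production parser would need to handle as well.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) (?P<method>\w+) for "
    r"(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse(log_text):
    """Turn raw lines into dict rows with outcome, method, user and src fields."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rows.append(m.groupdict())
    return rows


def pivot(rows, row_key, col_key):
    """Cross-tabulate like a spreadsheet pivot table: counts by (row value, column value)."""
    table = defaultdict(Counter)
    for r in rows:
        table[r[row_key]][r[col_key]] += 1
    return table


def spray_candidates(rows, min_failures=3, min_users=3):
    """Source addresses whose failures are spread across many distinct accounts.

    Returns (src, total_failures, distinct_users), most failures first.
    """
    failed = [r for r in rows if r["outcome"] == "Failed"]
    by_src = pivot(failed, "src", "user")
    out = []
    for src, users in by_src.items():
        total = sum(users.values())
        if total >= min_failures and len(users) >= min_users:
            out.append((src, total, len(users)))
    return sorted(out, key=lambda t: t[1], reverse=True)


def rare_values(rows, key):
    """Values of `key` seen exactly once: the long tail a hunter reviews by hand."""
    counts = Counter(r[key] for r in rows)
    return sorted(v for v, n in counts.items() if n == 1)


if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print("rows parsed:", len(rows))
    for src, cols in pivot(rows, "src", "outcome").items():
        print(f"{src:15} {dict(cols)}")
    print("possible spraying sources:", spray_candidates(rows))
    print("sources seen only once:", rare_values(rows, "src"))
```

The pivot is the same operation as dragging a source column to rows and an outcome column to columns in Excel; the two heuristics are only starting points, and a hunter would tune the thresholds to the size of the environment and follow up each hit in the surrounding logs rather than treat it as a finding on its own.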
Companies such as RiskIQ, FireEye, Digital Shadows, SecureWorks, Infoblox, Recorded Future, Carbon Black and Cylance are just some of the leaders in threat hunting. Their solutions are designed to uncover all kinds of threats, greatly reducing the time it takes to respond. Be aware, though, that threat hunting is a relatively new field that's still in flux. Solutions vary. Some companies focus solely on external, reputational-type threats such as domain infringement and online brand abuse, whereas others dig into customers' internal data to expose advanced threats that have breached perimeter defenses. Some offer both.
Key questions to ask when assessing threat-hunting vendors
The diversity of threat-hunting solutions and services makes evaluations and comparisons challenging, to say the least. With that in mind, here are some questions to ask when evaluating threat-hunting vendors:
- Does the vendor offer an automated solution, such as a self-service platform, or a consulting service?
- Does the vendor focus on external threats? Does the solution or service proactively monitor domain and brand infringement? Most automated solutions detect and identify external threats; does the vendor's solution also respond to them? What about possible advanced threats within an environment? Make sure you understand exactly what each vendor offers.
- How long has the vendor offered threat hunting? Is the vendor's solution designed specifically for threat hunting, or is it an add-on to one of its existing solutions?
- Ask the vendor to describe the data sources and the types of threat indicators it uses. The industry is much more standardized than it was a few years ago, but there's still plenty of wiggle room.
- For threats within the environment, how is data gathered? Does the solution use agents, or is it agentless? Which operating systems does it support?
- Do the solution's tools integrate with your existing security systems and tools? And how does that integration occur?
- What type of reporting does the vendor offer? Find out specifically what kinds of technical reports you can get, and ask for samples. They should be clear and easy to read. Also find out if it offers executive-level management reports that don't contain much technical detail.
- How much does the solution or service cost? Will it involve an upfront outlay, or is a subscription available? If licensing is required, ask the vendor for specific costs and how often the license must be renewed.
- Is tech support rolled into the cost of the solution or subscription, or is that a separate charge?
- Does the vendor have experience working with your type and size of company, in your industry? Find out if you can talk to a few customers in your industry to get their opinions on threat hunting. One of the main questions IT managers have about threat hunting is "do I really need it?" Bouncing questions off a company similar to your own that's already been through the evaluation process can help you make that decision.
- Does the vendor offer a trial so you can test-drive the solution on your own? If so, can you get a few hours of help from a salesperson to address your questions or walk through the solution with you?
Before you reach out to vendors, consider checking online review sites such as G2 Crowd and TrustRadius, and check for reviews on the Gartner Peer Insights site as well. Another good source of information is the Spiceworks tech community. You can find all types of IT and security-related issues addressed in that forum.
Additional reporting by Kim Lindros.