It’s easy to search for lost items where the light is better, but they wouldn’t be lost if you could see them.
I recently wrote an article for SecurityWeek on the topic of hunting threats, and it got me thinking back to an opportunity I had earlier this year. In January, I joined fellow industry experts for an (ISC)2 ThinkTank roundtable to discuss threats and how to effectively detect and respond to them.
The webinar was focused around making the shift from simply detecting threats, to proactively hunting and gathering information to enhance the investigatory process. Moderated by Brandon Dunlap, Senior Manager of Security, Risk, and Compliance at Amazon, the panel also included Dominique Killman of Crowdstrike, and Aamir Lakhani from Fortinet and FortiGuard Labs. One particular discussion point I found interesting was what happens when security teams first start down the journey of discovering, prioritizing, and eliminating threats by doing a disciplined account of their networks.
When an organization begins proactively hunting for threats, they are often surprised to discover that they knew nothing about a lot of their users’ activity.
The security team is then forced to sift through the organization’s many processes and identify the kind of user activity that needs to be corrected.
In addition, many organizations aren’t accurately aware of the chaos and complexities of their environment, or where their data is actually located within it. When doing this type of thorough network audit, corporations often find that they do not have a handle on large portions of their infrastructure. They seemed to understand their network’s structure, but in reality, their data is widely dispersed and living in several different third party locations.
In a later discussion during the (ISC)2 panel, we examined the different tools used for hunting threats. To me, the most important tool is the actual architecture of your network. The biggest wins come from arranging your network in a way that makes the data visible to you. Simplifying the environment reduces the amount of noise coming across the different observation points, and allows you to capture the information you want.
During this discussion, I compared common approaches to hunting threats to the old joke about a person who has lost their keys in a dark parking lot. It may be easier to search for your keys beneath the light of a street lamp, but that is not necessarily where you lost them. When it comes to hunting for threats, it is easy to fixate on protecting the data that you can see. However, the goal of hunting is to make sure you are not just responding to known incidents, but gathering information about the unknown and establishing new alerts to protect data from threats that you may not have been looking for.
When hunting for threats, you need to ask questions like, “How can we be breached?” and “Where does our data live, and how does it move around?” These types of questions can help you identify your vulnerabilities. Most of the big breaches in the news are delivered through email on a personal laptop: the endpoint that can be used anywhere and is particularly difficult to monitor. Recognizing these vulnerable endpoints helps us understand what areas we need to shed some light on and focus our security efforts around. Synchronizing security, simplifying the environment, and identifying vulnerabilities are vital steps in adapting to the threat landscape.