In part one of our series on taking a proactive approach to cyber security, we discussed the idea of active cyber defense, its methods and ethics. Here, in part two of the post, we speak with Cynet VP Products Shai Gabay about best practices for threat hunting within the organization.
What is Threat Hunting?
Threat hunting, as most cyber professionals know, is the act of searching through data and activity to identify advanced threats which have already made their way through existing security measures and infiltrated into the organizational network. Depending on which research you look at, statistics show that anywhere from 40-85% of organizations today employ some form of threat hunting within their networks. Obviously, taking the prevention only approach is already a thing of the past, so what does an organization need to keep in mind as they create their threat hunting plan? Shai Gabay weighs in:
Tip 1: Be smart about the intelligence you use and how you use it
First, you need to smartly ingest threat intelligence. There are so many types of data that you can use, but the issue is to ingest smart alerts and collect the right feeds. Then you need to consider what to do with them in order to be able to measure yourself and see that the feeds you are receiving are efficient, accurate and relevant.
Tip 2: Join the right communities
You need be in the right communities because those are the places that you find a lot of knowledge about types of attack techniques. This information can really help you begin threat hunting. You want to be able to scan for different attack techniques to try to find them in your network. And even if you don’t find them it doesn’t mean that they won’t exist in the future. So you want to create some sort of policy based on that, or even create scheduled scans.
Tip 3: You need full visibility to get the bigger picture
It is crucial to be able to understand the bigger picture – if you see a technique that could be malicious it is important to understand the context of what happened before and what happened after. This can help distinguish between false positives and a true alert. Visibility is critical, you need to be able to see exactly what is going in in terms of communications, in the file, in the memory and in other areas which you need to be able to access and search.
Tip 4: Threat intelligence helps you achieve full visibility
The best way to approach achieving full visibility is to combine your efforts with threat intelligence. Threat intelligence is something that can help you use the unknown and to make it more known. And this lets you achieve more comprehensive detection.
Tip 5: Look for suspicious activity across all areas of the internal network
Always look for abnormal activity – it can be from the user perspective, the endpoint, the files, or the network. Then combine all of them together – it can create the context to help you decide what really happened.
Tip 6: Remediate, investigate, and create a policy
Once you find something that is truly suspicious, you need to be able to remediate it, to investigate it, and to create a policy and an alert for next time, so that abnormal activity will be automatically detected.