Threat hunting -
Finding the adversary before
damage is done

22 June 2018

Going on the hunt is probably the last thing that cyber security is about to people outside the business of protecting an enterprise’s digital domain.

Yet, being on the offensive is a strategy that is rapidly gaining ground today, as IT leaders find the added advantages of being proactive, instead of reactive in their cyber defence.

To go on a cyber threat hunt is to actively seek out the threats that may or may not be already in the network or system. This means ploughing through network logs, Windows processes and other activity records to find anomalous behaviour and picking up threats that have gone undetected.


Going Beyond Cyber Defences


The effort goes beyond penetration testing, which typically includes conducting checks on existing cyber defences to determine defence effectiveness and identify security gaps. Cyber threat hunting looks at anomalous end point and network activities by sieving through existing data and checking if a suspected threat is indeed a real one.

For example, if the cyber security team believes an insider has been exfiltrating data, it can specifically look for behaviour that may confirm such an act.

One thing to check are the tell-tale signs of someone covering his tracks, say, by masking his connection to external command-and-control servers. The clues may be gleaned from security information and event management (SIEM) logs.

This way, an enterprise can uncover hidden threats that may have avoided their edge defences and signature-based tools. These threats may be the few that escape the scrutiny of regular cyber defences, but they could still result in costly damage to one’s reputation and severely disrupt business.

According to a recent study released by Microsoft, Asia-Pacific enterprises stand to lose as much as US$1.75 trillion if they are hit by cyber attacks, which will affect jobs, reputation and even share price.


Starting the Hunt


So, how does an enterprise get started on a hunt? In an emerging field, there are many variables to consider for an exercise in cyber threat hunting. The first of which is whether to do this in-house or hire a trusted vendor.

With a shortage in cyber security expertise, it is difficult enough to hire analysts to begin with, so it is even tougher to find someone with the expertise and experience.

As a result, many enterprises may start with an exercise that uses external resources. These experts have to be well-versed not just in different security tools but also in identifying signs of a threat that others without their knowledge cannot.


Threat Hunting Augmented with Intelligence


Yet another issue is the data that has to be combed through. It may be possible to collect all that raw data manually, but it will be tough to have an analyst spend precious time seeking out a potential threat.

Some of the information collection and even analysis can be carried out by automation tools. They can help to connect the dots if an employee has been secretly using his PC to collect and exfiltrate information, say, on a USB drive.

With artificial intelligence (AI) becoming common today in many efforts in the digital enterprise, this is one area where the technology can be deployed as a force multiplier. Not only does it make the checking more efficient, it also eliminates the many false alarms that can lull a human operator into dismissing a real threat.


More Holistic and Complete Cyber defence


Like all cyber security efforts, cyber threat hunting is something that has to be carried out frequently. A one-off exercise may root out some malware that has been hidden but it will not ward off future threats unless it is constantly repeated.

It’s important that each exercise is planned carefully. It should not be run generically, like an anti-virus scan. As with any other hunt, the search here is for a specific threat that may have sparked off the interest of the cyber security team. It needs focus.

This way, the exercise gets the best chance of finding any undetected threats. It will also dovetail with the enterprise’s other cyber security efforts to offer a more holistic and complete defence against multi-dimensional threats.

For an enterprise, being proactive means it can be more confident in embracing digital technologies as it transforms its business. In this case, attack is indeed the best defence.


Speak to a StarHub representative to find out how cyber threat hunting can help protect an enterprise’s digital assets.


Follow StarHub Business on Linkedin for the latest business updates.

GDPR is coming and there's nowhere to run

Four areas of concerns to tackle before European Union's new data protection regulation sets in. 

Read more
In Cybersecurity, a battle of bots

Will 2018 shape up to be a battle of the bots as both attackers and defenders become more sophisticated?

Read more
Are enterprises ready for Singapore Cyber Security Bill?

Singapore has witnessed its fair share of cyber attacks over the past few years. With the passing of Singapore Cyber Security Bill, is it sufficient to secure the enterprises? Find out more.

Read more