Why human threat hunting is essential for cyber protection
Recent high-profile data breaches have shown that Australian organisations are firmly in the crosshairs of cyber adversaries. These breaches have also illustrated that – when they are hit by an intrusion – many organisations’ security measures fall short of what is required to adequately secure their data, writes Nick Lowe, a Director at CrowdStrike Falcon.
Over the past year, Australia has experienced a 33 per cent rise in large scale data breaches, according to the OAIC’s latest Notifiable Data Breaches Report.
The recent cyber attacks in Australia are examples of the high-profile breaches that have undermined consumer trust in big businesses. This is echoed by CrowdStrike’s own data, which found that the volume of interactive intrusions – those that involve a hands-on-keyboard adversary – has grown by 60% year over year in the Asia Pacific region, compared to 50% growth globally.
Cyber criminals and state-nexus threat actors alike recognise the intrinsic value of data. Stolen data can be leveraged for extortion, for sale to interested third parties, for economic espionage or for intelligence collection. Due to the value of data, cyber adversaries are employing the full force of their human ingenuity to find new ways to side-step existing automated security controls.
The core mission of threat hunters is to proactively seek out these attempts to evade detection, employing that same human ingenuity to stay a step ahead of the adversary.
Security leaders need to be aware of the current state of play when it comes to data security:
- Adversaries are acutely aware of the gaps in fully autonomous and legacy signature-based security systems.
- Adversaries are abusing these gaps using novel hands-on and living-off-the-land techniques in conjunction with compromised credentials to subvert technology-based controls, infiltrate organisational networks, and access sensitive data.
- Augmenting technology-based defences with elite human expertise and around-the-clock eyes on glass is the only way to keep pace with the operational tempo and evolving capabilities and techniques employed by today’s adversaries.
Human-led threat hunting provides organisations with the critical visibility and timely, actionable intelligence required to stop unknown and unseen adversaries in their tracks.
The case for human threat hunting
Intrusions motivated by data collection objectives will often be stealthy and may be drawn out over an extended period to increase the opportunity to access valuable data. Adversaries may go to great lengths to understand their environment and blend in with expected administrative activity.
Without proactive human-driven hunting capabilities, adversaries can remain embedded in a company’s infrastructure for months, quietly learning about the environment, syphoning off data and collecting additional login credentials to provide further means of access and to potentially expand their reach into new segments of the victim environment.
In many of these drawn-out intrusions, organisations lack the comprehensive visibility and advanced detection capabilities needed to identify just how deeply embedded an adversary has become. Because of this, organisations can end up in a losing game of whack-a-mole, never able to regain full confidence that their systems and data are secure.
Threat hunting is the practice of continuously and proactively searching for signs that an adversary may have slipped past automated security controls. Threat hunters search for the patterns of behaviour associated with malicious post-exploitation activity using finely tuned statistical methods, hypothesis-driven investigations, and analysis derived from the latest threat intelligence.
For example, initial access to a victim environment is frequently followed by adversary attempts to orient themselves in the environment. This may include running administrative reconnaissance commands to find out what device they are on and what access and privileges they have.
It could also include use of existing tools on the system, known as living-off-the-land, to change settings or access additional credentials. Often these post-exploitation activities in isolation are not enough to identify an intrusion, but threat hunters look at this data in aggregate to identify the patterns and bursts of activity that may indicate the presence of an attacker.
By looking for these early patterns of potentially malicious behaviours, threat hunters can identify potential intrusions earlier in the attack chain, allowing for disruption of the adversary before they can achieve their objectives. Further, because threat hunters are analysing rich data from across the environment, they can accurately reconstruct where an adversary has been and what actions they have taken. This ensures that victim organisations have full visibility and awareness of where remediation is required.
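As an added illustration of the aggregate-over-isolation idea described above (example code written for this article, not CrowdStrike’s own tooling), the following Python flags a host/user pair that runs several distinct reconnaissance binaries within a short window, while the same commands spread out over hours stay below the threshold. The watch-list, the five-minute window, the threshold of four distinct commands and the log format are all assumptions for the example.

```python
"""Toy aggregation hunt: individually benign reconnaissance commands become
interesting when one host/user runs many distinct ones in a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical watch-list of reconnaissance binaries often seen soon after
# initial access; a real hunt would tune this to the environment's baseline.
RECON_COMMANDS = {"whoami", "hostname", "ipconfig", "net", "nltest", "systeminfo", "quser"}

# Constructed sample telemetry (not real data): "timestamp|host|user|image".
SAMPLE_EVENTS = """\
2023-03-01T09:00:01|WS-042|alice|outlook.exe
2023-03-01T09:00:05|WS-042|alice|whoami.exe
2023-03-01T09:00:09|WS-042|alice|hostname.exe
2023-03-01T09:00:14|WS-042|alice|ipconfig.exe
2023-03-01T09:00:20|WS-042|alice|net.exe
2023-03-01T09:00:31|WS-042|alice|nltest.exe
2023-03-01T10:15:00|SRV-007|svc_backup|whoami.exe
2023-03-01T13:40:00|SRV-007|svc_backup|ipconfig.exe
2023-03-01T16:02:00|SRV-007|svc_backup|systeminfo.exe
"""

def parse_events(text):
    """Parse the pipe-delimited sample format into sorted (ts, host, user, image) tuples."""
    events = []
    for line in text.splitlines():
        ts, host, user, image = line.split("|")
        events.append((datetime.fromisoformat(ts), host, user, image.lower()))
    return sorted(events)

def hunt_recon_bursts(text, window=timedelta(minutes=5), min_distinct=4):
    """Return {(host, user): [distinct recon commands]} for every host/user pair
    that ran at least `min_distinct` different recon commands inside `window`."""
    per_actor = defaultdict(list)
    for ts, host, user, image in parse_events(text):
        name = image.rsplit(".", 1)[0]          # strip the ".exe" suffix
        if name in RECON_COMMANDS:
            per_actor[(host, user)].append((ts, name))
    hits = {}
    for actor, runs in per_actor.items():
        for i, (start, _) in enumerate(runs):   # slide a window from each run
            seen = {n for ts, n in runs[i:] if ts - start <= window}
            if len(seen) >= min_distinct:
                hits[actor] = sorted(seen)
                break
    return hits

if __name__ == "__main__":
    for (host, user), cmds in hunt_recon_bursts(SAMPLE_EVENTS).items():
        print(f"{host}/{user}: reconnaissance burst {cmds}")
```

The service account on SRV-007 runs the same kind of commands but hours apart, so it never crosses the threshold; the burst on WS-042 does.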
Protecting organisations against attacks
Although each new generation of security technology becomes better able to detect advanced threats, there is no replacement for human ingenuity. Behind every interactive intrusion there is a human adversary acutely aware of the automated defences standing between them and their target. These adversaries are agile and increasingly adept at employing new techniques or quickly operationalising new vulnerabilities.
While comprehensive automated security solutions play a crucial role in preventing known threats, they do not provide the proactive cover required to stay ahead of the continually evolving threat landscape. Having round-the-clock human threat hunting shifts the defensive mindset from reactively responding to known-bad activity once it has already occurred, to proactively seeking out the known ‘modus operandi’ of common adversary behaviour.
This provides security teams with the upper hand through the ability to identify and disrupt stealthy hands-on adversary activity that may be blending in with the benign.
Having the controls and capabilities in place to identify potential threats before they happen is better than facing the fallout of a cyber incident that could have been prevented. It simply isn’t worth the devastating impacts of reputational damage, customer attrition, regulatory fines, legal fees, and the productivity losses that follow.
On top of this, ransom demands are skyrocketing, with the average ransom payment now upward of US$1.79 million, according to CrowdStrike’s most recent Global Security Attitude Survey.
There is a fundamental gap in the way many Australian businesses are approaching cybersecurity, and adversaries are ready to exploit it. Those who can deploy both technology and human threat hunting as part of a holistic cybersecurity strategy will emerge as exemplars for the rest of their respective industries.
A mature threat hunting capability requires a significant investment of time, resources and dedication and most organisations aren’t adequately staffed or equipped to house a 24/7/365 and scalable operation. Fortunately, there are managed security solutions that offer the tools, people and intelligence required to proactively hunt for the threats of tomorrow.