Why cloud security must move from threat detection to threat hunting?

23 November 2020

Harjott Atrii


Cyber-attacks are on the rise, impacting organisations more than ever. As per a recent survey by Barracuda, researchers have observed a 667% increase in spear-phishing attacks since the end of February 2020, with the damage related to cybercrime projected to hit US$6tn annually by 2021.

Threat actors are actively using Covid-19 social engineering themes to try to take advantage of remote workers, health concerns, stimulus payments, trusted brands, and more. With the explosion in remote working and cloud adoption, we believe cybersecurity is an essential foundation for enterprises to thrive in a digital-first, post-pandemic era.

Typically, a large organisation takes on average 207 days to detect a security threat and a further 73 days to remediate the incident. Threats can spread laterally within networks in a matter of seconds and exfiltrate large amounts of confidential information, which may result in irreparable damage to reputation and significant loss of revenue.

With threat vectors evolving daily, threat landscapes cannot be viewed in silos. Organisations should consider a ubiquitous security approach that is proactive yet adaptive, by adding an early-stage threat hunting component to the traditional threat detection approach.

Today, the majority of our customers focus on establishing new-age threat hunting approaches that help organisations to be proactive. They investigate and seek out known and unknown threats at the earliest stages of an attack, instead of relying on a threat detection system and its alerts, which can be delayed. This is made possible through analysis of historic data combined with a hypothesis about previously undetected threats, based on the unique signatures of a newly identified malware strain or the TTPs (Tactics, Techniques and Procedures) associated with a specific actor.

Below is the six-step approach that we prescribe to organisations looking to establish a robust threat hunting process:

Requirement gathering is the first step. This is where the objective is to gather details about the existing security controls and the compliance needs of the organisation.

Data collection is the next step, where the focus is on aggregating, processing and managing enterprise data. Security Information and Event Management (SIEM) tools often help with data collection and also provide deep insights for further analysis.

The third step is to build a hypothesis. Customers typically set up an internal hunting team that leverages the collected data to investigate and build a hypothesis. The resulting hypothesis would typically describe how a given attack works and which artefacts in the logs need to be analysed, and would feed a threat modelling process aligned with the security objectives.

The next step in the process is hunting. Based on the hypothesis, the team of threat hunters searches for a unique hunting string for the malicious activity: intrusions, anomalous behaviour, unusual port activity or any other Indicator of Compromise (IOC). Threat hunters may also search metadata and enriched flow records, using threat intelligence and packet-level data to reach a definitive conclusion.

Once the hypothesis has been validated, the next step is to investigate and identify threats through an Extended Detection and Response (XDR) service. This step typically uses solutions such as Security Information and Event Management (SIEM), Endpoint Detection and Response (EDR) systems, and user behaviour and network analytics tools combined with predictive intelligence software. These solutions can assist in identifying threats without needing to know the attack's exact signature: they detect irregularities in traffic flow and data, raising an alarm for a security threat before the attack occurs.

The last step in the process is incident response. Cybersecurity experts will design an effective response mechanism, often using automated security tools, to resolve and mitigate the threat. Additional pre-emptive actions may be taken to avoid further disruption of service that may emerge as a result of addressing the threat.
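As an added illustration of steps three and four (example code, not from the article or from Zensar), here is a small hypothesis-driven hunt in Python: the hypothesis is that a host reaching many distinct internal peers on administrative ports within a short window is a lateral-movement candidate, and the logic runs over constructed SIEM-style flow records. The record format, port list, window and threshold are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SIEM-style flow records (not real data). Host 10.0.1.5 fans out
# over SMB to six peers in under two minutes; 10.0.1.9 is ordinary traffic.
SAMPLE_LOG = """\
2020-11-23T09:00:01 src=10.0.1.5 dst=10.0.2.10 dport=445 proto=tcp
2020-11-23T09:00:05 src=10.0.1.9 dst=10.0.2.50 dport=443 proto=tcp
2020-11-23T09:00:12 src=10.0.1.5 dst=10.0.2.11 dport=445 proto=tcp
2020-11-23T09:00:20 src=10.0.1.5 dst=10.0.2.12 dport=445 proto=tcp
2020-11-23T09:00:33 src=10.0.1.9 dst=10.0.2.10 dport=445 proto=tcp
2020-11-23T09:00:41 src=10.0.1.5 dst=10.0.2.13 dport=445 proto=tcp
2020-11-23T09:01:02 src=10.0.1.5 dst=10.0.2.14 dport=445 proto=tcp
2020-11-23T09:01:30 src=10.0.1.5 dst=10.0.2.15 dport=445 proto=tcp
2020-11-23T09:45:00 src=10.0.1.9 dst=10.0.2.11 dport=445 proto=tcp
"""
ADMIN_PORTS = {445, 3389, 5985}  # SMB, RDP, WinRM (assumed watch-list)


def parse_flow(line):
    """Parse one 'ts key=value ...' record into a dict with typed fields."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["dport"] = int(rec["dport"])
    return rec


def hunt_fanout(log_text, ports=ADMIN_PORTS, window=timedelta(minutes=5), threshold=5):
    """Hypothesis: a source reaching >= threshold distinct peers on admin ports
    inside one sliding window is a lateral-movement candidate. Returns {src: peers}."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_flow(line)
        if rec["dport"] in ports:
            by_src[rec["src"]].append((rec["ts"], rec["dst"]))
    hits = {}
    for src, events in by_src.items():
        events.sort()  # chronological order so the window can slide forward
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # drop events older than window
                start += 1
            peers = {dst for _, dst in events[start:end + 1]}
            if len(peers) >= threshold:
                hits[src] = hits.get(src, set()) | peers
    return hits


if __name__ == "__main__":
    for src, peers in hunt_fanout(SAMPLE_LOG).items():
        print(f"{src}: {len(peers)} admin-port peers in window -> {sorted(peers)}")
```

A hit is a lead for the XDR investigation step, not a verdict: the same fan-out pattern is produced by vulnerability scanners and patch-management hosts, so the hunter's next move is to check the source against the asset inventory before escalating.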

Cyber-security breaches are among the most likely and most expensive threats to enterprises. With technology evolving at a supersonic rate, there is a growing need for enterprises to re-imagine their security posture by focussing on threat hunting measures. After all, the organisations that succeed today are the ones that constantly refine their knowledge of the adversaries they face.

By Harjott Atrii, executive vice president and global head of the digital foundation services at Zensar Technologies