Threat hunting has become enormously popular in today's world of cyber. If you aren't doing it, you strive to do it. And if you are doing it, you strive to be successful. But why even hunt? Is it a necessity in the cyber world, or is it one of those "nice to have" capabilities? If you look at the primal nature of animals and why they hunt, they have a NEED. If they don't hunt, they die of starvation. In the majestic animal kingdom, it is a "NEED to have" capability.
Can we say the same thing about cyber threat hunting? If an organization cannot hunt, it may not die, but it will suffer from an unknown incident resulting in a breach. When attacker dwell times go from days to months, the "nice to have" suddenly becomes a "need to have." The problem gets further exacerbated, since in the world of cyber... YOU are also being hunted. For what? It depends, and can range from financial gain to intellectual property to imposing political views. The consequences can be bad for business. Poor customer retention, acquisition loss, financial loss, and a big blow to the brand can mean death.
However, the problem with most organizations is that they are too immature and inexperienced to hunt. They may want to, they may even try, but they simply cannot. The same thing can be said about a lion cub. A cub hopes to get scraps left over by the larger adult lions so that it survives until it learns to hunt from the experienced. Cubs follow their parents to gain tactics and techniques. As they grow older, they get the size, strength, and speed that enable them to hunt. Even when they are fully grown, their success rate is only 15%. Maturity level is an important aspect of cyber threat hunting, but that is not all. Let's compare back to the wild. Hunting skills differ from habitat to habitat and from animal to animal, just as our environment differs between large and small organizations and between the industries we hunt in. Tactics will also change. Timing will also be critical: there are moments when adversaries are best hunted. Look at the facts and numbers. The African wild dog has a hunting success rate of 85% versus the lion at only 15%. Like any organization, you need the same things, but in different ways. You get experienced security professionals who understand attacker motives. You get seasoned intelligence analysts who understand attacker tools, techniques, and procedures. You get security responders who have lived the days of no sleep while responding to incidents and honing their own craft of how to properly respond, moving from containment to remediation.
For animals it comes down to listening capabilities, strength, speed, covertness, and pack size. For cyber threat hunters it comes down to having skill sets across the various pillars of security. A pen tester may only know how to attack, but will not understand what forensic data is left behind. They may be vicious like the lion, but can they hunt with success? What I'm talking about is bringing together the capabilities gained from all individuals on a security team. It says a lot when an organization can bring together a security ecosystem by socializing: a true meeting of the minds and a cohesive "fusion" approach. This is when cyber threat hunting becomes effective and survival becomes easier. I'll end with the African wild dog's highly social nature. They live in packs, they look out for the young and the sick, and lastly, they are vocal. In the world of cyber, hunting is essential, but it is not only the strong that will survive. If you really want to hunt... well, I hope you are not the lion.
The original article can be found here.