By Shomiron Dasgupta, Founder & CEO, DNIF
June23 2019:Threat hunting isn’t new, but, the concept of its practical use in countering cyberspace threats is recent.
Companies’ awareness of threat hunting is increasing with time, however, not paying heed to cyberspace threats because of constraints like budget, expertise and personnel for threat hunting have led to the aggravation of the number of malware attacks as well as their potency. Hence, countering them has become more and more challenging.
What is Threat Hunting?|
Cyber Threat Hunting is a systematic process that involves detection of advanced threats in an organisation's network. In simple words, it is the detection of intruders skulking in the network. On an average, intruders access the network for more than two hundred and twenty days before being detected, and usually, the ones notifying about them are credit card companies or law enforcing corporations. Threat Hunting is proactively looking for these lurkers instead of staying on the low and letting technology inform an organisation about them.
What makes it different from Threat Detection?
Threat Hunting and Threat Detection have a major differentiating factor, that is, threat hunting is an extremely zealous process which takes place on initial stages of intrusion rather than after the threat has been identified as it’s done in threat detection.
Why it is important and why it should be used?
An attacker’s initial goal usually would be stealing valid login credentials. Such attackers are virtually insiders that seek out discreet and confidential activities of an organisation’s networks, systems, and applications. Attackers use the stolen credentials of organisations to carry out search-and-steal or search-and-destroy missions using tools and techniques that end-users don’t use. This causes them to go undetected and cause tremendous damage to intelligent property. Threat hunting, however, entails a better insight into the security team about an incident, from understanding its scope to identifying the causes and forecasting the impact. This also helps reduce investigation time.
Threat hunting is necessary because of the clandestine techniques used by cybercriminals and the malware they produce. Today’s malware is able to easily evade antivirus software. Attackers are ameliorating at an alarming rate, and this results in the creation of new forms of attack which are being taken into record regularly. Hence, it is not affordable for an organisation to wait for weeks or months to learn about incidents. From the moment of intrusion, the cost, damage, and impact due to a breach grow by the hour and by the day.
Threat Hunting ultimately reduces damage and overall risk to the organisation as it offers a quick response and a proactive approach. This generally means lesser chances of malicious intrusions and threats to cause damage to an organisation, its systems and data. This is vital in cases of confidential data to ensure it isn’t misused.
Another competency of Threat Hunting is that it is human-driven, iterative and systematic. The combination of tools, perpetual monitoring, together with the finesse ability of the analyst to test and evaluate data, means a reduction in false positives and time wastage in the whole security process.
Threat hunting has demonstrated itself to be very coherent and is gaining momentum as companies look for better ways to increase their security systems and eliminate malware and repetitive threats. As emerging and advanced persistent threats (APT) continue to challenge security staff, analysts are incessantly utilising threat-hunting platforms to uncover attacks. As 100% detection is impossible to achieve, and since existing security measures and solutions like IDS and SIEM are simply incompetent now, there is a dire need to establish security teams who will actively “hunt” for threats that may target their organisation.Hence, it’s a strategy which is transitioning from reactive to proactive, with companies looking for ways to tackle problems in a timely, more efficient way.
- DNIF is an open Analytics Platform that uses Deep Tech to Automagically identify Outliers in users application and systems in general.
- Shomiron founded NETMONASTERY in the year 2002, a company that delivers quality attack detection products and services to its customers. He has been building threat detection systems for close to two decades and has established partners in 14 countries across several industries like healthcare, insurance, transport, banking, and media.