Cyber attacks are becoming more advanced with each year, as indicated by the increase in data breaches. According to a Risk-Based Security report, 2019 might break a new record, with more than 3,800 breaches, and still counting.
Threat hunting aims to help reduce the number of breaches. Some security analysts even take threat hunting as far as infiltrating the dark web, all to ensure they are the first to discover a new attack type. Read on for an overview of the state of cybersecurity, and key threat hunting tips for 2020.
The State of Cyber Security in 2019
In its Security Index Report for 2019, IBM identifies the top security threats of the past years. The attack surface continues to grow from within, with more threats coming from insiders. Below you can find the top four security risks that continue to threaten companies.
Phishing and business email scams
Phishing and business email scams comprise almost one-third of attacks. Examples of this include business email compromise (BEC) and social engineering. BEC scams aim to compromise the accounts of CEOs and high-ranking employees. The scammer tricks the employee into sending emails to the accounting department with instructions to send a wire transfer.
Human error is one of the main causes of breaches
One of the ways unintentional insiders compromise the environment is by making configuration mistakes. According to the 2018 Cloud Security report, misconfiguration is the biggest risk to cloud security.
Misconfiguration errors include insecure cloud databases or poorly secured backups. These errors enable attackers to access sensitive data, such as usernames, passwords, and credit card data.
Malware and spam were used in several data breaches and attack campaigns, such as the German Amazon Phishing scam or the Chinese email harvesting. Attackers are also using malware to mine cryptocurrency. They install miner software on the victims’ systems. The mining software then generates coins for the attackers. A common infection vector is a code injection in poorly secured websites.
File system-resident malware
Attackers are increasingly using file system-resident malware. Software of this type is used by legitimate users to collect and analyze data, but more attackers are turning it to malicious purposes. File system-resident software gives attackers direct access to a device’s core, and because it can also execute code from memory, attackers use it to inject malicious code into memory.
Frequently targeted industries
The most frequently targeted industry is the finance and insurance sector, closely followed by transportation and professional services. While the main motivation has been stealing data for economic gain, there have also been threats driven by political motives.
Threat Hunting Overview
Threat hunting is a proactive approach to cybersecurity that involves actively searching for undetected threats in a system or network. Once inside a network, attackers can lurk for months, retrieving data or stealing credentials to move laterally across the network.
Traditional cybersecurity only reacts, responding to attacks once the malicious actor is inside the network. Threat hunters get ahead of attackers by proactively searching for suspicious activity.
What makes a successful threat hunter
Threat hunters use software tools to automate the process. The three most basic tools are logs, SIEM systems, and analytics:
- Logs—analysts need data logs to process and detect malicious activity. Common sources include endpoint logs and firewall logs.
- SIEM—A Security Information and Event Management (SIEM) is a software solution that collects and classifies data from multiple log sources. The software then analyzes the accumulated data. Once an anomaly is detected, the SIEM sends you alerts.
- Analytics—data analytics software, especially machine learning techniques, helps automate threat hunting processes. This enables security analysts to process large amounts of data.
While the right tools are important, there are a number of skills a successful threat hunter should have:
- Environment knowledge—analysts should know the IT environment they are protecting. This includes network and contextual knowledge.
- Scientific methodology—analysts need to anticipate possible attacks. They should be able to formulate a hypothesis and look for ways to prove it, while staying aware of potential threats.
- Statistics—a solid background in statistics and mathematics is necessary to interpret statistical data.
- Investigative mind—the capability to investigate after an attack, looking for the root cause.
Threat hunters detect threats through three main approaches:
- Hypothesis-based investigation—threat hunters analyze crowdsourced attack data, learning about the latest tactics, techniques and procedures (TTP) of attackers. Threat hunters sift through the data looking to discover if this specific TTP exists in their environments.
- Threat-based investigation—threat hunters use threat intelligence to identify Indicators of Compromise in their networks. Tactical threat intelligence consists of specific details about attackers’ techniques, and it is often automated by special software. Threat hunters use threat intelligence software to label known indicators of compromise and set alerts to discover hidden attacks.
- Machine learning investigation—this approach uses machine learning technology to detect anomalies in large datasets. Threat hunters then investigate these anomalies to identify security threats.
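As an added illustration of two of the approaches above (not code from the original post), the following Python runs a threat-based hunt (matching events against an indicator list) and a simple statistical anomaly hunt (a per-user z-score against a logon baseline, standing in for the machine learning step) over constructed endpoint log lines. All users, hosts, hashes, addresses and baseline counts are made-up sample values.

```python
"""Added example: threat-based IoC matching and a baseline anomaly check
over constructed endpoint logs. All values are sample placeholders."""
import statistics
from collections import Counter

# Constructed threat-intel feed: indicator -> label (placeholder values).
IOCS = {
    "198.51.100.23": "known C2 address (sample)",
    "0123456789abcdef0123456789abcdef": "known malware hash (sample)",
}

# Constructed endpoint log lines: "timestamp user host event detail".
LOGS = [
    "2019-11-04T08:02:11 alice ws-01 LOGON 10.0.0.5",
    "2019-11-04T08:05:40 alice ws-01 PROCESS 0123456789abcdef0123456789abcdef",
    "2019-11-04T09:10:02 bob ws-02 LOGON 10.0.0.6",
    "2019-11-04T09:12:30 bob srv-01 LOGON 10.0.0.6",
    "2019-11-04T09:13:05 bob srv-02 LOGON 10.0.0.6",
    "2019-11-04T09:13:41 bob srv-03 LOGON 10.0.0.6",
    "2019-11-04T09:15:00 bob srv-03 NETCONN 198.51.100.23",
    "2019-11-04T13:30:12 alice ws-01 LOGON 10.0.0.5",
]

# Constructed baseline: user -> daily logon counts observed on normal days.
BASELINE = {"alice": [2, 3, 2, 3], "bob": [1, 1, 1, 2, 1, 1, 2, 1]}

def parse(line):
    ts, user, host, event, detail = line.split(" ", 4)
    return {"ts": ts, "user": user, "host": host, "event": event, "detail": detail}

def ioc_hits(lines, iocs=IOCS):
    """Threat-based hunt: events whose detail field matches a known indicator."""
    return [(e["ts"], e["user"], e["event"], iocs[e["detail"]])
            for e in map(parse, lines) if e["detail"] in iocs]

def logon_anomalies(lines, baseline=BASELINE, threshold=3.0):
    """Anomaly hunt: z-score of today's per-user logon count against the
    user's own baseline. Returns {user: z} for users above the threshold."""
    today = Counter(e["user"] for e in map(parse, lines) if e["event"] == "LOGON")
    flagged = {}
    for user, count in today.items():
        hist = baseline.get(user, [])
        if len(hist) < 2:
            continue  # no usable baseline; a real hunt would queue these for review
        sd = max(statistics.pstdev(hist), 0.5)  # floor avoids division by zero
        z = (count - statistics.mean(hist)) / sd
        if z > threshold:
            flagged[user] = round(z, 1)
    return flagged
```

Running both hunts over the sample logs yields two indicator hits (alice's process hash and bob's outbound connection) and flags bob, whose four logons across four hosts sit well above his baseline.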
7 Effective Threat Hunting Strategies
Threat hunting is proactive by nature and threat hunters spend their days searching for signs of malicious activity. This often requires threat hunters to infiltrate dark web forums, where criminal activity takes place. Below, you’ll find an overview of effective threat hunting strategies.
- Know the environment you are protecting
Understanding what is normal for your organization can help you detect anomalous activity. Threat hunters should learn their environment’s routines and architecture, which helps them spot deviations. Threat hunting teams should collaborate with key personnel in other departments to get insights into what constitutes normal activity in the organization.
- Understand the threat
When searching for threats, you should start by knowing what you’re looking for. A good practice is to perform threat modeling. Threat modeling involves thinking like an attacker, simulating a security incident to understand their moves.
By putting yourself in the attackers’ shoes, you can identify potential risks, developing countermeasures to neutralize the threat. Threat hunters also should have information about the assets most likely to be attacked by threat actors, such as intellectual property or financial data.
- Analyze the dark web
Once you map the potential threat vectors, you can track signs of suspicious activity. Threat hunters scan hidden dark web forums—where criminals do business and plan attacks. There, threat hunters can find, for example, where criminals sell stolen data. Threat hunters can leverage this information to identify attackers and their methods, and to devise appropriate protection and remediation plans.
Analyzing the dark web can also help you catch criminals red-handed, while they’re planning an attack or trying to sell access to another actor. Sometimes threat hunters can detect an imminent attack by intercepting conversations about a specific company. The dark web can be a good source of threat intelligence. However, infiltrating dark web forums often requires threat hunters to impersonate criminals. This means building a reputation on the dark web, which will get you invited to the high-level forums by existing members.
- Protect all endpoints
Attackers usually gain access to your network through endpoints (network devices). Endpoint security is the monitoring of endpoint activity and access. This is one of the most basic methods of securing the network, and it’s crucial for threat hunting. Endpoint security enables threat hunters to detect an attacker attempting to enter the network: the software monitors activity and sends alerts when there is unauthorized access.
- Ensure network visibility
You should understand the attack patterns in your network environment. Network visibility ensures no anomaly goes unnoticed. This can be achieved by installing network monitoring solutions such as Intrusion Detection Systems (IDS).
- Mind the insider
Most data breaches originate from malicious or unintentional insiders. Attackers usually need someone “on the inside” that will open the door for them. Therefore, performing internal reconnaissance is as important as searching the network for threats. Strengthening access permissions and using User and Entity Behavior Analytics software can help detect anomalous behavior and prevent insider attacks.
What’s Next? Security Predictions for 2020
The security forecast for 2020 focuses on data breaches as the main risk. Some of the predictions by Gartner for 2020 include:
- A third of data breaches will be caused by shadow IT resources—these are resources used without the approval of the IT department.
- Most vulnerabilities will be the ones known for the past years—that means companies can focus on existing vulnerabilities to prevent attacks.
- More than a quarter of identified attacks will involve the Internet of Things (IoT)—Gartner predicts that protecting IoT devices will become more important in 2020.
The threat landscape is changing. The last wave of data breaches proves the need for a proactive approach to security. Applying the right strategies can help threat hunters beat attackers at their own game.
Author Bio: Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Samsung NEXT, NetApp and Imperva, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership. Gilad can be contacted via LinkedIn.
Gilad David Maayan is a guest blogger. All opinions are his own.