Cyber Hunting: Proactive Detection of Cyber Threats

October 26, 2017 Travis Mercier

In this day and age of expanding technologies designed and developed to enable rapidly growing business, the security methods of the past are long behind us. The era of defending our perimeters and “setting and forgetting” tools to protect our environments is over.

As technology has grown to enable new business opportunities, we’ve increased our attack surface — the technology footprint exploitable by cyber attackers to gain access to our data and our businesses. While we’ve found new ways of executing our business, we’ve also created new business opportunities for cyber threats.

The threats we face today are organized, motivated, well trained, well equipped and are often backed by nation states or organized crime syndicates. Threats of this sophistication require a new approach to security, with the assumption that it’s not if you will be compromised, but when.

The methods often used by advanced adversaries are undetectable by tools and require expertise and human intelligence to detect. These concepts have led to the birth of cyber hunting.

What is cyber hunting?

Cyber hunting is the proactive, human analysis of all activity occurring within your tech footprint, and the contextualization of that activity to your business, to best identify anomalies that could be indicative of a malicious action.

This is achieved by gathering detailed sets of data from throughout your environment, such as system, network infrastructure and application logs, as well as raw event data from security tooling. That data is then aggregated into a single location to be reviewed and hunted by skilled security analysts.

There are two main types of cyber hunt missions Rackspace cyber analysts typically execute: generic and targeted hunts.

Generic hunts are generalized towards identifying known malicious activities and tactics, techniques, and procedures which cross all adversarial groups and industries. Essentially, the activities sought in generic hunt missions are those that are negative no matter who the attacker is or what their motivations may be.

Targeted hunts, however, are more focused and detail-oriented, and include a significant amount of prep work before the missions are executed. The process of a targeted hunt starts with understanding the business that the mission is focusing on:

  • What industry is this business in?
  • What are potential adversarial motivations?
  • What data is critical to their business?
  • What technologies are in their attack surface?
  • Are any of your organization’s existing technologies targeted by an adversary?

Once these questions have been answered, research is done to identify which adversaries would be interested in targeting this business and what the tactics, techniques and procedures of those specific adversaries are. A hunt mission plan is then formulated from those findings and from the behavioral indicators identified through research, and the mission itself is executed, looking specifically for known activities used by the adversary throughout their attack lifecycle.
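As an added illustration (not Rackspace's tooling and not code from the original post), the sketch below expresses a targeted hunt plan as behavioral indicators tied to attack-lifecycle stages and runs it over events aggregated from system, application and network sources. The events, account and host names, stage names and thresholds are all constructed assumptions; the result is a list of leads for an analyst to review, not a verdict.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events, already aggregated from three log sources.
EVENTS = [
    {"ts": "2017-10-02T02:31:00", "source": "network", "host": "db01", "user": None,
     "action": "outbound_transfer", "bytes": 900_000_000, "dest_internal": False},
    {"ts": "2017-10-02T02:14:00", "source": "system", "host": "db01",
     "user": "svc_backup", "action": "interactive_logon"},
    {"ts": "2017-10-02T02:20:00", "source": "application", "host": "db01",
     "user": "svc_backup", "action": "bulk_export", "rows": 480_000},
    {"ts": "2017-10-02T10:05:00", "source": "system", "host": "web01",
     "user": "alice", "action": "interactive_logon"},
    {"ts": "2017-10-02T10:30:00", "source": "application", "host": "web01",
     "user": "alice", "action": "bulk_export", "rows": 120},
]

# Business context gathered during hunt preparation (hypothetical values).
SERVICE_ACCOUNTS = {"svc_backup"}   # accounts that should never log on interactively
CRITICAL_HOSTS = {"db01"}           # hosts holding business-critical data

# Hunt plan: (lifecycle stage, behavioral indicator, predicate over one event).
HUNT_PLAN = [
    ("access", "service account used interactively",
     lambda e: e["action"] == "interactive_logon" and e["user"] in SERVICE_ACCOUNTS),
    ("collection", "large export from critical host",
     lambda e: e["action"] == "bulk_export" and e["host"] in CRITICAL_HOSTS
     and e.get("rows", 0) > 100_000),
    ("exfiltration", "large transfer to external destination",
     lambda e: e["action"] == "outbound_transfer" and not e.get("dest_internal", True)
     and e.get("bytes", 0) > 500_000_000),
]

def run_hunt(events, plan):
    """Return {host: [(ts, stage, indicator, source), ...]} in time order."""
    hits = defaultdict(list)
    for e in sorted(events, key=lambda ev: datetime.fromisoformat(ev["ts"])):
        for stage, indicator, matches in plan:
            if matches(e):
                hits[e["host"]].append((e["ts"], stage, indicator, e["source"]))
    return dict(hits)

def leads(hits, min_stages=2):
    """Hosts whose hits span several lifecycle stages go to the analyst first."""
    return sorted(h for h, rows in hits.items()
                  if len({stage for _, stage, _, _ in rows}) >= min_stages)
```

Each event on `db01` looks like routine administration when read in its own log; it is the sequence across sources and lifecycle stages that makes the host a lead.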

Why is this important?

Cyber hunting is, in a sense, an investigative and forensic approach to cyber threat identification. Cyber hunting capabilities focus on adversary tactics, techniques and procedures early in the attacker lifecycle, thereby speeding detection of the attack and allowing for earlier response.

This reduces the risk of the attacker achieving their objectives and causing harm to your business. Most importantly, cyber hunting enables the identification of activities that often go undetected and are missed by tools. In this way, it fills the capability gap between detecting commodity threats and detecting more sophisticated and advanced adversaries.

Expertise for a new normal

The visibility and detection capability enabled by cyber hunting, through cyber security analyst expertise, is something that cannot be replicated by a tool or machine. Security analysts’ experience and expertise allow them to use their own intellect and method of executing a cyber hunt, pivot through data and pick out anomalies, which in most cases would be passed off as legitimate administrative activity.

As we continue to develop new technologies to support and enable our businesses, we will continue to grow opportunities for adversaries to exploit and gain access to data that is critical to us. A new strategy is necessary to combat our cyber threats, and it starts with investing in security professionals and reducing reliance on tools and machines to protect what is most important to our businesses.

Visit Rackspace to find out more about how our cyber hunters can help keep your business safe, inside and out. And check out the Deep Dive interview I did on “Cyber Hunting: The Anatomy of an Attack”. You’ll hear first-hand why many traditional perimeter security approaches are no longer effective against evolved cyber-attacks.
