Sometimes cybersecurity can feel a lot like a game of chess. Both center around your most valuable asset—in chess it’s the king, in cybersecurity it’s the data. And just when you think you’ve mastered an offensive tactic and built strong enough defenses, your opponent finds new ways to attack. In both cybersecurity and chess, it’s all about protecting, detecting, and responding in order to lessen or, ideally, stop the attack.
We’re used to hearing about a number of information security strategies to protect our data “king” such as firewalls, encryption, antivirus, and anti-malware. Let’s think beyond these and explore a more stealthy tactic that may give you a significant advantage on your cybersecurity chessboard: threat hunting.
For that, we sat down with Cody Hewell, quality manager, for a quick Q&A on this covert data security tool.
First, what is threat hunting?
It’s just like it sounds—a tactic used to comb through environments to proactively “hunt” for data security threats within your organization’s network. It’s different from typical preventive measures, such as intrusion detection systems (IDS), which alert users of issues. Threat hunters lean on automated alerting tools based on endpoint detection, security information and event management (SIEM), and traditional network detection tools to do their hunting, then begin investigating any potential compromises. In short, it’s all about jumping in head first off the diving board to find deep, hard-to-see, sophisticated issues that may have slipped past your initial endpoint security defenses. Here is a great article from CrowdStrike that gets into the process and methodology of threat hunting.
Why is threat hunting an important tool?
Threat hunting helps reduce the time it takes for an intrusion to be discovered, thus minimizing the amount of damage done. In fact, according to the SANS 2022 Threat Hunting Survey report, organizations see a 10-25% improvement in their overall security posture from threat hunting.
What types of companies should build in threat hunting as part of their cybersecurity toolbox?
Threat hunting is beneficial for any company that stores or has access to data someone may want to steal—in other words, pretty much any company in business today. Traditional methods such as firewalls and IDS are always a must, but threat hunting is a great way to add an extra layer of protection to ensure your sensitive data is safe.
How does threat hunting work within a company’s larger data security strategy?
Threat hunting is another tool to add to your toolbox. It is highly complementary to the standard process of incident detection, response, and remediation, working in parallel to track down any potential cyber threats that could be lurking undetected in your network through queries and automation.
Is threat hunting something you do annually or on a consistent basis?
It is an ongoing, active strategy to detect any evidence of a compromise. This is because if a cyber criminal is able to sneak into your network, they can hide in there and quietly collect confidential data, login credentials, and more for months at a time. The more consistently you are threat hunting, the more swiftly you’ll catch on.
Who actually does the threat hunting? Is it typically an internal role or completed by a third party?
This depends on the maturity of your organization. More established companies with larger staff numbers may have a person or information security team who takes this on. However, many of our clients don’t have the capacity to handle this internally. If that’s the case for you, you’re not alone. According to the same SANS report, 51% of organizations surveyed identify a lack of skilled staff and training as the primary barrier to success as a threat hunting team. The good news is, BARR can connect you with the right partners regardless of your organization’s size and structure.
Another option to explore is a bug bounty program. This is when a company offers compensation, often called a bounty award, to ethical hackers who find security vulnerabilities and weaknesses, or “bugs,” within their code, software, etc. Learn more here.
What else do you want us to know about threat hunting?
Before beginning any sort of threat hunting, make sure you understand what is considered normal in your environment. Having an established baseline will help you notice unusual activity when hunting.
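The baseline-first advice above is the part of threat hunting that is easiest to show in code. The following is an added example, not code from the original post or from BARR Advisory: it builds a per-user baseline from a week of constructed SSH authentication log lines (mean and standard deviation of daily successful logins, plus the set of source IPs each user normally logs in from), then hunts over a later window and reports anything that departs from that baseline. The log format, host and user names, IP addresses, and the `k = 3` threshold are all assumptions made for the illustration.

```python
"""Baseline-then-hunt over authentication logs.

Added example (not from the original post). Log format, users, hosts,
IPs and thresholds are constructed for illustration only.
"""
import re
import statistics
from collections import defaultdict

# Constructed syslog-style line: date, host, daemon, result, user, source IP.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<host>\S+) sshd: "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def log_line(date, user, ip, result="Accepted", host="app01"):
    """Build one constructed log line in the format LINE_RE expects."""
    return f"{date} {host} sshd: {result} password for {user} from {ip}"


# Baseline window (constructed): five days of routine logins.
BASELINE_LOGS = []
for day in range(1, 6):
    date = f"2024-01-0{day}"
    BASELINE_LOGS += [log_line(date, "alice", "10.0.0.5")] * 2
    BASELINE_LOGS += [log_line(date, "bob", "10.0.0.7")] * (1 if day % 2 else 2)

# Hunt window (constructed): the period being examined against the baseline.
HUNT_LOGS = (
    [log_line("2024-01-08", "alice", "10.0.0.5")] * 7          # unusual volume
    + [log_line("2024-01-08", "bob", "203.0.113.9")]           # never-seen source
    + [log_line("2024-01-08", "svc_backup", "10.0.0.22")]      # unknown account
    + [log_line("2024-01-08", "alice", "198.51.100.4", result="Failed")]
)


def parse(lines):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def build_baseline(events):
    """Per user: mean/stdev of daily successful logins and the set of source IPs seen."""
    daily = defaultdict(lambda: defaultdict(int))   # user -> date -> count
    sources = defaultdict(set)                       # user -> {ip, ...}
    for e in events:
        if e["result"] == "Accepted":
            daily[e["user"]][e["date"]] += 1
            sources[e["user"]].add(e["ip"])
    baseline = {}
    for user, per_day in daily.items():
        counts = list(per_day.values())
        baseline[user] = {
            "mean": statistics.fmean(counts),
            "stdev": statistics.pstdev(counts),
            "ips": sources[user],
        }
    return baseline


def hunt(baseline, events, k=3.0):
    """Return (date, user, reason) findings for successful logins that break the baseline.

    Failed logins are ignored here; they deserve a separate hunt of their own.
    """
    findings = []
    daily = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["result"] != "Accepted":
            continue
        user = e["user"]
        if user not in baseline:
            findings.append((e["date"], user, "user not in baseline"))
            continue
        if e["ip"] not in baseline[user]["ips"]:
            findings.append((e["date"], user, f"new source ip {e['ip']}"))
        daily[user][e["date"]] += 1
    for user, per_day in daily.items():
        if user not in baseline:
            continue
        b = baseline[user]
        # Floor the stdev at 1 so a perfectly regular user still gets some tolerance.
        threshold = b["mean"] + k * max(b["stdev"], 1.0)
        for date, n in per_day.items():
            if n > threshold:
                findings.append((date, user, f"{n} logins vs threshold {threshold:.1f}"))
    return sorted(set(findings))


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOGS))
    for finding in hunt(base, parse(HUNT_LOGS)):
        print(*finding, sep=" | ")
```

Running the hunt over the baseline window itself returns nothing, which is a useful sanity check before pointing it at live data; over the hunt window it surfaces the three departures (an account with no baseline, a known account from a never-seen source, and a login count well above the user's norm). None of these is proof of compromise, only a starting point for the investigation the interview describes.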
After all, data is the king of your company’s chessboard—protect it by adding threat hunting to your security framework. What’s the best way to get started? Contact us and we’ll help you navigate it and, if needed, connect you with one of our trusted partners.
As quality manager, Cody has successfully worked within attestation doing audit engagements at BARR Advisory and other firms. Previously, he worked in GRC and risk teams at Fortune 500 companies. In addition, he has past U.S. Military experience, including active and reserve roles in the U.S. Army, working in technical operations.
Cody earned a Master of Science in information systems from Georgia State University, a Master of Science in instructional systems and learning technologies from Florida State University, and a Bachelor of Arts in political science from the University of Georgia.