Today’s threat landscape is larger than ever before and the speed at which an adversary can exploit gaps in a security framework is only getting faster. Faced with this dangerous combination, organizations are increasingly recognizing the limitations of their more traditional reactive approaches to cybersecurity i.e. the tactic of threat hunting. Typically, threat hunters will look for an assumed breach or bad actors within their environment and try to mitigate the damage they can do.
However, the very definition of threat hunting suggests that the organization has already been breached before any action is taken. And that is no longer good enough. We need to shift the mindset of businesses from mitigating threats in progress to building a holistic overview of their environment that enables them to identify areas of risk ahead of time.
New regulations, such as NIS2 and DORA, are purposefully designed to make organizations more preventative and proactive in their cybersecurity approach, with the aim of flipping to this new form of risk hunting instead. Far more proactive in its methodology, risk hunting empowers organizations to identify, assess, and mitigate potential risks before they manifest into concrete threats. But how should companies best go about implementing a risk hunting framework?
In what business areas should you be looking for risks?
As an industry we currently lack a proper understanding of how threat actors think and therefore what constitutes risk within an organization. This is due to not anticipating the speed of which threats are evolving, which means that organizations are always defending against old attacks and not anticipating that evolution. NIS2 – while helping to raise the metaphorical bar for foundational security – is not detailed enough to help organizations close those risk gaps by itself. Companies need to build teams that are specifically designed to act as threat actors would and test the limits of the existing policies and frameworks.
In terms of its scope, risk hunting shouldn’t be focused solely on locating digital vulnerabilities that can be hacked by outside threats. It needs to be as all-encompassing as possible – identifying how resilient the business might be if there is a DDOS attack or the internet goes down, for example.
What is the best approach to risk hunting?
There are numerous risk hunting methodologies, including the use of advanced analytics, threat intelligence, and anomaly detection techniques. Intelligence-based risk hunting is the optimum form from my perspective. It is the process of leveraging threat intelligence to drive the hunt for risk. Unlike threat hunting, which uses Indicators Of Compromise (IOCs) and Tactic, Techniques and Procedures (TTPs) to determine where risk may lie, or where a certain attacker will leverage a potential risk, risk hunting needs to be using Indicators of Attack (IOA). These are patterns or behaviours that indicate an ongoing or imminent attack. These indicators help identify the TTPs used by threat actors during an attack.
There are lots of technologies available that help organizations map out their environment and layer on intelligence to identify weak spots. Many companies are testing digital simulations of potential attacks, for example, to understand how their security framework would stand up against attacks of different magnitudes. Security teams can then tweak their policies based on that intelligence to better prepare them for a real attack. So, there is certainly not a lack of tools and information available to support organizations in risk hunting. Where the gaps come in, is in some of the skills needed to use the tools effectively and then apply them to an environment that is already highly complex. There are very few people who have the inherent skill or knowledge to actually implement a risk hunting approach and then understand what needs to be done to mitigate the dangers that it identifies.
The best team to fit the risk hunting profile is what we consider a ‘purple team’. This would be made up of a combination of red and blue team members and their skillsets – red teams typically try to find the vulnerabilities in an organization’s framework, and blue teams help to close the gaps from within the organization. So, businesses don’t need to hire completely new teams to conduct an effective audit, but instead bring together disparate teams with a combined skillset to hunt the internal risks together, from both a defense and offense perspective. These purple teams, supported by AI technologies, can ingest the right data and find the correct meaning from it to make the necessary changes and evolutions.
Making risk hunting simple and actionable
Even with the right teams and tools in place, security teams still face an up-hill battle to understand the risk data they collect. The dark truth is that both CISOs and more general security practitioners are ill-equipped to risk hunt with disparate tools that produce overwhelming amounts of disaggregated data. This needs to then be cross-referenced and prioritized to identify any common trends. The current process makes it nearly impossible to digest and render actionable intelligence. Siloed security tools and manual processes paint an incomplete picture of cyber risks and give security teams no meaningful way to remediate them.
To be able to ascertain what data is relevant, CISOs need to connect their multiple tools into one solution framework that can connect the dots and quantify organization-wide risk in a visual format. Data for data’s sake isn’t helpful to a security team that has limited manpower and time – by using technologies such as AI, the teams can crunch the numbers and present a clear and actionable plan to present to the board.
For too long, businesses have been reactive to the cyber dangers that surround them. This may be due to a lack of investment in security teams or a lack of understanding of threat actors. With the advent of NIS2 and DORA, security is going to be forced onto the agenda, giving security practitioners the stage to up-level their security framework and push for greater investment. By risk hunting the gaps in the current framework and presenting it back in a simple and actionable way, security teams will be able to cut through the noise and impress upon the C-suite the steps that need to be taken to become compliant. But risk hunting shouldn’t stop with regulations. These types of audits should become part of an ongoing cycle for security teams to stay ahead of threat actors and ensuring that your security framework is fit-for-purpose at all times.
We list the best Zero Trust Network Access solutions.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro