Why cyber threat hunting is the new frontier in cyber security
Updated 22nd June 2018
The fact that hackers can break through your cyber defences is no longer surprising. One glance at Hacker News reveals how many cyber risks there are out there, from software flaws and vulnerabilities, to surprisingly convincing ransomware attacks and social engineering that can catch you unawares at any moment. Unfortunately, all the security in the world won’t stop the cyber nasties getting in - if they really want to.
But what is surprising is how long it takes firms to detect cyber-attacks after they’ve occurred - by which point it’s invariably too late. The Dixons Carphone breach that hit the headlines recently actually happened way back in July 2017, meaning it wasn’t discovered until almost a year later. And remember the massive Yahoo! breach reported in 2016? It took the best part of two years for the company to realise the true extent of it, by which time user details were up for sale to any unsavoury character perusing the darknet.
Cyber security experts talk about an 80/20 rule when it comes to cyber-attacks, with 80% of breaches classed as relatively unsophisticated, 20% as more advanced and around half those as extremely advanced, meaning they’re very difficult to stop through typical cyber hygiene and blocking techniques. The difficulty of keeping this 10% out is why cyber security can no longer be limited to prevention but must also focus on detection and containment post-infection. And that is exactly where cyber threat hunting comes in.
What is threat hunting?
Threat hunting is the practice of proactively searching out cyber-attacks and data breaches once they’ve broken through your defences, in order to isolate and contain the issue before it can do any serious damage. As well as stopping hackers in their tracks, it also enables companies to identify the kinds of attacks that are being developed and succeeding in real-time, with a view to improving defences and response plans going forward.
The practice typically involves analysing large volumes of data from across business systems, including firewall logs, email, web and network traffic, in search of suspicious activity. Common signs that your defences have been breached include behavioural anomalies, such as unauthorised access attempts, suspicious IP addresses, domains or file names and denied or flagged connections.
Threat hunting can be extremely effective, with a recent study by IBM showing it improves the speed of threat detection and response by 2.5 times. As a result, it’s rapidly gaining a following, with 40% of security professionals now using threat hunting tools, an increase of 5% since last year. And of those who aren’t, 60% are planning to introduce these tools and techniques in the next three years.
What tools are out there?
Threat hunting is still an evolving area which means new technology and approaches are appearing all the time. Common tools are anti-phishing or other message monitoring software, which track firewall activity. Security Incident Event Management (SIEM) platforms have also been around for a while, designed to analyse alerts generated by applications and network hardware in real-time. However, these approaches have their limitations, as they often require cumbersome hardware to be installed plus they aren’t always joined up easily, which means analysing and comparing different outputs takes time and manpower, impacting costs as well as detection and response times.
A more effective approach is via threat intelligence platforms, which take a much more holistic view. By aggregating data from numerous endpoints, these tools can analyse the entire flow of information into and out of an organisation in order to more accurately and rapidly identify potential threats. Many of these systems also draw on external intelligence and attack histories, using machine learning to spot threats as they evolve in cyber space.
Why isn’t threat hunting used more widely?
Threat hunting requires specialist technology and skills, which is probably why a third (33%) of security professionals say their capabilities in this area are currently limited. In fact, almost half (45%) blame budgets for the gap, with the cost of investing in the tools and skills placed significantly higher than other factors. But as the technology and cyber security skills progress, threat hunting technology should become accessible to a wider market and broader range of businesses.
How can your business benefit now?
The technology and skills required for threat hunting might bust the budget of most start-ups and small businesses, but a good alternative is to find an outsourced security provider that offers threat hunting as part of its services. If you’re working with sensitive customer data, including payment and personal information, it could definitely be worth looking into, greatly reducing the risk of falling victim to an attack and minimising the often catastrophic fall-out that comes with it.
For more on cyber security for startups and small businesses, have a read of our Ultimate Guide to Cyber Security.
And remember, if you are hit by a cyber-attack, your last line of defence is a specialist cyber liability policy, which will cover you for breach of regulations, such as the GDPR (where insurable by law), your liability for handling data, as well as extortion and system rectification costs. Plus, with Digital Risks, you'll even be covered for PR expenses, business interruption, credit monitoring services and financial loss due to system downtime. Find out more here.
Why is cybersecurity important?
To prevent your business from being a victim of third-party cyber attacks, there is a number of things you can do. Don't follow the wrong example - get your business covered.
25 cybersecurity resources you need to see
Here are 25 of the best cybersecurity resources out there to stay up to date with the rapidly growing area.