The SolarWinds hack of the software supply chain, which is considered the most significant and far-reaching cyber espionage operation targeting the U.S. government to date, has elevated the government’s interest in risk-based threat hunting.
The Cybersecurity and Infrastructure Security Agency (CISA) last month issued a request for information on industry’s ability to support a Threat Hunting Task Management Tracking System. CISA, which is the lead federal agency for managing national cybersecurity efforts, issued the RFI after a bi-partisan congressional commission succeeded in recommending a threat hunting requirement be placed in the 2021 National Defense Authorization Act (NDAA).
The NDAA gives the Defense Department until September to determine the “feasibility, suitability, definition of, and resourcing required to establish a defense industrial base cybersecurity threat hunting program to actively identify cybersecurity threats and vulnerabilities within the defense industrial base,” according to the language in the law.
From Reactive to Proactive Threat Hunting
Security teams are inundated with alerts and response efforts, oftentimes making proactive security exercises like threat hunting a pipe dream. That’s why reactive threat hunting — searching for a threat based on an alert from a detection device without knowing for sure if it is an actual threat or a false positive — has been the way most organizations have approached threat hunting for the last 20 years.
“This is one of the big problems a lot of organizations are faced with,” said Chris Ralph, a security architect at ThreatConnect during a recent episode of the ThreatConnect Podcast. “As we gather more information, we generate more alerts, and we get overwhelmed or alert fatigue sets in.”
To the contrary, proactive threat hunting takes a strategic, risk-based approach to more precisely define the threat landscape. A risk-based approach looks at threats that are most relevant to a particular organization based on specifically identified, critical risk scenarios. For example, that could be a domain that is relevant to industrial control systems, to finance, to insurance, or just generally a threat to organizations based on their supply chain model.
“Now we want to understand the type of activities that are relevant to a particular adversary, campaign or activity that we can now isolate and begin to look for inside our organization to see whether or not it already exists, whether it’s been picked up with our existing controls, and if not, what we can do about it,” Ralph said. “How can we enhance the existing systems? Does that mean new technologies? Does it mean new rules inside existing technologies? And more importantly is how do we control the proliferation of that particular activity, if we do find it, as part of that proactive threat hunting?”
The Business Benefits
When it comes to threat hunting, there are significant business benefits for those organizations that have a tightly integrated Threat Intelligence Platform (TIP) and Security Orchestration, Automation and Response (SOAR) platform, according to Ralph.
“When we think about the problems that are being faced by our Security Operations Centers (SOCs) and incident responders today, it is the sheer volume of information, alerts and activities that are ongoing on a daily basis,” Ralph said. “But bringing in a security orchestration automation and response system enables us to carry out a large amount of the activities that would normally have been done manually by the analyst, by the SOC, or the incident response teams, and to be able to fully automate those.
So now, instead of receiving an alert about a suspected phishing email and having an analyst take time to analyze it, a SOAR platform can ensure your analysts are only focusing on the real, most important threats to your organization.
“A SOAR platform can actually ingest that phishing email and it can analyze all of the data that’s relevant to it,” Ralph said. “We can integrate them with third-party systems, carry out full malware analysis, enrichment of the data with open-source and premium services. But most importantly, being able to automatically take the results of those activities and carry out a threat hunting exercise internally so that we can not only determine what the risk is relative to this particular investigation, but we can also understand the scope of exposure within our organization,” he said.
“So we can analyze, we can identify, we can carry out the threat hunt, and more importantly, we can also carry out a response, and then generate that all important report that then tells people what just happened and what the risk was to the organization,” said Ralph.
Some organizations are able to employ dedicated threat hunting teams. And while this may appear to be a strategic approach, the reality is they often do not have buy-in from the business leadership. And as a result, they tend to flounder. “They tend to look for threats and risks to an organization that are based on a personal viewpoint. And so there is a bias that then feeds into their activities,” Ralph said.
“When we start to provide a mechanism through the SOAR platform to provide rigor to the process of threat hunting that becomes auditable with a defined outcome,” said Ralph. “We can now start to tie together all of the teams — the SOC, incident response, the threat intel teams, and the risk teams — so that we have the ability to provide a strategic response. And so that, over time, actually benefits the staff because they can now focus on the important activities instead of the false positives.”
Benefits: Threat Hunting With TIP & SOAR
- Reduce the volume of false-positive alerts
- Focus activity on actual, important threats
- Develop an understanding of an adversary’s tactics, techniques, tools and procedures
- Identify new, relevant threat activity and automatically inform our controls