Threat Hunting – Changing Strategies for Enterprise Protection

The digital security industry has been going strong ever since its inception in 1991, with an emphasis on heightened protection that helps efficiently detect threats and prevent them from spreading or harming systems, data and networks. This strategy stood the test of time for a good twenty years, since the number of threats was finite and the rate at which new malware appeared was manageable. For example, it was still possible to isolate a new virus sample and send it to the research lab for analysis, where analysts would develop a detection/prevention signature for worldwide distribution within a day or so.

However, the appearance of Advanced Persistent Threats (APT) in the past few years has completely changed the rules of engagement. The sheer number of new malware samples and their variants has risen exponentially, to the point where hundreds of threats appear on an hourly basis. Many of these do not even activate immediately; they wait for a date, time or event of the attacker's choosing before starting their malicious activity. This raises the question: how do you detect something that has no associated signature, and prevent something that is – at least for the moment – not trying to do anything harmful?

The answer to this question lies in adopting an offensive approach instead of a purely defensive one. Instead of waiting for a signature to be distributed or for a virus to attack the system, one can adopt a whole new genre of solutions, known as Threat Hunting Solutions. These solutions actively seek out malicious code on the network so that it can be isolated and neutralised.

Instead of thinking that every system is clean until proven otherwise, these solutions assume the complete opposite – that the system is compromised unless it has been proven without a doubt to be clean.

The now-prevalent belief is that it’s only a matter of time before the systems are breached. If a breach has already occurred, one cannot depend on the same technologies that let the breach through to detect it now. There needs to be an independent and direct check of the system, which includes an active scan of the processes that are either running in memory or scheduled to run via the registry. This gives a clear picture of what is actually active on the system. A Forensic State Analysis (FSA) tool – often cloud-based – is then run to analyse this data and identify whether something malicious is running. If nothing is found, the system is declared clean. However, this is not a permanent verdict: it is only valid until the next scheduled scan. The check is repeated at the desired frequency to ensure that system sanctity is maintained at all times.
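As an added illustration (not Infocyte's or Hitachi Systems Micro Clinic's code), the following Python sketches that independent check over a constructed host snapshot: running processes and registry Run entries are compared with a known-good baseline, anything persisted but not yet executing is noted as dormant, and the verdict carries the expiry the text describes. All hashes, paths, hostnames and the baseline itself are made up for the example.

```python
from datetime import datetime, timedelta

# Constructed baseline from a known-good image; a real hunt derives this from gold builds.
BASELINE_SHA256 = {"a" * 64}
BASELINE_AUTORUN = {r"c:\users\jdoe\appdata\local\microsoft\onedrive\onedrive.exe"}
# Locations an ordinary user can write to; code persisting or running from here gets a closer look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

# Constructed snapshot of what an endpoint collector might report from one host.
SNAPSHOT = {
    "host": "ws-017",
    "collected_at": datetime(2024, 5, 6, 9, 0),
    "processes": [
        {"pid": 4, "image": r"C:\Windows\System32\svchost.exe", "sha256": "a" * 64},
        {"pid": 3120, "image": r"C:\Users\jdoe\AppData\Local\Temp\upd.exe", "sha256": "b" * 64},
    ],
    "registry_run": [
        {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
         "target": r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
        {"key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svcmon",
         "target": r"C:\ProgramData\svcmon\svcmon.exe"},
    ],
}


def analyse(snapshot, rescan_interval=timedelta(days=7)):
    """Compare live state with the baseline; the verdict expires at the next scan."""
    findings = []
    running = {p["image"].lower() for p in snapshot["processes"]}
    for p in snapshot["processes"]:
        if p["sha256"] not in BASELINE_SHA256:
            findings.append(("unknown_hash", p["image"]))
        if any(m in p["image"].lower() for m in USER_WRITABLE):
            findings.append(("user_writable_path", p["image"]))
    for entry in snapshot["registry_run"]:
        target = entry["target"].lower()
        if target in BASELINE_AUTORUN:
            continue
        if target not in running:
            # Persisted but not executing yet: the "waits for its moment" case.
            findings.append(("dormant_autorun", entry["key"]))
        if any(m in target for m in USER_WRITABLE):
            findings.append(("autorun_user_writable", entry["key"]))
    return {
        "host": snapshot["host"],
        "verdict": "clean" if not findings else "suspect",
        "findings": findings,
        "valid_until": snapshot["collected_at"] + rescan_interval,
    }
```

Each finding is a lead for triage rather than a conviction; what matters is that the host is re-checked once `valid_until` passes.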

The primary objective of Threat Hunting is to control the ‘Dwell Time’, also known as the breach detection gap. This is the time between the successful breach of defences and the subsequent detection of malicious activity, and it poses one of the most significant threats to an organisation’s data and systems. In APAC, the average Dwell Time is as much as 172 days – that’s a lot of time for any form of malware to do permanent damage while remaining virtually undetected.

Therefore, reducing Dwell Time is one of the major priorities of any business. The following diagram shows how the impact on business processes can be mitigated through the reduction of Dwell Time.

As can be seen, even limiting Dwell Time to 28 days resulted in a 22% reduction of the negative impact on the business. Further reduction, of course, is even more beneficial.

Threat Hunting, therefore, offers several significant benefits to the organisation:

  • Provides an additional level of assurance that the systems are ‘clean’, in addition to the assurances of the existing defensive technologies.
  • In case of a breach, it quickly identifies the affected systems for remediation, thus bringing down the cost of incident response.
  • After the successful clean-up of an incident, running the Threat Hunting solution further validates that the systems have been truly cleaned up and there is no ‘remnant’ or ‘backdoor’ that can lead to a recurring problem.

Hitachi Systems Micro Clinic has tied up with Infocyte, one of the pioneers in the field of Threat Hunting. The founders of Infocyte were part of the Threat Hunting team of the US Air Force, and their years of expertise have been distilled into an offering that organisations can use without needing forensic investigators to identify breaches in their network. Hitachi Systems Micro Clinic is offering Threat Hunting Solutions to its customers, both as a product they can purchase for regular use and as a service that can be used on a one-time, monthly or quarterly basis to identify whether there has been any penetration of the network. If you would like to check the health of your network and detect any potential breaches, call us for a free Compromise Assessment today!
