Threat hunting and why combating cyber attacks needs a human element [Q&A]
The threat landscape facing businesses is more complex than ever and it's rapidly changing. No surprise then that traditional approaches to security are struggling to cope.
This has led some security companies to turn to a more dynamic approach of seeking out threats rather than simply responding to attacks.
We spoke to Adam Bateman, Managing Director of Countercept at specialist information security company MWR Info Security, to find out more about threat hunting, what it does and how it can be implemented, plus why we can't afford to ignore the human angle.
BN: Why are traditional security techniques no longer up to the job?
AB: In general, traditional security falls into a couple of categories. The first is signature-based technology, which focuses on known knowns, so you have a big database of attacker tools and viruses and if the technology sees one of those things it will fire off an alert to begin the response. It's rather like having a police force that only ever looks for known criminals.
Traditionally security is also reactive and very tool-centered, so even the analyst who is looking at alerts is dealing more with the output from the technology than with how the attacker actually operates. This is a problem, as attackers are constantly trying to bypass security technology.
BN: What's the alternative, do we need to rely more on behavioral approaches?
AB: In terms of the signature approach, it can still be used; it's not a bad thing to detect something that's known. But we see it as much more of a backup than as a means of primary detection. Going back to the police force analogy, you might have special teams going out looking for unknown threats, but they can still match known bad guys to their records.
You need to focus on the unknown attacks, and there are a couple of techniques for this. There's security analytics, which is focused on rarity, for example comparing all of the endpoint devices in an organization and recognizing which one is behaving differently. The other way is machine learning, which will profile what normal looks like -- how a user behaves, for example -- so it can spot when a device or ID logs in from a new location, which might mean it's been stolen.
This also allows you to spot when an endpoint has been compromised and is reporting back to a command and control server. A signature approach would simply block known bad IP addresses but a machine learning approach can identify the pattern of traffic on a C&C channel.
While machine learning is incredibly powerful, it's not something that solves the attack detection problem. It's something which narrows your focus and attracts the attention of a human analyst to take a look. If and when machine learning does become good enough to work on its own, it's likely the attackers will be using similar techniques and you'll get into an AI versus AI battle. It's therefore a mistake to rely on machine learning completely.
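The two detection ideas described above, rarity across an estate of endpoints and the regular traffic pattern of a C&C channel, as an added example that is not code from the original interview or from MWR/Countercept. All telemetry is constructed inline (host names, the `svchost_helper.exe` process name and the timestamps are invented), and the 0.1 regularity threshold is an assumed tuning value, not a figure from the page.

```python
"""Rarity analysis and beacon-regularity scoring over constructed endpoint telemetry."""
from statistics import mean, pstdev

# Constructed: process names observed on each endpoint (not real telemetry).
# svchost_helper.exe is an invented name, present on exactly one host.
ENDPOINT_PROCESSES = {
    "ws-01": {"explorer.exe", "outlook.exe", "chrome.exe"},
    "ws-02": {"explorer.exe", "outlook.exe", "chrome.exe"},
    "ws-03": {"explorer.exe", "outlook.exe", "chrome.exe", "svchost_helper.exe"},
    "ws-04": {"explorer.exe", "outlook.exe", "chrome.exe"},
    "ws-05": {"explorer.exe", "chrome.exe"},
}

def rare_processes(endpoint_processes, max_hosts=1):
    """Return {process: [hosts]} for processes seen on at most max_hosts endpoints.
    This is the rarity comparison: something present on one machine and none of
    its peers is what an analyst should be pointed at first."""
    seen_on = {}
    for host, procs in endpoint_processes.items():
        for proc in procs:
            seen_on.setdefault(proc, []).append(host)
    return {p: sorted(h) for p, h in seen_on.items() if len(h) <= max_hosts}

# Constructed: epoch seconds of outbound connections from one host to one destination.
# BEACON_TIMES is evenly spaced (~300 s); BROWSING_TIMES is bursty, like a person.
BEACON_TIMES = [1000, 1301, 1599, 1902, 2200, 2501, 2799, 3100]
BROWSING_TIMES = [1000, 1007, 1120, 1121, 1400, 2210, 2215, 2900]

def beacon_score(timestamps):
    """Coefficient of variation of the inter-connection gaps. Near 0 means the
    connections are evenly spaced, the heartbeat pattern of a C&C channel,
    regardless of whether the destination is on any known-bad list."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 3 or mean(gaps) == 0:
        return None  # too few connections to judge regularity
    return pstdev(gaps) / mean(gaps)

def is_beaconing(timestamps, threshold=0.1):
    """Flag a connection series as beacon-like below an assumed CV threshold."""
    score = beacon_score(timestamps)
    return score is not None and score < threshold

if __name__ == "__main__":
    print("rare processes:", rare_processes(ENDPOINT_PROCESSES))
    print("beacon series regular:", is_beaconing(BEACON_TIMES))
    print("browsing series regular:", is_beaconing(BROWSING_TIMES))
```

Both checks only narrow the analyst's focus, as the answer above says: a rare binary or a regular heartbeat is a lead for a human hunter, not a verdict.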
BN: How big a part does user education play in identifying threats?
AB: Stopping attacks from occurring in the first place is very important; one of our managed service divisions focuses on security behavior, so you drive good user habits such as not clicking on links or launching attachments. Although this is a strong first layer of defense, you have to assume that in a large enterprise it only takes one error -- perhaps by a new staff member -- to facilitate an attack, so although training can reduce the risk it doesn't remove it.
BN: What makes a good threat hunter?
AB: Threat hunting is people-centric rather than technology-centric. The technology is just an enabler which allows the hunter to navigate the threat quickly, but what's absolutely key is that they know what they're looking for. That means looking for attacker activity rather than just attacks. In our experience the best people to do this are security professionals that take an 'offensive' approach. But responders are important too; they're likely to know what to look for based on previous attacks. We're talking about having high-calibre security experts that can understand the attacker mindset and not focus just on the technology.
BN: Are more companies adopting this threat hunting model?
AB: People have been doing attack detection for a long time; managed security service providers (MSSPs) have been doing something similar for around 20 years. However, they tend to use a more traditional model.
The market is set to be around $30 billion by 2020 and Gartner reckon that by 2020 around 60 percent of enterprise security budgets will be allocated to rapid detection and response.
BN: Will we see this approach start to trickle down into smaller organizations?
AB: We monitor both large and small organizations. Smaller companies can present particularly interesting targets for attackers depending on the industry they're operating in, or they may be a big player in a sector even though they have relatively few employees.
BN: How will the market develop in the next few years?
AB: MSSPs in the past have tended to be focused on a very traditional approach. Threat hunting is much more proactive and it's starting to catch on; MSSPs are starting to adopt at least the terminology. In some cases though, this could be just renaming monitoring to 'threat hunting' and buying a different tool. But it's still tool-centric rather than people-centric.
If you look at the market as a whole, there are the traditional MSSPs; there are newer EDR (endpoint detection and response) providers who are doing threat hunting but are still heavily reliant on tools, albeit more modern ones, and centered on an endpoint solution. Finally there are the security companies which have both a defensive and an offensive approach and focus less on tools and more on people, using skilled threat hunters with excellent ability backed by knowledge. Ultimately it's a strategic battle between human beings on the security and threat actor sides rather than a reliance on technology.