The cybersecurity landscape is in a constant state of change and, as many organizations have learned, it’s no longer a matter of if you’ll face a cyberattack, but when. In today’s world, attackers intentionally look normal to evade automated defenses. With the rise of ransomware, fileless and non-malware attacks, it’s harder than ever to protect your endpoints with confidence.
In response, threat hunting has emerged as an essential process for organizations that want to preempt destructive attacks. It is a proactive approach to cybersecurity that identifies gaps in defenses and stops attacks before they go too deep.
While it may seem aggressive to work on the “assumption of breach” — that attackers are already inside an organization’s network and are covertly monitoring and moving throughout it — the reality is that attackers may be inside a network for days, weeks and even months on end, preparing and executing attacks, without any automated defense detecting their presence.
The bottom line is this: The adversary is hunting for your security gaps…why aren’t you?
Unfortunately, there is a lot of confusion around threat hunting that is preventing professionals from being proactive and getting the most out of their investments. For this reason, we want to help debunk some of the most common myths about threat hunting.
Last week we talked about the first myth—"EDR is Threat Hunting"—and this week we're going to tackle myth #2: "Threat Hunting Is Too Complicated."
Not necessarily. The reality is, people have been hunting for malicious computer activity for as long as computers have existed. If you’re in IT, you troubleshoot all the time. You’re constantly detecting and looking into odd behavior. For example, if you saw CPU usage on an endpoint running at 100%, you’d probably want to investigate. When you threat hunt, you’re simply looking at this same kind of anomaly from a security perspective. And if you think you or your team lack the skills for this, think again. Believe it or not, the core skills needed to hunt effectively are baseline information security skills such as operating system and networking knowledge.[1]
Whether you know it or not, you’re probably already hunting, just without a formal process or technology to make it easier. The only difference between your current security work and “threat hunting” is putting together a program with metrics for measurable success. If you use a security platform that’s built for threat hunting, automated data collection reduces the complexity of the work and cuts down on the time-intensive incident response that keeps most organizations reactive when an incident inevitably occurs.
It’s also important to understand that threat hunting is something that matures over time. You don’t have to start out as an expert. You don’t need to boil the ocean to threat hunt; you just need to measure success and continuously improve.
Remember, your team has the home-field advantage against the attacker. You and your team know your environment best, and you are well-positioned to find gaps. If you’re actively searching for these gaps, odds are you’ll find them long before an adversary does.
To learn more about the common misconceptions about threat hunting…
[1] SANS 2018 Threat Hunting Survey
The post Top 5 Threat Hunting Myths: "Threat Hunting Is Too Complicated" appeared first on Carbon Black.