Roles in cybersecurity have evolved to include the title of “Threat Hunter”. It sounds cool, but I’m sure many of you are wondering what it really means and how it differs from the job you’ve been doing. Up until now, most of us have performed a job more akin to “Threat Wrangler”: once you’re aware of a breach, you attempt to find it, lasso it and drive it out of your systems.
Threat hunting is different. Threat hunters aren’t waiting for an alert to tell them there is a problem; they go looking for it. I define threat hunting as the ability to look into your environment and find nuggets of information that indicate either a risk of attack or an attack already in progress. The key is having the tools, the process and the knowledge to be proactive rather than reactive.
The sooner your cybersecurity team can transition to a threat hunting mentality, the better protected your environment will be. Here are my four basic steps to make the change:
Attackers range from APTs down to script kiddies, and all of them are still out there potentially targeting your systems. I’m a big believer in layered security, since no single product or solution is going to find everything. Where it makes sense, keep your AV, your IDS/IPS and your firewalls. These remain an important foundation for stopping known threats, and hunting is about what they miss, not about replacing them. So don’t eliminate your security stack; consolidate it and build on it.
Proactive threat hunting isn’t practical with traditional prevention tools alone, because they only surface what they already know to block. You need a solution that gives you unfiltered visibility into your endpoint data (process executions, command lines, network connections and the like) so that you can find those important nuggets. That’s why we developed CB ThreatHunter: to give SecOps and IR teams a powerful way to make sense of the sheer volume of security data they have and to find the behaviors attackers are trying to hide.
You can’t stop at getting the right tools. Your team needs training on how to use those tools and how to execute a threat hunt successfully. This means adopting policies and processes that help your team make sense of your own environment, because you can only spot what is abnormal if you know what normal looks like. Put the same amount of time and consideration into processes and training that you put into selecting and purchasing threat hunting software. You won’t regret it!
The final step is testing. Proactive hunts are great, but testing is even more critical. Testing helps you find and fix vulnerabilities before they can be exploited, and it tells you whether your hunts actually surface the behaviors they were written to find. Testing also helps your team prepare for real attacks. Consider establishing a Blue Team and a Red Team so that one side exercises your defenses and the other sharpens them.
For more help on becoming a threat hunter, be sure to check out the 4-part webinar series, Become a Threat Hunter. You’ll develop critical introductory skills, learn to identify four common threats and learn how to hunt them using the latest cybersecurity software.