
Threat Hunting after the Holidays

  • Written by Niranjan Jayanand, WatchTower Threat Hunting Manager - Asia Pacific, at SentinelOne

With the holidays approaching, employees around the world are looking forward to taking time off to celebrate with their family and friends. For cybersecurity departments, that often means skeleton crews working shorter hours and responding to high-priority alerts. Threat actors know this, and often use these time periods to sneak malware into a system and leave it latent until the right moment.

This infiltration can easily go unnoticed during this time of year, and the malicious code sitting within the company system may not be exploited for several months. By the time the threat actor is ready to launch their attack, they have everything they need in place to steal data, transfer money to their own accounts, or wreak havoc.

Post-holiday threat-hunting activities can help Australian businesses find these pieces of malware and safely remove them from the network. Threat-hunting activities were recently legislated in Singapore, and we believe it is advisable for all Australian businesses to conduct them.

What is Threat Hunting?

Threat hunting is a proactive effort to search for signs of malicious activities that have evaded security defences within an organisation. Threat hunters are able to uncover hidden threats that may be waiting to execute an attack or find events that have already compromised the environment.

Effective threat hunting helps uncover hidden advanced persistent threats (APTs), cybercrime, policy misuse, insider threats, poor security practices, and environmental vulnerabilities. The activity aims to identify attacks that slipped past your defensive shield.

Meeting Threat Hunting Standards

In most countries in the Asia Pacific, the legislation mandates that organisations should collect and store logs of all attempts to access the company’s network and digital assets, as well as the number of network connection attempts from both within and outside the company. Best practice for cybersecurity hygiene also encourages organisations to collect and store firewall logs, DNS logs, web proxy logs, and NIDS/NIPS logs.

The logs should use a consistent time source, be protected against unauthorised access, and be stored for a minimum period of 12 months. Moreover, it is best if the logs are monitored by a log retention policy with a log file structure that facilitates analysis. These logs should be available for any threat-hunting investigation.
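The requirements in the two paragraphs above (the required log sources, a consistent time source, protection against unauthorised access, a 12-month minimum retention) are the kind of thing a team should verify before a post-holiday hunt, because a hunt is only as good as the logs it can query. Below is an added example, not part of the original article and not SentinelOne code, of a small readiness check over a constructed inventory of log sources. The `LogSource` fields (`time_source`, `retention_days`, `world_readable`, `newest_event`) are assumed names for whatever your log platform actually exposes; the inventory values are constructed.

```python
"""Post-holiday log-readiness check (added example; constructed data)."""
from dataclasses import dataclass
from datetime import date

# Sources the article lists as mandated or best practice.
REQUIRED_SOURCES = {"access", "firewall", "dns", "web_proxy", "nids_nips"}
MIN_RETENTION_DAYS = 365   # "a minimum period of 12 months"
MAX_STALE_DAYS = 1         # a source with no events for longer than this is not feeding the hunt


@dataclass
class LogSource:
    name: str
    time_source: str      # assumed field: e.g. "ntp:time.internal" or "local-clock"
    retention_days: int   # assumed field: configured retention for this source
    world_readable: bool  # assumed field: True if unauthorised users can read the store
    newest_event: date    # assumed field: timestamp of the most recent event ingested


def check_log_readiness(sources, today):
    """Return a list of human-readable findings; an empty list means ready to hunt."""
    findings = []

    # 1. Every required source is actually being collected.
    present = {s.name for s in sources}
    for missing in sorted(REQUIRED_SOURCES - present):
        findings.append(f"{missing}: not collected")

    # 2. All sources share one time source, otherwise cross-log timelines do not line up.
    time_sources = {s.time_source for s in sources}
    if len(time_sources) > 1:
        findings.append(f"inconsistent time sources: {sorted(time_sources)}")

    # 3. Per-source retention, access protection and freshness.
    for s in sources:
        if s.retention_days < MIN_RETENTION_DAYS:
            findings.append(f"{s.name}: retention {s.retention_days} days < {MIN_RETENTION_DAYS}")
        if s.world_readable:
            findings.append(f"{s.name}: readable by unauthorised users (world-readable)")
        stale_days = (today - s.newest_event).days
        if stale_days > MAX_STALE_DAYS:
            findings.append(f"{s.name}: no events for {stale_days} days (last {s.newest_event})")
    return findings


# Constructed inventory: one missing source, one short retention,
# one world-readable store on a local clock that stopped shipping before the holidays.
INVENTORY = [
    LogSource("firewall", "ntp:time.internal", 400, False, date(2025, 1, 6)),
    LogSource("dns", "ntp:time.internal", 90, False, date(2025, 1, 6)),
    LogSource("web_proxy", "local-clock", 400, True, date(2024, 12, 19)),
    LogSource("access", "ntp:time.internal", 400, False, date(2025, 1, 6)),
]
TODAY = date(2025, 1, 6)  # constructed "first day back" date

if __name__ == "__main__":
    for finding in check_log_readiness(INVENTORY, TODAY):
        print(finding)
```

Run it as the first step of the hunt; any finding is a gap in the evidence the hunt will rely on, and the stale web-proxy source in the sample is exactly the kind of silent failure that starts during a holiday change freeze and goes unnoticed by a skeleton crew.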

While some legislation in the region only requires a threat hunt or a compromise assessment every year or so, organisations would be well served to complete a threat-hunting exercise annually following the holidays. Any cybersecurity risks identified during the exercise should be fed into the organisation's cybersecurity risk assessments so that each finding is assessed, mitigated, and tracked. Additionally, each finding should be investigated to determine whether an incident already took place in the past.

Threat Hunting in Practice

While the concept of threat hunting seems reasonable, it is quite challenging to do in practice. Hunting across various security technologies and disparate log data is difficult, which is why XDR vendors can offer a much more efficient approach: the collected endpoint data includes all network connections, file events, and registry events. This creates a rich hunting ground for proactively identifying hidden threats, risks, and vulnerabilities, and empowers your team to mitigate the risks that degrade your security posture before they are exploited.
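To make the "rich hunting ground" concrete, here is an added example (not from the original article, and not SentinelOne or WatchTower code) of one hunt hypothesis run over the three event types the paragraph names. The hypothesis follows the article's opening scenario: persistence planted during the holiday window that stays latent and only makes its first outbound connection after staff return. The hunt keeps autorun entries created inside the window, discards those that exist on many hosts (common software), and joins the survivors to any later network connection by the same image. The event schema (`kind`, `key`, `value`, `image`, `dest`), the holiday window dates and all telemetry below are constructed assumptions; the rarity threshold is a tunable, not a standard.

```python
"""Hunt for holiday-planted, later-activated persistence (added example; constructed telemetry)."""
from collections import defaultdict
from datetime import datetime

# Constructed holiday window: adjust to the real change-freeze dates.
WINDOW_START = datetime(2024, 12, 20)
WINDOW_END = datetime(2025, 1, 6)
RARE_THRESHOLD = 2  # an autorun entry present on <= this many hosts is "rare" (assumed tunable)

AUTORUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"


def ev(ts, host, kind, **fields):
    """Build one flat endpoint event; the schema is an assumption, not a vendor format."""
    return {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, **fields}


# Constructed sample telemetry: SyncTool is common software (three hosts, one of them
# installed during the holidays); "Updater" on WS-01 is dropped and registered in the window
# and first calls out two weeks later.
EVENTS = [
    ev("2024-11-02T09:00:00", "WS-03", "registry_set", key=AUTORUN_KEY, value="SyncTool",
       image=r"C:\Program Files\SyncTool\sync.exe"),
    ev("2024-11-02T09:00:00", "WS-04", "registry_set", key=AUTORUN_KEY, value="SyncTool",
       image=r"C:\Program Files\SyncTool\sync.exe"),
    ev("2024-12-23T14:10:00", "WS-02", "registry_set", key=AUTORUN_KEY, value="SyncTool",
       image=r"C:\Program Files\SyncTool\sync.exe"),
    ev("2024-12-24T03:12:00", "WS-01", "file_create", path=r"C:\Users\jdoe\AppData\Local\Temp\upd.exe"),
    ev("2024-12-24T03:12:05", "WS-01", "registry_set", key=AUTORUN_KEY, value="Updater",
       image=r"C:\Users\jdoe\AppData\Local\Temp\upd.exe"),
    ev("2025-01-14T08:01:00", "WS-01", "network_connect",
       image=r"C:\Users\jdoe\AppData\Local\Temp\upd.exe", dest="203.0.113.7:443"),
    ev("2025-01-14T08:05:00", "WS-02", "network_connect",
       image=r"C:\Program Files\SyncTool\sync.exe", dest="198.51.100.20:443"),
]


def hunt_latent_persistence(events, start=WINDOW_START, end=WINDOW_END, rare=RARE_THRESHOLD):
    """Return rare autorun entries created in [start, end], with their first outbound after end."""
    autoruns = [e for e in events if e["kind"] == "registry_set" and e["key"].endswith("\\Run")]

    # Fleet prevalence: how many distinct hosts carry the same (value, image) at any time.
    hosts_by_entry = defaultdict(set)
    for e in autoruns:
        hosts_by_entry[(e["value"], e["image"])].add(e["host"])

    # File events: executables written during the window, keyed by (host, path).
    dropped_in_window = {(e["host"], e["path"]) for e in events
                         if e["kind"] == "file_create" and start <= e["ts"] <= end}

    # Network events after the window, keyed by (host, image), in time order.
    later_conns = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["kind"] == "network_connect" and e["ts"] > end:
            later_conns[(e["host"], e["image"])].append(e)

    findings = []
    for e in autoruns:
        if not (start <= e["ts"] <= end):
            continue  # only persistence planted during the holiday window
        prevalence = len(hosts_by_entry[(e["value"], e["image"])])
        if prevalence > rare:
            continue  # widespread across the fleet, most likely legitimate software
        conns = later_conns.get((e["host"], e["image"]), [])
        findings.append({
            "host": e["host"], "value": e["value"], "image": e["image"],
            "planted": e["ts"].isoformat(), "prevalence": prevalence,
            "dropped_in_window": (e["host"], e["image"]) in dropped_in_window,
            "first_outbound_after_window": conns[0]["ts"].isoformat() if conns else None,
            "dest": conns[0]["dest"] if conns else None,
        })
    # Entries that already called out come first; they are the ones to triage today.
    return sorted(findings, key=lambda f: (f["first_outbound_after_window"] is None, f["host"]))


if __name__ == "__main__":
    for f in hunt_latent_persistence(EVENTS):
        print(f)
```

The prevalence filter is what keeps this from drowning in noise: a December installation of common software is expected, while a one-host autorun entry under a user's Temp directory that stays quiet until mid-January is a lead worth a full investigation, including checking whether any incident already occurred, as the earlier section recommends.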

However, even with access to this vast collection of data, without automation and AI, it is still challenging to hunt effectively without a full-time team of threat intelligence experts, malware reverse engineers, hunters, and investigators. For this reason, cybersecurity vendors offer a threat hunting/compromise assessment service. For example, some cybersecurity vendors provide expert hunters that will leverage their proprietary hunting methodology and intelligence enrichment to hunt your global environment and provide a prioritised roadmap of identified threats and risks with mitigation guidance for every finding.

Benefits of Threat Hunting

Threat hunting allows security teams to proactively get ahead of the latest threats by hunting for malicious activity. It helps to improve a company’s true risk posture and prevent any number of cyber incidents from progressing into full-blown attacks. When threat-hunting activities are complete, they provide confidence and peace of mind to security teams who no longer need to worry about latent threats hiding within the network.

Strengthening Your Security Posture

Threat hunting is an important element in building up an organisation’s security posture. However, for organisations to stay safe, they need to ensure they have the right tools and processes in place to conduct the hunt. Otherwise, they may pass over a threat that is hiding in plain sight.


