Insight by Booz Allen

‘There’s no reason to wait to begin threat hunting,’ so here are 4 ways to get started

This content is sponsored by Booz Allen.

Senior U.S. officials are strongly urging organizations to upgrade their cybersecurity postures and prepare for possible disruptive cyberattacks. One way for nearly every agency to improve its cyber defenses is to engage in proactive and continuous threat hunting.

“There’s no reason to wait to begin threat hunting,” said Mike Saxton, director of federal threat hunt and digital forensics and incident response at Booz Allen. “Threat hunting doesn’t need a perfect environment. It isn’t a state that you achieve and then you conduct it; you can do threat hunting at any time. And the sooner agencies begin, the better they’ll understand how it fits into their overall strategy. And they’ll be able to have better insight into the environment and their security posture.”

Every agency is going to have a different approach to threat hunting, based on its needs and organizational structure. But across every environment, proactivity is the key to doing it well. That means not just proactively monitoring and hunting on the network, but also collaborating with multiple organizations to share threat intelligence, indicators and observations.

“That element of distribution serves to empower the others. If you go back a number of years, when the defense industrial base came to face the fact that it had a notable foreign presence on the network, the large defense contractors began to work together cooperatively to share a lot of this information,” said Brett Scarborough, portfolio growth principal for Booz Allen’s National Cyber platform. “And eventually that matured into more formalized constructs with federal and industry participants: the Defense Collaborative Information Sharing Environment, and now the Joint Cyber Defense Collaborative. We’re seeing that evolve today with CISA really taking a leadership role in trying to pull a broader community together outside of the DIB to do many of the same things.”

Threat hunting in its current form is a maturation of security operations programs. But security operations teams suffer from a combination of alert fatigue, high turnover, ill-defined case status and a lack of time to correlate intelligence. Because adversaries are constantly penetrating networks, security operations teams spend all their time on day-to-day defense and rarely get the opportunity or the time to explore anything deeper.

Threat hunting arose out of that situation. When threat hunters conduct a mission and surface something, they have two options: hand the finding off to the already overworked security operations team, or gather more data themselves. That is where threat intelligence, digital forensics and incident response come in; they put a few more tools in the threat hunter's toolbox, and the more data hunters have, the better they can perform in future missions. Booz Allen reports that, as a result, its Federal Threat Hunt Team sees an average true-positive rate of about 80%, versus roughly 30% for SOC teams, because hunters can focus on a specific investigation rather than on defending against the immediate threat.

“At the end of your hunt mission, you can have the ability to collect all of your data into one location. And that gets you to a certain point, but it may not close out the hunt or the case,” said Saxton. “Traditionally, the data that you need to finish out that case may not be, and most likely usually never is, the data that is currently coming into your security information and event management (SIEM) tool. So if you conduct a threat hunt on a data lake or within your SIEM, and it tells you that something bad has happened, sometimes you may need to reach down into that device or system. EDRs are a great way that you can then go out and begin doing things like dumping memory or displaying all running processes.”

That’s why Saxton says true threat hunting is bidirectional. It’s not just about bringing more data to the analyst. It’s about giving the analyst better access to the endpoints to further their hunt mission.

Because threat hunting is largely intelligence driven, the output of those digital forensics tools needs to be correlated with the intelligence being shared. A good threat hunting platform brings together all the available data and distills it down to what is actually being seen on the network. One piece of intelligence can narrow billions of events to millions, the next narrows those to thousands, and so on, until there is a lead worth pursuing. The best threat intelligence is the intelligence generated from one's own environment and correlated with other security operations data.
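As an added illustration, not code from this article or from any Booz Allen platform, the following Python sketches the narrowing funnel described above over constructed telemetry. A shared indicator feed (the kind of intelligence partners distribute) discards every process event that does not touch a known-bad domain or file hash, and long-tail stacking of parent/child process pairs surfaces whatever is rare in this particular environment, which is the "intelligence generated from one's own environment" the paragraph refers to. The events, hostnames, hashes, domains and indicator feed are all invented for the example.

```python
"""Intel-driven hunt funnel: narrow SIEM-style telemetry to per-host leads.

All data below is constructed for illustration; nothing is real telemetry.
"""
import json
from collections import Counter, defaultdict

# Constructed process-creation events as a SIEM or data lake might hold them.
# 'dst' is the domain or IP the process contacted, None if it made no connection.
EVENTS = [
    {"host": "ws01", "user": "alice", "parent": "explorer.exe", "image": "outlook.exe",    "sha256": "aaa1", "dst": "mail.example.gov"},
    {"host": "ws02", "user": "bob",   "parent": "explorer.exe", "image": "outlook.exe",    "sha256": "aaa1", "dst": "mail.example.gov"},
    {"host": "ws03", "user": "carol", "parent": "explorer.exe", "image": "outlook.exe",    "sha256": "aaa1", "dst": "cdn.badhost.test"},
    {"host": "ws01", "user": "alice", "parent": "outlook.exe",  "image": "winword.exe",    "sha256": "bbb2", "dst": None},
    {"host": "ws02", "user": "bob",   "parent": "outlook.exe",  "image": "winword.exe",    "sha256": "bbb2", "dst": None},
    {"host": "ws04", "user": "dave",  "parent": "winword.exe",  "image": "powershell.exe", "sha256": "ccc3", "dst": "cdn.badhost.test"},
    {"host": "ws05", "user": "erin",  "parent": "services.exe", "image": "svchost.exe",    "sha256": "ddd4", "dst": None},
    {"host": "ws06", "user": "frank", "parent": "services.exe", "image": "svchost.exe",    "sha256": "ddd4", "dst": None},
    {"host": "ws07", "user": "grace", "parent": "services.exe", "image": "svchost.exe",    "sha256": "ddd4", "dst": None},
    {"host": "ws07", "user": "grace", "parent": "svchost.exe",  "image": "rundll32.exe",   "sha256": "eee5", "dst": "198.51.100.7"},
]

# Constructed external indicator feed, as a partner might share it.
IOCS = {"domains": {"cdn.badhost.test"}, "sha256": {"ccc3"}}


def match_iocs(events, iocs):
    """Stage 1: keep only events that touch a shared indicator (domain or hash)."""
    return [e for e in events
            if e["dst"] in iocs["domains"] or e["sha256"] in iocs["sha256"]]


def stack_rare(events, max_count=1):
    """Stage 2: long-tail analysis, i.e. intelligence from one's own environment.

    Count each (parent, image) pair across the fleet and return the events whose
    pair occurs at most max_count times. What is common is probably benign; what
    is rare deserves a look, whether or not any external feed knows about it.
    """
    counts = Counter((e["parent"], e["image"]) for e in events)
    return [e for e in events if counts[(e["parent"], e["image"])] <= max_count]


def build_leads(events, iocs, max_count=1):
    """Stage 3: merge both narrowings into per-host leads.

    Each lead records why it surfaced, so the hunter knows what to pull from the
    endpoint (memory, process list) when reaching down through EDR.
    """
    leads = defaultdict(set)
    for e in match_iocs(events, iocs):
        if e["dst"] in iocs["domains"]:
            leads[e["host"]].add("ioc-domain:" + e["dst"])
        if e["sha256"] in iocs["sha256"]:
            leads[e["host"]].add("ioc-hash:" + e["sha256"])
    for e in stack_rare(events, max_count):
        leads[e["host"]].add(f"rare:{e['parent']}>{e['image']}")
    return {host: sorted(reasons) for host, reasons in sorted(leads.items())}


if __name__ == "__main__":
    # Ten events in, three hosts out; ws07 surfaces only because of stacking,
    # since no indicator in the feed covers its rundll32 child of svchost.
    print(json.dumps(build_leads(EVENTS, IOCS), indent=2))
```

The per-host output is the pivot list for the bidirectional step Saxton describes: the SIEM-side funnel produces hosts worth reaching down to, and the reasons attached to each host tell the analyst which EDR artifacts to collect first. Note that ws07 would be invisible to a purely indicator-driven hunt; stacking is what turns the agency's own baseline into intelligence.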

To scale threat hunting across the federal government, there are four initial steps agencies can take. First, agency CISOs or security leads should identify an area to investigate further; in daily operations, SOC teams are so focused on the immediate threat that in-depth investigations rarely get started. Second, once a topic has been agreed upon, the organization should devote a small team to determining the coordination capabilities, intelligence sources and data analytics specific to that topic. Third, it should deploy pilot capabilities and connect them to those intelligence sources and analytics; automation can help facilitate those connections. Finally, once the pilots begin hunting, officials can use the lessons learned from them to build a distributed threat-hunting capability across the federal government, with the Cybersecurity and Infrastructure Security Agency coordinating those efforts centrally.

“Similar to other technical fields, anybody can kind of jump in at a maturity level, and take some time to really begin to explore doing it,” Saxton said. “It’s not about the tools you have in place, it’s not about the capabilities that you may have, it’s really about just setting time aside to conduct some focused approaches to diving a little deeper down than the alerts the SOC is receiving. But also taking some of that threat intelligence we talked about and putting it all to good use.”

Copyright © 2024 Federal News Network. All rights reserved.