We’re Going on a Threat Hunt: Why enterprise cybersecurity reminds me of a classic children’s book

1561

For more than 25 years Michael Rosen’s charming story “We’re Going on a Bear Hunt” has captured the imaginations of millions, transporting readers on an adventure to “catch a big one” while overcoming a series of challenges along the way.

With new threats encountered at every turn, this epic childhood quest is not too dissimilar from the undertaking most organisations face when hunting down cyber threats in a modern IT environment.

Let’s go on a threat hunt!

We’re going to catch a big one

Not all enterprise threats are going to be big. In fact, lots of smaller issues, if unaddressed, can add up to the infosec equivalent to the Death of a Thousand Cuts, with attackers chaining together many vulnerabilities to achieve their goals.

Being fixated on the big logoed vulnerabilities talked about in the media means you will always be on the defensive. To regain the upper hand, organisations need to focus on the little things, like practicing sound security fundamentals, while at the same time transforming their security model from one based on playing defence to a proactive one based on comprehensive security assurance.

Long wavy grass

Trying to push through the tall grass is akin to security teams expending time, energy and resources on reactive measures that do not actively improve their organisation’s security program.  Being caught in the “cyber weeds” can become overwhelming and can leave the security team feeling as if they’re continuously in crisis mode with no clear context or visible solution. In fact, a study sponsored by Tenable Network Security last year, found that security practitioners felt overwhelmed by the scale of the threat environment, citing it as one of the major challenges they faced.

Without a clear view or direction, getting out of this vicious cycle often feels insurmountable.

A deep cold river           

While you can see what’s on the surface of a moving river, there is the likelihood of unseen creatures swimming below.

Similarly organisations often struggle to see what’s hidden in the deep flow of information moving about the enterprise. How do you make sense of all the security data coming your way to find the signal in the noise?

Without a continuous view of what lies beneath,  breaches could be drifting past undetected and the smallest of rocks quickly become a trip hazard.

Thick oozy mud

Just like the story adventurers get bogged down in sticky mud, so too can the enterprise if it doesn’t keep advancing.

Organisations will often rely on periodic scanning to identify system vulnerabilities but this can lead to lengthy delays in reaction times and reduced visibility. Without the proper context it can be a challenge to determine the difference between muddy and solid ground. Rather than sinking further into the quagmire, organisations need to discover in real-time where the dangerous terrain lies, with the context necessary to correctly prioritises weaknesses, take action and ultimately, steer clear of sticky situations.

A big dark forest        

Can’t see the wood for the trees” is a popular saying when someone is struggling to see and think about a problem or situation holistically. For IT professionals, it can be a challenge to communicate the status of their security program in a way that is easily understood by the board and C-level executives, especially with competing issues vying for their attention. CISOs can help focus attention by reporting the security metrics and risks with commercial scenarios and the proper business language that illuminates the dangers in a way the board not only understands, but will react to.

A snowstorm   

Snow storms are usually relentless, with snow piling up fast making it hard to keep everything clear, especially the roads. If road crews let the snow settle, then they have to shift it, but it is possible to keep critical networks clear and roads safe by proactively salting to dissolve the snow on impact.

Similarly, businesses need to focus on what’s important in the environment, and how to protect it, rather than every snowflake that may fall. Proactive cybersecurity measures can maintain a smooth network operation, and prevent malicious threats from accumulating and crippling the security program. Patching a vulnerability in Flash or other popular plugin targeted by exploit kit authors is far more effective than trying to detect malware once it’s landed.

A narrow gloomy cave  

Entering a dark place without knowing what lies deep within can be extremely daunting, and illuminating every corner is not always possible, even with the most powerful torch. The same can be said for enterprises facing perimeter erosion from shadow IT, particularly with transient devices and rogue cloud applications that connect to the network without the knowledge or control of the IT security team.

It’s impossible to defend assets if they’re undetected, but even identifying their existence doesn’t immediately neutralise the risk. Having ways to identify and control assets beyond the organisation’s perimeter is of paramount importance.

It’s a bear         

Having discovered the bear in the original story, the expedition is quickly spooked and runs away.

However, running away from security threats isn’t an option for today’s modern enterprise. That’s why it is critical for an organisation to devise a plan that deals with the inevitability of discovered threats and prioritises the most efficient and effective path forward.  To help them get started with their “Enterprise Threat Hunt,” here are six tips from Tenable Network Security:

  • If you cut the grass then you don’t have to go through it, and fixing the problems that cause the most issues will reduce the volume of alerts.
  • Like a radar, use threat feeds and continuous network monitoring to look for hazards and identify objects below the surface of the information river flowing around the enterprise.
  • Deploy real-time awareness to quickly prioritise dangers and take action to avoid becoming stuck in the mud with limited visibility and lack of context.
  • Build effective communications and goals between the security team and the board that will help drive the business in the direction of a secure future.
  • So you can ‘salt’ effectively, networks should be cleared by ensuring defunct systems and unused credentials are removed. Archive old data, patch easily exploitable vulnerabilities and decommission outdated applications so resources can be focused on the critical routes, rather than alleys and gutters.
  • Finally, illuminate all the nooks and crannies in the enterprise with continuous visibility so nothing can hide.

From an enterprise perspective, a threat hunt is an epic journey of discovery. By tackling the biggest failings first to help give a clearer view, placing defensive controls in the areas that hurt specific attackers the most, and taking decisive action around what matters most will stop the desire to turn tail and run away when a threat is discovered.

Good luck hunting.

About Gavin Millard
Gavin-MillardGavin Millard, Technical Director EMEA, Tenable Network Security
Gavin is a trained, ethical hacker who works with medium and large enterprises to address their cybersecurity challenges. With a deep understanding of how attackers plot a breach, he helps bring these companies to a trusted state of IT infrastructure. He previously worked as the Europe, Middle East and Africa (EMEA) technical director for Tripwire. He has also spoken frequently on data integrity, hacking and other key security topics. Current Position: As Technical Director, EMEA, Gavin is involved with the major clients in the EMEA region, helping to manage and reduce their attack surface.
In this article