Threat actors are continually developing new ways to steal data, disrupt businesses, and create reputational damage. CSO Online covered seven potential cybersecurity trends for 2018, including AI-powered attacks, sandbox-evading malware, ransomware and IoT, a rise in state-sponsored attacks, the adoption of more sophisticated security technologies, emerging standards for multi-factor authentication, and a string of companies that will fail to comply with GDPR regulations. Under such circumstances, organizations must improve their prevention mechanisms against never-before-seen attacks and reduce the time needed to detect resident adversaries. Organizations, especially those in the financial sector, will want military-grade capabilities to anticipate threats, pinpoint money laundering, and prevent banking fraud. For this to be done effectively, enterprises need to integrate threat-hunting solutions alongside their already-deployed security systems such as SIEM and antivirus products. According to a 2018 Threat Hunting Report published by IBM Security, 40% of organizations across the globe are increasingly using threat-hunting platforms. Threat hunting as a tactic is quickly gaining popularity, and enterprises are marshaling resources to make the switch from reactive to proactive defense tactics. In the following sections, we will explore the essential attributes of threat-hunting solutions and discuss some reliable products.

What Are the 4 Most Important Attributes of Threat Hunting Solutions?

Adversaries are increasing their number of targets significantly faster than organizations can respond. Even current threat-hunting solutions are unable to provide 100% security. However, your organization should look for a reliable and effective threat-hunting solution that has the following crucial attributes:

Stealth

If an adversary successfully discovers your corporate security controls, they will either tamper with them, disable them, or simply alter the attack plans to avoid detection. Threat-hunting solutions need to be equally stealthy, hiding their presence from the enemy. Doing so can trick adversaries into believing that they’re working unopposed, so they’ll take fewer precautions and get themselves caught.

Enterprise Integration

Your threat-hunting solution must be integrated with the other security solutions in your enterprise. Integration with existing security investments is also vital to maximizing your Return On Investment (ROI) for threat-hunting solutions. For example, if your hunting solution is properly integrated with a SIEM system, it can instruct the SIEM to enforce remediation actions such as changing firewall rulesets or adding IPS signatures. SIEM integration also enables analysts to use hunt data when they search for potential security incidents.

Automation

Automation of threat-hunting solutions plays a crucial part in the productivity and effectiveness of security analysts. With automation, threat hunters no longer have to perform the most demanding parts of the hunt, such as analyzing the data collected during it, by hand. Enterprises must automate hunt capabilities as much as possible through the use of hunt technologies. Companies can also develop software, scripts and other supporting components to provide additional automation and to interface hunt technologies with other tools and functions.

Scalability

Your hunt solution should not be limited to current requirements and IT systems. With the passage of time, new technologies emerge and previous requirements change accordingly. Therefore, your threat-hunting solution must be scalable enough to accommodate such change, for example by supporting all of the enterprise's new IT assets.

The following sections illustrate some top threat-hunting solutions currently available.

Sqrrl Threat-Hunting Platform: Sqrrl Enterprise

The Sqrrl threat-hunting platform allows organizations to target, hunt, disrupt and investigate advanced cyberthreats. The Sqrrl solution detects adversaries’ behavior through the use of machine learning, peer-group analysis and behavioral baselining. In addition, it identifies threat actor tactics, techniques and procedures (TTPs). Sqrrl includes an incident response (IR) feature through which security practitioners can investigate the impact, scope and root cause of an incident. A noteworthy weapon in the Sqrrl arsenal is an interactive visualization tool called a behavior graph. The graph automatically identifies and examines inherent links or connections in data, evaluating their context and deriving new insights for end users to interpret. Through the use of Sqrrl’s profiles, reports and risk scores, security analysts can analyze risks and explore new angles to enhance their automated solutions, which can be beneficial for less experienced hunters. John Breeden II at Computerworld wrote that the Sqrrl threat-hunting solution is a great tool for hunting hidden threats inside the corporate network, but noted that some of Sqrrl’s readings might be a bit too subtle for inexperienced hunters to notice.

IBM i2 Enterprise Analysis

IBM i2 Enterprise Analysis provides threat hunters and analysts with a set of specific tools to detect, disrupt and defeat advanced threats. It is designed to gain actionable intelligence, unearth hidden connections with visual displays, and accelerate data to the point of decision. Analysts can also interpret terabytes of data from numerous sources including audio, video, email, social media and databases with near real-time analytics. This solution offers several resources, including portal analytics and CDW.

Cb Response

Cb Response is built specifically for organizations’ security operations centers (SOCs) and incident response (IR) teams. Unlike other solutions, this platform performs unfiltered data gathering and captures more information about endpoint events. Cb Response’s Collective Defense Cloud tool offers threat intelligence and classification capabilities, drawing on the vendor's own research and on third-party OEMs. It crunches large amounts of data related to threats, attacks, changes and behaviors in order to identify malicious activity. It’s worth noting that a review at Gartner reveals that Cb Response is very complex: analyzing its results can be a daunting task unless the user is an experienced analyst. It integrates easily with other tools through its APIs.

ENDGAME

Endgame is a threat-hunting solution that eliminates the protection gap by preventing sophisticated attacks at the earliest stages of the threat chain. It is one of the oldest threat-hunting tools on the market, and the experience of the company shows in the power of the tools it offers. Unlike some hunting tools, which make their presence known to potential attackers as a deterrent (comparable to putting the home security company’s logo on your lawn), Endgame uses APT-like stealth techniques so attackers don’t know they’re being watched. Computerworld notes that security analysts must change the way they normally think in order to deploy the Sqrrl and Endgame solutions properly. These tools aren’t passively reacting to alerts generated by a SIEM, but aggressively hunting through their own networks to root out undetected malware and Advanced Persistent Threats (APTs). Endgame may provide a good way for mid-sized companies to bring a relatively inexperienced threat-hunting department up to speed.

Conclusion

Threat actors are continually developing new ways to compromise corporate networks, create compliance issues and cause damage. To prevent these attacks, enterprises must deploy threat-hunting solutions in addition to other common information security solutions such as SIEM, SOC, firewalls and IDS. Threat-hunting solutions not only detect attacks, but also pursue them before they inflict damage on your organization.

Sources

7 cybersecurity trends to watch out for in 2018, CSO Online
Review: Threat hunting turns the tables on attackers, Computerworld