How To Properly Define A Threat Hunting Operation

In cyber security, the definition is highly inconsistent from one environment to the next

Add bookmark

Julian Waits was the guest on episode #88 of Task Force 7 Radio to talk with Host George Rettas, president and CEO of Task Force 7 Radio and Task Force 7 Technologies, about how to properly define a threat hunting operation. He also told the audience what he thinks is the biggest problem in cyber security today, he opined on where insider threat operations should lie in the IS organization, and if more data is always better when it comes to predictive analytics.

Rettas also asked Waits how important it is for an analyst to be able to visualize data in order to process it in real time, how next generation security tools go about prioritization, if it is really feasible to achieve real-time identification and mitigation of cyber threats, and if scalability continues to be one of the biggest problems for tooling in large organizations. The duo also tackled the issue of centralizing the data analytics efforts of the AML, fraud, and security domains.

Diversity In Cyber Security

Rettas dove right into the first segment asking Waits about the biggest problem in cyber security right now. Last episode, CNBC Cyber Security Reporter Kate Fazzini said the biggest problem is communication. But according to Waits, “for me that one's pretty simple, George. It's people. Meaning, the way that the internet has evolved over time has gone from mainframes to everything being available on our endpoint devices whether it's our iPhone or Android or our laptop, the issue becomes being compromised is just a reality that's going to happen, and with so much data rushing into your network there's not enough programs, applications to keep up with it. The only thing you can have to deploy against this is people, and there are just not enough people in the industry, certainly not on the side where we're fighting the attackers.”

Waits explained that until we as a nation, or as a populace, really take this seriously, there will be a talent shortage — not because there aren’t talented people out there, but it exists because there’s a lack of awareness. Cyber security is one of those disciplines where everybody thinks is too difficult and complicated. “Until we change our attitude, the problem’s not going to get any better,” he said.

Agility And Speed In Cyber Security Operations

Rettas next asked, “How important is speed in the security operation in your mind?” Waits said that speed is critical. “It takes seconds to be compromised and it can take months, a year or more to find out, how material that compromise is to your business, and so you've got to be able to move in seconds. It's your reputation, it's your business, from an interruption perspective, it's everything. Speed is everything in the hunt,” Waits added.

The insider threat is probably one of the top material risk of any firm out there probably across the industry, but where does that belong in the whole operation space? Should it be its own stand-alone team or should it be integrated into the SOC?

Waits said that insider threat is a team exercise. Most employees go to work every day wanting to do the right thing, support their businesses and help the company grow – and take care of themselves in the process. “Sometimes insider threat is not even the employee realizing that they created the threat, they made a mistake, they clicked something that they shouldn't have, and all of a sudden now their identity has been hijacked by a set of attackers, and so if you don't have the SOC in other components of the organizations, even HR for that matter, right, participating in the process, you lose and the bad guys win,” Waits said.

He added, “I think it absolutely has to be a component of a security operation center. Silly to think of it... if your security operations center is your centralized area for where all of your events are coming in, not having insider threat as a component of the things that the SOC is monitoring and attempting to go after is crazy. At the same time, other organizations like human resources and that is half that participate in that process because insider threat, like I said, it becomes very complicated because when is it no longer insider threat and an outside attacker that's hijacked an identity in the enterprise.”

Is More Data Always Better?

When it comes to predictive analytics, Rettas wondered if more data is always better. According to Waits, there are infinite amounts of data. But, people need to start with what are the assets or things within their environment and about their people that are most important to the business.

Since companies know they can’t stop a breach from occurring, they have to ask what’s most important to the business. “If I'm a retailer man, that POS database, the personally identifiable information about my customers, their credit card information, that's the thing that's most important, and while there may be a hundred ways to get there, how do I lock that down and the data about that stuff, if I'm a retailer is the most important data that I need to protect,” said Waits.

Waits offered a personal example: “I was a Wells Fargo customer. There are no Wells Fargo banks in Malta just for the record, and I get an email from Wells Fargo saying, hey, you've been compromised due to the target breach. Even though I live on the East coast somebody had just purchased three big screen televisions in LA and they cut my ATM card off and my credit cards off. The next thing I'm borrowing cash from a friend in Malta because I didn't have my credit card. I would tell you that more data just for data's sake is stupid in my mind: More data around the things that are critical to your business — go for it.”

The Definition Of Threat Hunting

According to Waits, the definition of threat hunting is highly inconsistent from environment to the next. “First we've got to define what threat hunting is. I love when I go to trade shows to speak on security panels and vendors claim to be threat hunting vendors. It's not a vendor, it's not a product. It is a freaking process,” Waits asserts. “The reason it [threat hunting] exists is because of the fact that we all know the breaches will get in. It's not a question of whether we've been compromised. It's a question of how material is the compromise in my environment, and of course materiality is a major component of speed as you discussed earlier. The faster I can find a breach hopefully the better I am at minimizing its impact on my business, on my customers, on my reputation and so on.”

To Waits, threat hunting is a proactive exercise to go after a reactive problem of cyber breaches and the processes to me that are necessary for threat hunting. Again, they should start with business impact analysis. “While I want to catch every threat, I'm not going to catch every threat. There's not enough data. There's not enough speed. There's not enough people. I'm not going to catch every threat. If I'm going to have one, I need to threat hunt with a purpose. What are those anomalous things that I'm looking for in my environment that impact, again, those assets, those applications, and those people that are most important to my business.”

Waits continued, “Threat hunting to me it's ... you're looking for anomalous behaviors either by machine accounts, again, if I have a dummy user address or administrative user address for critical databases in my environment that have critical data, I definitely want to look at those ... look at activity by those identities in my environment and look for weird things that are happening, anomalous things happening in my environment and threat hunting is a component of it and it's both people and it is applications participating together in the process. Matter of fact, I would tell you it is applications enabling people to do it properly.”

The ‘Task Force 7 Radio’ recap is a weekly feature on Cyber Security Hub. To listen to this and past episodes, click here.

Read the previous week’s TF 7 recap: “The Biggest Problem In Cyber Security Right Now


RECOMMENDED