Threat Hunting – Is your security stance proactive or reactive?

Threat hunting starts with the assumption that bad actors have already breached perimeter defences and are operating inside the environment. The goal is to proactively detect malicious activity by forming hypotheses about how attackers may have penetrated defences, which systems are compromised, and what data they may have accessed.

The challenge of hunting bad actors, insider threats, and advanced persistent threats within an enterprise has increased exponentially as the IT landscape moves away from traditional datacenters and application architectures and towards hybrid and distributed environments comprised of highly virtualised and containerised assets. The sophistication of bad actors has also increased, reducing the security value and timeliness of self-reported data such as logs, SNMP, and NetFlow metrics.

Security practitioners appreciate the idea of seeking out active threats instead of waiting until notified, but few organizations are being as proactive as they would like. In a 2018 survey of 461 cybersecurity professionals, Crowd Research Partners found that respondents spent much more time (60 percent of time) reactively investigating security incidents through activities such as alert triage than they spent proactively seeking out threats (only 40 percent of time). The same survey said that only 24% felt enough time was spent searching for emerging and advanced threats.

Early industry feedback on Threat Hunting is encouraging, with a vast majority (88 percent) of respondents reporting reduced dwell time (the period from initial infection to detection) as a result of their threat hunting efforts.

With ExtraHop automatically discovering, classifying, and monitoring active network assets, the resulting real-time analysis of all transactions on the network (data-in-motion) provides Cyber Protection Teams (CPTs) with frictionless access to what matters: a high-fidelity dataset that would otherwise require stitching together of multiple low-fidelity data sources and manual hunting for evidence.

Machine learning performing behavioural analysis on critical assets provides further advantages, approximating advanced hunting expertise and business insights to direct attention to subtle and sophisticated attack activities. When evaluating platforms for CPTs, it is important to consider the following:

• Does this solution make it easy to collect low-noise, relevant data and highlight meaningful anomalies?
• How easy is it to search through data, derive insight from it, and rapidly act on that insight?
• How easy is integration with existing security workflow and orchestration platforms?
• What impact will this capability have on time-to-detection and time-to-resolution?
• What kind of breadth and depth of information does this solution offer?
• How easy is this platform to deploy and what impact will it have on the environment?

The ExtraHop Reveal(x) platform is purpose-built to address all of these considerations, and greatly increases the level of visibility and effectiveness of Cyber Protection Teams.

By using ExtraHop as an automated or real-time threat hunting platform, you can dramatically increase the depth and breadth of visibility while decreasing the amount of time and effort needed to derive actionable intelligence.