InfoSec Insider

The 4 Critical Building Blocks for Digital Threat Hunting

Having the right set of broad data is the linchpin to effective threat-hunting.

There was a time when no one could predict the weather – the only way you knew if a blizzard or heat wave was coming was by observing the snowflakes start to fall or the heat inch towards the unbearable. That changed when technology was developed to help people anticipate and prepare for extreme weather conditions – though it took a while to adopt.

We are in a similar moment with cybersecurity; we now have technology to help businesses prepare for what’s coming. And unlike with, say, hurricanes, you can do more than just prepare. You can prevent potentially catastrophic situations from happening altogether.

Whatever your industry, you should assume that your company’s data is at risk. That’s not cynicism; it’s the reality of life in the digital age, just like extreme weather is a fact of living on Earth. But accepting that reality doesn’t mean succumbing to the inevitability of being hacked. Understanding that your data is at risk is the first step toward securing your company’s (and your customers’) information.

Four best practices can help you establish a digital threat-hunting process that will make your business stronger, more secure and more adaptable as risks evolve.

Up to this point, most companies have spent 90 percent of their security budgets protecting their perimeters, according to our data. Perimeter defense is still important, but cyber-threats have taken on many different shapes as the internet has grown up – and the business perimeter is no longer the only place to take a stand in protecting an organization. The explosion of social-media platforms, connected things, e-commerce, mobile devices and cryptocurrency has created dynamic new attack surfaces, and the number of risks is on the rise.

Your business’s attack surface includes everything you own on the web, whether you know about it or not. This includes your corporate website, marketing websites, cloud-services accounts, mobile apps and web servers – and it’s all discoverable by hackers on the internet.

So, the first step toward securing your data is analyzing any threats that could originate beyond your firewall.

In fact, our analysis shows that more than 75 percent of threats from external attackers occur outside the firewall, indicating the need for an approach that takes into account the constant, growing onslaught of attacks originating from the wider connected world.

It’s also important to be aware that there are a number of data sets you can use in threat hunting, including WHOIS data, SSL certificates and passive DNS, among others. To take one example, WHOIS data provides insights into who owns a particular IP address, domain or subnet. That information can help you zero in on a threat actor’s infrastructure by investigating suspicious domains that are registered to the same account.

Because cyberattacks are growing in number and sophistication, it may seem like hackers are all but impossible to defeat. But they make mistakes. Threat actors leave signals when they set up malicious domains or create email accounts that they’ll later use to execute phishing scams—and you can use those signals to expose them.

For example, you can maintain databases built from crawling the internet that can be used to make connections between these signals. If you have, say, DNS or hash information, it can really open up your understanding of a threat if you’re able to tie it to other information. Host pairs, for example, are patterns generated by identifying references or redirections from a page to other websites; they can confirm that the attack originated from external sources.

To return to the WHOIS example, you can use ownership records to pinpoint suspicious patterns or compile an attack timeline using domain registration or expiration periods. For instance, a domain that’s been newly created may indicate malicious activity, because domains are often registered close to an attack. Or an older registration date may confirm your instincts to investigate because the attacker appears to be using hijacked domains or compromised hosts.
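As an added illustration of the WHOIS pivot and registration-timeline ideas described above (example code written for this page, not RiskIQ’s or PassiveTotal’s tooling): it groups constructed WHOIS records by registrant account and labels each linked domain by its age relative to an incident date. Domain names, registrant addresses, dates and the 30-day “fresh” window are invented assumptions.

```python
from datetime import date, timedelta

# Constructed WHOIS-style records for illustration only; the domains,
# registrant addresses and creation dates are made up, not real registrations.
WHOIS_RECORDS = [
    {"domain": "login-payments-secure.example", "registrant": "ops@mail.example", "created": date(2019, 3, 1)},
    {"domain": "acct-verify-portal.example", "registrant": "ops@mail.example", "created": date(2019, 3, 2)},
    {"domain": "community-bakery.example", "registrant": "ops@mail.example", "created": date(2012, 6, 15)},
    {"domain": "unrelated-shop.example", "registrant": "shop@other.example", "created": date(2018, 1, 10)},
]

# Constructed date on which the phishing activity was first observed.
INCIDENT_DATE = date(2019, 3, 10)


def pivot_on_registrant(seed_domain, records):
    """Return every record registered to the same account as the seed domain."""
    seed = next((r for r in records if r["domain"] == seed_domain), None)
    if seed is None:
        return []
    return [r for r in records if r["registrant"] == seed["registrant"]]


def classify_by_age(record, incident_date, fresh_window=timedelta(days=30)):
    """Label a domain by how its registration date relates to the incident.

    'newly-registered': created within fresh_window before the incident,
                        consistent with purpose-built attack infrastructure.
    'aged':             a much older registration; if it is serving the attack,
                        it may be a hijacked domain or compromised host.
    """
    age = incident_date - record["created"]
    if age < timedelta(0):
        return "registered-after-incident"
    if age <= fresh_window:
        return "newly-registered"
    return "aged"


def build_timeline(seed_domain, records, incident_date):
    """Pivot from one suspicious domain to the registrant's other domains and
    return (domain, created, label) rows ordered by creation date."""
    linked = pivot_on_registrant(seed_domain, records)
    rows = [(r["domain"], r["created"], classify_by_age(r, incident_date)) for r in linked]
    return sorted(rows, key=lambda row: row[1])


if __name__ == "__main__":
    for domain, created, label in build_timeline("login-payments-secure.example", WHOIS_RECORDS, INCIDENT_DATE):
        print(f"{created}  {domain:32s}  {label}")
```

The same pivot works for any shared registrant attribute (name, organization, phone) once the records carry it.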

Each data set brings its own clues to light.

Collaboration is essential to swift threat identification. When teams work in silos, they miss important attack signals. The security and IT teams should be working in close collaboration with one another and with their vendors to ensure that they’re optimizing their processes.

Large organizations have long understood that threat intelligence gathered from multiple sources leads to the most valuable and actionable insights, and they’ve built out sprawling networks around that knowledge. Smaller companies, on the other hand, have historically believed that this type of infrastructure was beyond their grasp.

However, smart threat management is more about philosophy than resources. Yes, you will need to invest time and money into a strong security strategy. But collaboration is achievable regardless of your company’s size or capacity to buy software.

If they aren’t already collaborating, bring together everyone involved in your security management. Peripheral departments should be looped in on new security measures and best practices as well. Although your security experts/software will be scanning for scams, you’ll want other employees to be on alert for suspicious activities, too.

We all face the same challenges, so studying and engaging one another on what’s working makes everyone’s proactive threat-detection techniques that much stronger.


Your digital presence grows all the time to include ever more websites, apps, landing pages, devices, mail servers and other digital assets. And as your presence grows, so do the security risks.

Threats scale across the internet, which is to say they have no boundaries. To proactively identify and strategize around those risks, you need data that scales the same way. This includes passive DNS information, SSL certificates and other key indicators. Being able to pivot across these rich and growing data points can help you understand the risks associated with your externally-facing digital presence.

Bottom line: Gathering raw data matters because cyberattacks are an omnipresent threat. Anywhere your business has a presence on the web, you face risks from malicious actors. But anywhere they have a presence, they risk exposing themselves. The more data you capture and the more you can encourage collaboration to uncover who your adversaries are based on their past behaviors, the better equipped you are to grasp the full spectrum of their threats.

Brandon Dixon is vice president of product at RiskIQ. He has spent his career in information security performing analysis, building tools and refining processes. Prior to RiskIQ, he was the co-founder of PassiveTotal (acquired by RiskIQ), where he led development and product direction. He also has developed several public tools, most notably PDF X-RAY, and NinjaJobs.
