The Future of Threat Hunting
Rakesh Nair, Founder
As the cybersecurity industry continues to make tremendous technological progress, criminal organizations and nation-state adversaries continue to evolve as well. As an industry, it is more crucial now than ever that we keep pushing for innovative technology that gives us visibility into the blind spots we currently face.
“The Achilles' heel of threat hunters today is the sheer volume of telemetry being collected by organizations.”
Feeling the need for improved visibility, organizations have pushed to collect more and more telemetry over the last decade, leading to exponential growth in data volume. This has created a new problem: network metadata and endpoint data now reach hundreds of terabytes over short periods, even in moderately sized environments. Adversaries take advantage of this, because threat hunters cannot manually mine through even a fraction of that data. Attacker activity diffuses into the mass of benign events, rendering most threat hunting programs less effective. Even the most skilled threat hunters are overwhelmed by the volume and are unable to trace attack paths end to end in order to protect their organizations.
“More and more organizations are forced to adopt threat hunting to detect sophisticated adversaries.”
If we look at the SolarWinds supply-chain breach, the attackers evaded existing defenses for months. One of SolarWinds' customers, FireEye, was the first to detect the intrusion, citing activity dating back to March 2020. The attackers went undetected inside victims' environments, giving them access to sensitive information over a long period of time. These are sophisticated actors who know the trip-wires associated with the simplistic rules and analytics used to find them. The SolarWinds breach exemplifies organizations' need for effective, proactive threat hunting.
“There is no way to reconcile the need for threat hunting with the volume of data without machine-assistance.”
The only path out of this quandary is to find solutions that enable threat hunters to hunt faster and at scale. To allow hunters to do machine-assisted hunting, we need to automate the data-mining step. Organizations need to let machines do what they are good at: mining through terabytes of data at machine speed. With that assistance, hunters can trigger hunts from interesting IoCs and behaviors and run an order of magnitude more hunts than they can today. Adding machine assistance to human hunters helps organizations gain visibility into every step the attacker takes: each lateral movement, each use of living-off-the-land binaries, and each persistence technique employed, ultimately revealing the attacker's complete footprint across the entire environment.
“With machine-assisted hunting, threat hunters can trigger an order of magnitude more hunts, while allowing machines to mine through terabytes of data and bubbling up prioritized and pre-investigated stories.“
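The idea above, a machine expanding a single seed IoC into a complete, prioritized story across hosts, can be shown with a small pivot engine. The following is an added illustration written for this page, not Kognos code or any product's algorithm. The telemetry is constructed, and its record shapes (process, network-connection and logon events with a shared `logon_id`) are assumptions loosely modelled on EDR/Sysmon data; the LOLBin and persistence marker lists are likewise assumed for the example. From one seed (an encoded PowerShell command line) it walks up to the entry point, down through children, out over network connections, and across to a second host via the remote logon that connection explains, tagging LOLBins, persistence and lateral movement as it goes, while leaving unrelated sibling processes out of the story.

```python
"""Machine-assisted hunt: expand a seed IoC into an attack story.

Added illustration, not Kognos code. The telemetry below is constructed and
its record shapes are assumptions loosely modelled on EDR/Sysmon process,
network-connection and logon events.
"""
from collections import deque

# Assumed list of binaries commonly abused for living off the land.
LOLBINS = {"certutil.exe", "rundll32.exe", "mshta.exe", "wmic.exe",
           "regsvr32.exe", "powershell.exe", "psexesvc.exe"}
# Assumed command-line fragments that indicate a persistence mechanism.
PERSISTENCE_MARKERS = ("schtasks /create", "\\currentversion\\run", "sc create")


def proc(host, pid, ppid, image, cmdline, logon_id, ts):
    return {"type": "process", "host": host, "pid": pid, "ppid": ppid,
            "image": image, "cmdline": cmdline, "logon_id": logon_id, "ts": ts}


def net(host, pid, dst, dport, ts):
    return {"type": "network", "host": host, "pid": pid, "dst": dst, "dport": dport, "ts": ts}


def logon(host, src_host, user, logon_type, logon_id, ts):
    return {"type": "logon", "host": host, "src_host": src_host, "user": user,
            "logon_type": logon_type, "logon_id": logon_id, "ts": ts}


# Constructed telemetry: a macro document spawning PowerShell, persistence via
# a scheduled task, WMI lateral movement to srv02, plus unrelated noise.
TELEMETRY = [
    proc("ws01", 100, 1, "explorer.exe", "explorer.exe", "L1", 1),
    proc("ws01", 200, 100, "winword.exe", "winword.exe invoice.docm", "L1", 2),
    proc("ws01", 300, 200, "powershell.exe", "powershell -enc SQBFAFgA", "L1", 3),
    net("ws01", 300, "203.0.113.7", 443, 4),
    proc("ws01", 310, 300, "schtasks.exe", "schtasks /create /tn Updater /tr u.exe", "L1", 5),
    proc("ws01", 320, 300, "wmic.exe", "wmic /node:srv02 process call create cmd", "L1", 6),
    net("ws01", 320, "srv02", 135, 7),
    logon("srv02", "ws01", "corp\\jdoe", 3, "L9", 8),
    proc("srv02", 500, 4, "wmiprvse.exe", "wmiprvse.exe", "L9", 9),
    proc("srv02", 510, 500, "cmd.exe", "cmd.exe", "L9", 10),
    proc("ws01", 900, 100, "chrome.exe", "chrome.exe", "L1", 11),              # noise
    proc("srv02", 600, 4, "svchost.exe", "svchost.exe -k netsvcs", "L0", 12),  # noise
]


def build_index(events):
    """One pass over the telemetry so every pivot is a dict lookup, not a scan."""
    idx = {"proc": {}, "children": {}, "net": {}, "logons": {}, "by_logon": {}}
    for ev in events:
        if ev["type"] == "process":
            idx["proc"][(ev["host"], ev["pid"])] = ev
            idx["children"].setdefault((ev["host"], ev["ppid"]), []).append(ev)
            idx["by_logon"].setdefault((ev["host"], ev["logon_id"]), []).append(ev)
        elif ev["type"] == "network":
            idx["net"].setdefault((ev["host"], ev["pid"]), []).append(ev)
        else:
            idx["logons"].setdefault(ev["host"], []).append(ev)
    return idx


def process_tags(ev):
    tags = set()
    if ev["image"].lower() in LOLBINS:
        tags.add("lolbin")
    if any(m in ev["cmdline"].lower() for m in PERSISTENCE_MARKERS):
        tags.add("persistence")
    return tags


def describe(ev):
    if ev["type"] == "process":
        return f"{ev['image']} ({ev['pid']}): {ev['cmdline']}"
    if ev["type"] == "network":
        return f"pid {ev['pid']} -> {ev['dst']}:{ev['dport']}"
    return f"{ev['user']} from {ev['src_host']} (type {ev['logon_type']})"


def hunt(events, seed_match, hop_window=60):
    """Return the attack story (events sorted by time, each tagged) for a seed.

    Ancestors are followed upward only, to recover the entry point without
    dragging in siblings; descendants, their network connections and any remote
    logon a connection explains (same source host, within hop_window seconds)
    are followed downward, which is how lateral movement is traced across hosts.
    """
    idx = build_index(events)
    story, seen, queue = {}, set(), deque()

    def record(ev, tags):
        key = (ev["type"], ev["host"], ev.get("pid"), ev.get("logon_id"), ev["ts"])
        story.setdefault(key, (ev, set()))[1].update(tags)

    for ev in events:
        if ev["type"] == "process" and seed_match(ev):
            record(ev, {"seed"})
            queue.append((ev, "down"))

    while queue:
        ev, direction = queue.popleft()
        key = (ev["host"], ev["pid"])
        if (key, direction) in seen:
            continue
        seen.add((key, direction))
        record(ev, process_tags(ev))
        parent = idx["proc"].get((ev["host"], ev["ppid"]))
        if parent is not None:
            queue.append((parent, "up"))
        if direction != "down":
            continue
        for child in idx["children"].get(key, []):
            queue.append((child, "down"))
        for conn in idx["net"].get(key, []):
            record(conn, {"outbound"})
            for lg in idx["logons"].get(conn["dst"], []):
                if lg["src_host"] == ev["host"] and conn["ts"] <= lg["ts"] <= conn["ts"] + hop_window:
                    record(lg, {"lateral_movement"})
                    for p in idx["by_logon"].get((lg["host"], lg["logon_id"]), []):
                        queue.append((p, "down"))

    return [{"ts": ev["ts"], "host": ev["host"], "type": ev["type"],
             "what": describe(ev), "tags": sorted(tags)}
            for ev, tags in sorted(story.values(), key=lambda e: e[0]["ts"])]


if __name__ == "__main__":
    for step in hunt(TELEMETRY, lambda ev: "-enc" in ev["cmdline"]):
        print(f"{step['ts']:>3} {step['host']:<6} {step['what']:<55} {step['tags']}")
```

Running it prints ten ordered steps on two hosts, from explorer.exe and the macro document down to cmd.exe on srv02, with the seed, LOLBin, persistence, outbound and lateral-movement tags attached; chrome.exe and the unrelated svchost.exe never appear, because siblings of an ancestor and processes under other logon sessions are not expanded. The same walk over terabytes of real telemetry is what turns a single IoC into a pre-investigated story for the hunter to review.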
Looking ahead, it is crucial not only for organizations to prioritize threat hunting in order to look for sophisticated threats, but also to equip the hunt team with machine-assisted hunting tools that let them be as effective as possible. In doing so, threat hunters are no longer constrained by data volume in their efforts to identify attackers in action. Not only does dwell time decrease, but hunters can begin a truly proactive hunting process without those constraints. As criminal organizations continue to think proactively, so must we.

If you are interested in learning more about autonomous EDR hunting and how it can empower your threat hunting team with the tools to stop malicious actors in their tracks, download Kognos' EDR hunting datasheet.