Much is heard these days about “threat hunting” and it seems this term can have various definitions in the world of cybersecurity today. At a high level, the term “threat hunting” refers to the activity of proactively searching through your environment to uncover potential threats that may compromise – or may have already compromised – your defenses.
Two recent examples make the point: many of the organizations impacted by the SolarWinds attack and the recent Microsoft Exchange vulnerability would otherwise have been considered secure. In fact, their systems might have been secured perfectly in every way possible, and they could still have fallen victim to these threats, because simply running an automatic update or operating an Exchange server isn’t always enough. Threat hunting actively examines your environment to locate systems and devices that have been compromised, including those with no obvious sign of compromise, while also looking for malware and other issues on those systems.
Threat hunting is increasingly important because cybersecurity threats are on the rise. Cisco’s Talos team observed a 15 percent rise in pandemic-themed email phishing scams in the first two months of 2020, at the beginning of the pandemic and lockdown. Similarly, the Cisco Umbrella DNS platform reported that the percentage of tracked domains blocked as malicious often crossed 50 percent, sometimes peaking as high as 75 percent. No wonder the 2021 Cisco Security Outcomes Study reports that “accurate threat detection” is among the top five success factors for creating a strong security culture.
And size doesn’t matter: many organizations may think they are not attractive enough targets for cybercriminals to bother with, but this is simply not true. Many large organizations in the public eye have been aggressively targeted by cybercriminals, yet organizations of all sizes and in all industries have fallen prey to ransomware and other malware threats. The best thing you can do to protect your business from a security standpoint is to take security seriously no matter what size or industry your business is in. Building your defenses is an ongoing journey. As you begin that journey, some initial actions you can take include:
- Develop an effective, ongoing Threat Intelligence and Incident Response Playbook so you have a solid foundation in place to identify, respond to and weed out threats – and adjust as needed. This will provide you with the appropriate steps to follow when incidents occur and keep stress levels in check.
- Communicate the plan to your team (and potentially, LOB leaders) and assign responsibilities or key tasks so they understand the process and the role they play in it.
- Make it a routine practice to run scenarios with your team to ensure everyone’s on the same page and can respond appropriately. Adjust workflows and build upon the plan where needed.
- Keep in mind that vulnerabilities will occur, and there’s no perfect plan. But stay consistent in your approach and you’ll be better prepared if and when incidents happen.
Want a deeper dive? Check out the Simply Secure: Threat Hunting podcast to hear host Ron Temske and Craig Williams, Director of Talos Outreach at Cisco, delve into best practices for incorporating threat hunting into your organization.
Ron Temske is VP, Cybersecurity Network & Workplace Solutions at Logicalis and host of the Simply Secure Podcast.