Using Threat Hunting to Fight Advanced Cyberattacks
Constantly Look for Anomalous Behavior in the Network in Real Time
Protection against known threats is no longer enough, as attackers become more and more aware of the security technologies and strategies organizations use. The problem is compounded by the growing use and evolution of advanced threats (such as malwareless or fileless attacks), which makes identifying the origin of a threat far more complex. Detecting advanced threats requires total visibility. And not only that: security teams also need to be able to look back in time to see what has happened on the network. That means the telemetry that underpins this visibility must remain accessible (for at least a year) so that teams can "go back in time" and investigate threats that may have remained hidden.
To detect such threats, analysts need to run proactive searches that "hunt" for suspicious activity that has evaded traditional protections, rather than waiting for a post-incident investigation. Having a strategic attitude, or at least a strategic standpoint, toward possible attacks is also key. This approach is what is known as threat hunting.
Threat hunting is not about detecting known threats or Indicators of Compromise (IoCs). It is intended to find new attacks that may have slipped under the radar of other security technologies, which is why it is based on Indicators of Attack (IoAs). Rather than reacting to something that has already happened, such as an exploited vulnerability, IoAs take a proactive stance: they describe attacker behavior while the attack is taking place, or even before it becomes a real threat. So instead of identifying traditional malware, ransomware or phishing, threat hunting looks for attackers who are using trusted and administrative applications to carry out malwareless or fileless attacks, who have stolen admin credentials, and who are moving freely across the network.
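To make the IoA idea concrete, here is an added example (not WatchGuard's code or the rules of its Threat Hunting service) of two behavior-based hunts run over endpoint process-creation telemetry: a document application spawning a script interpreter (fileless initial access) and one account producing remote-execution artifacts on several hosts within minutes (lateral movement with stolen admin credentials). The events, host names, account names and rule thresholds are constructed for illustration; `run_hunts` takes an optional `since` cutoff to show how the same hunt is re-run over retained telemetry.

```python
"""IoA-style hunts over endpoint process-creation telemetry.

Constructed sample data and hypothetical rule logic for illustration only;
this is not WatchGuard's Threat Hunting service or its detection rules.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of process-creation events from a few hosts. In a real
# deployment these would come from an endpoint agent and be retained for a
# year or more so that hunts can be re-run over older data.
EVENTS = [
    {"ts": "2024-03-01T09:00:00", "host": "ws01", "user": "alice",
     "parent": "explorer.exe", "image": "winword.exe", "cmdline": "winword.exe invoice.docm"},
    # Word spawning a hidden, encoded PowerShell: classic fileless initial access.
    {"ts": "2024-03-01T09:01:10", "host": "ws01", "user": "alice",
     "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"ts": "2024-03-01T09:05:00", "host": "ws01", "user": "alice",
     "parent": "cmd.exe", "image": "whoami.exe", "cmdline": "whoami /all"},
    # A stolen admin account pushes execution to three servers in a few minutes.
    {"ts": "2024-03-01T09:21:00", "host": "srv01", "user": "svc_admin",
     "parent": "wmiprvse.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c net user"},
    {"ts": "2024-03-01T09:23:00", "host": "srv02", "user": "svc_admin",
     "parent": "services.exe", "image": "psexesvc.exe", "cmdline": "psexesvc.exe"},
    {"ts": "2024-03-01T09:24:00", "host": "srv03", "user": "svc_admin",
     "parent": "services.exe", "image": "psexesvc.exe", "cmdline": "psexesvc.exe"},
    # Benign: an administrator running PowerShell from a console on one host.
    {"ts": "2024-03-01T14:00:00", "host": "srv05", "user": "bob",
     "parent": "cmd.exe", "image": "powershell.exe", "cmdline": "powershell.exe Get-Service"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Artifacts showing that remote execution landed on a host (PsExec service, WMI).
REMOTE_EXEC_IMAGES = {"psexesvc.exe"}
REMOTE_EXEC_PARENTS = {"wmiprvse.exe"}
SUSPICIOUS_FLAGS = ("-enc", "-w hidden", "-nop")


def hunt_office_spawns_interpreter(events):
    """IoA: a document-handling application launching a script interpreter."""
    findings = []
    for e in events:
        if e["parent"].lower() in OFFICE_APPS and e["image"].lower() in INTERPRETERS:
            cmd = e["cmdline"].lower()
            severity = "high" if any(f in cmd for f in SUSPICIOUS_FLAGS) else "medium"
            findings.append({"rule": "office_spawns_interpreter", "severity": severity,
                             "host": e["host"], "user": e["user"], "ts": e["ts"]})
    return findings


def hunt_lateral_movement(events, min_hosts=3, window=timedelta(minutes=15)):
    """IoA: one account producing remote-execution artifacts on many hosts quickly."""
    by_user = defaultdict(list)
    for e in events:
        if e["image"].lower() in REMOTE_EXEC_IMAGES or e["parent"].lower() in REMOTE_EXEC_PARENTS:
            by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["host"]))
    findings = []
    for user, hits in by_user.items():
        hits.sort()
        for t0, _ in hits:  # slide a time window forward from each hit
            hosts = sorted({h for t, h in hits if t0 <= t <= t0 + window})
            if len(hosts) >= min_hosts:
                findings.append({"rule": "lateral_movement", "severity": "high",
                                 "user": user, "hosts": hosts, "first_seen": t0.isoformat()})
                break  # one finding per account is enough to open a case
    return findings


def run_hunts(events, since=None):
    """Run all hunts, optionally only over telemetry newer than `since` (ISO 8601)."""
    if since is not None:
        cutoff = datetime.fromisoformat(since)
        events = [e for e in events if datetime.fromisoformat(e["ts"]) >= cutoff]
    return hunt_office_spawns_interpreter(events) + hunt_lateral_movement(events)


if __name__ == "__main__":
    for finding in run_hunts(EVENTS):
        print(finding)
```

Neither rule needs a hash or a domain to match: both key on how legitimate tools are being used (parent process, command-line flags, the spread of one account across hosts in a short window). The benign PowerShell session on srv05 produces no finding, which is the point of tuning on behavior rather than on the mere presence of an admin tool.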
This approach requires a high level of cybersecurity maturity and relies on the proactivity of security experts who constantly look for anomalous behavior in the network in real time, and who use the latest artificial intelligence and machine learning techniques to reduce exposure time to attacks. Unfortunately, cybersecurity experts are scarce today, and few companies or partners have the knowledge and resources to run a SOC with advanced threat hunting capabilities. For this reason, most companies and partners delegate the threat hunting service (at least partially) to their security provider.
To help address this challenge, WatchGuard’s Endpoint Security solutions include a Threat Hunting service that automatically detects suspicious activity, compromised computers and attacks at an early stage. The service also ensures that each endpoint action is traceable and provides deep insight into the attacker and their activity, which streamlines forensic investigations across applications, users and machines. This allows for fast and effective security policy adjustments to mitigate future threats.
In order to secure and maintain an IT infrastructure, a cyber defense strategy needs to be able to detect all anomalous activity as early as possible, identify it and react quickly to the incident. That’s the only way to ensure organizations stay one step ahead of adversaries.
WatchGuard’s mission is to help organizations and MSPs modernize and expand their security delivery by offering scalable, unified security platforms. To learn more about the added value of threat hunting services, check out this on-demand webinar and learn about the strategic value of Threat Hunting in cybersecurity.