Safeguard Your Organisation through Effective Threat Detection & Threat Hunting

By Vaibhav Tare, CISO & Global Head – Cloud & Infrastructure Services, Fulcrum Digital Inc.

Amidst the range of cybersecurity strategies that organisations have at their disposal to protect themselves against cyber threats, two complementary approaches stand out for their efficiency and effectiveness – Threat Detection and Threat Hunting.


Threat detection is a defensive approach that is focused on responding to alerts generated by automated security systems. It involves proactively identifying indicators of compromise, such as suspicious behavior or malicious activity, in order to safeguard networks and systems from attack.

Threat detection systems provide valuable insights into the kinds of attacks being launched against organisations, as well as the likely motives behind them, which enables organisations to identify and swiftly respond to emerging threats.

Some fundamental examples of threat detection techniques include firewalls and antivirus software. Used correctly, they can eliminate the vast majority of threats, particularly less sophisticated ones. Penetration testing, honeypots, and intrusion detection systems are some advanced techniques that can be used to identify and mitigate more sophisticated threats.

Threat hunting, on the other hand, leverages the knowledge of experienced security professionals to proactively look for security threats and incidents. It’s an offensive tactic that requires a thorough understanding of the procedures, tools, and techniques used by malicious actors in order to predict their moves and block them from taking any damaging action against the organisation. Threat hunting is also used to uncover unknown threats and previously undetected malicious activity that may have been missed by the automated threat detection systems.

Effective threat hunting requires a strong understanding of the organisation’s attack surface, and associated risks, on the part of security teams. Beyond mere detection and response, they need to proactively take preventive measures to reduce the attack surface and minimise the damage that any successful attackers can do. They also need to audit and update existing security controls to ensure that they are functional and effective against the latest threats.

Essentially, threat detection focuses on the identification of evidence of an attack (such as signature-based detection or linked events), while threat hunting involves more proactive methods of tackling cybersecurity issues. Both methods, when used in tandem, are highly effective at safeguarding organisations from cyber threats.

There remains, however, the need for a more advanced cybersecurity approach capable of locating the very rare attacker who manages to stay undetected.

Internal and external threats

Organisations face threats from both rogue and dishonest insiders and malicious outside attackers, who exploit information technology to carry out sabotage or fraud. Authentication and authorisation, patch management, encryption, and data loss prevention are some of the technologies that can be deployed as countermeasures against these threats.

Threats from ‘insiders’ may be more challenging to detect. This is because access to confidential information is often needed for some jobs, making it difficult to distinguish between legitimate workplace behavior and malicious behavior. However, irrespective of whether they originate within or outside the organisation, some sophisticated cyber threats succeed in evading detection for weeks or even months. During this period, attackers are likely to compromise or steal sensitive data. To prevent such an eventuality, organisations need to ensure the monitoring of access to sensitive data as well as the enforcement of appropriate security protocols. Thorough risk assessments, implementation of robust data access controls, regular audits, and training staff in cybersecurity best practices are some of the measures that will be valuable in this regard.

Nonetheless, threats that originate within the organisation remain a particularly challenging and prevalent problem. Proactive threat hunting aims to combat such adversaries that already exist in the organisation’s environment without yet showing any signs of compromise. Specialised tools are deployed to identify vulnerabilities within the system and address them before they can be exploited.

Threat hunters make use of advanced user behavior analytics to pinpoint the most elusive traces of compromise. Monitoring user and contextual data enables them to identify and analyze anomalies in user behavior – a process that helps detect and investigate suspicious activities, uncover malicious actors, and understand the scope of the threat before the organisation faces any significant adverse impact.
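To make the user behavior analytics idea concrete, here is an added example (not code from the article or its author) of the simplest form of a behavioral baseline: each user's normal working hours, hosts and daily volume of sensitive-file reads are learned from a baseline window, and later records are flagged only when they deviate on more than one dimension, or come from an account the baseline has never seen. All log records, users and hosts are constructed sample data, and the thresholds are assumptions a real deployment would tune.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records: (timestamp, user, host, sensitive_files_read)
BASELINE = [
    ("2024-03-04 09:15", "alice", "ws-12", 3), ("2024-03-04 14:40", "alice", "ws-12", 5),
    ("2024-03-05 10:05", "alice", "ws-12", 4), ("2024-03-05 16:20", "alice", "ws-12", 2),
    ("2024-03-04 08:50", "bob", "ws-31", 1), ("2024-03-05 11:30", "bob", "ws-31", 2),
]
RECENT = [
    ("2024-03-11 10:00", "alice", "ws-12", 4),          # within baseline
    ("2024-03-12 02:35", "alice", "srv-db-2", 180),     # off-hours, new host, volume spike
    ("2024-03-12 09:10", "bob", "ws-31", 2),            # within baseline
    ("2024-03-12 09:30", "mallory", "ws-31", 1),        # account never seen in baseline
]

def build_profiles(records):
    """Per-user baseline: hours and hosts seen, and peak sensitive reads per day."""
    hours, hosts = defaultdict(set), defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for ts, user, host, n in records:
        dt = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        hours[user].add(dt.hour)
        hosts[user].add(host)
        daily[user][dt.date()] += n
    return {u: {"hours": hours[u], "hosts": hosts[u], "max_daily": max(daily[u].values())}
            for u in hours}

def score_record(profile, record):
    """List the ways one record deviates from the user's baseline profile."""
    ts, _, host, n = record
    hour = datetime.strptime(ts, "%Y-%m-%d %H:%M").hour
    reasons = []
    if not any(abs(hour - h) <= 1 for h in profile["hours"]):  # one hour of slack
        reasons.append("off-hours")
    if host not in profile["hosts"]:
        reasons.append("new-host")
    if n > 3 * profile["max_daily"]:                           # assumed 3x threshold
        reasons.append("volume-spike")
    return reasons

def hunt(baseline, recent, min_reasons=2):
    """Flag records deviating on min_reasons dimensions, or from unknown accounts."""
    profiles = build_profiles(baseline)
    flagged = []
    for rec in recent:
        prof = profiles.get(rec[1])
        reasons = score_record(prof, rec) if prof else ["unknown-user"]
        if len(reasons) >= min_reasons or "unknown-user" in reasons:
            flagged.append((rec[0], rec[1], reasons))
    return flagged
```

Requiring two deviations before flagging is what keeps a single late login or a one-off new workstation from burying the hunter in noise, while the unknown-account rule catches the case a per-user baseline cannot score at all.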

The best of both worlds

To effectively safeguard the organisation from both internal and external threats, advanced technologies and human cybersecurity expertise are both essential. Leveraging threat detection systems enables the CISO (Chief Information Security Officer) and the threat-hunting team to identify even the minutest signals of possible insider threat activity and put preventive measures in place to counter such threats in a timely manner. Moreover, by monitoring the cyber kill chain on a daily basis, the team will be able to proactively detect and tackle any threats that manage to slip through the cracks.
