Threat Hunting

22nd April 2021 | Cybrary Threat Hunting


Threat Hunting is the proactive searching of networks, endpoints, and datasets for malicious, suspicious, or risky activity, patterns, or files that evaded existing detection tools. This differs from threat detection, which is a passive, reactive approach to monitoring data and systems for potential security issues. Proactive cyber threat hunting can apply new threat intelligence to previously collected data to identify and categorize potential threats retroactively, and possibly head off a current or future breach.

Defense-in-depth security programs combine passive detection systems with active threat hunting to provide the greatest chance of attack discovery. Threat hunting develops attack scenarios based upon reported or observed threat actor behaviors and validates those hypotheses against SIEM databases, log files, and observed activity across one's computing systems and networks.

With threat hunting, security professionals look at their data sources not for standard alerts but with deeper reasoning and forensics. In some cases, threat hunters substantiate alerts that were previously ignored or treated as false positives.
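The hunt loop described above, as an added example that is not part of the original page or CyberHoot's own tooling: a threat-actor behavior ("a credential-guessing source produces a burst of failed logons and then a success") is written down as a hypothesis, encoded as a query, and run retroactively over raw authentication logs that raised no standard alert. The log lines, hostnames, usernames, and addresses are constructed sample data, and the syslog-like line format, the `min_failures` threshold, and the five-minute window are assumptions chosen for the example.

```python
"""Hypothesis-driven hunt over authentication logs (constructed sample data).

Hypothesis: a source guessing or spraying passwords produces a burst of failed
logons for several different users, followed shortly by a successful logon.
No standard alert fired, so the raw log is searched retroactively.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines in an assumed syslog-like format; not real data.
SAMPLE_LOG = """\
2021-04-22T02:14:01Z srv01 auth: FAILED user=alice src=203.0.113.7
2021-04-22T02:14:05Z srv01 auth: FAILED user=bob src=203.0.113.7
2021-04-22T02:14:09Z srv01 auth: FAILED user=carol src=203.0.113.7
2021-04-22T02:14:13Z srv01 auth: FAILED user=dave src=203.0.113.7
2021-04-22T02:14:20Z srv01 auth: SUCCESS user=dave src=203.0.113.7
2021-04-22T09:01:00Z srv02 auth: FAILED user=erin src=198.51.100.4
2021-04-22T09:01:30Z srv02 auth: SUCCESS user=erin src=198.51.100.4
2021-04-22T09:05:00Z srv02 auth: SUCCESS user=frank src=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAILED|SUCCESS) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Parse log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def hunt_spray_then_success(events, min_failures=3, window=timedelta(minutes=5)):
    """Return one finding per successful logon that was preceded, within
    `window`, by failed logons for at least `min_failures` distinct users
    from the same source address."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)

    findings = []
    for src, evs in by_src.items():
        for i, ev in enumerate(evs):
            if ev["result"] != "SUCCESS":
                continue
            start = ev["ts"] - window
            # Only events earlier than the success (evs[:i]) are considered.
            failed_users = {e["user"] for e in evs[:i]
                            if e["result"] == "FAILED" and e["ts"] >= start}
            if len(failed_users) >= min_failures:
                findings.append({
                    "src": src,
                    "host": ev["host"],
                    "user": ev["user"],
                    "ts": ev["ts"].isoformat(),
                    "failed_users": sorted(failed_users),
                })
    return findings


if __name__ == "__main__":
    for f in hunt_spray_then_success(parse(SAMPLE_LOG)):
        print(f"{f['ts']} {f['src']} -> {f['host']} as {f['user']} "
              f"after failures for {', '.join(f['failed_users'])}")
```

On the sample data the single ordinary typo-then-retry by `erin` falls below the threshold, while the four-user burst from `203.0.113.7` ending in a success for `dave` is surfaced as a finding to investigate. In a real hunt the same query would be issued against the SIEM or log store, and a confirmed finding would be turned into a standing detection rule so that the behavior is caught passively next time.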

What does this mean for an SMB?

Threat hunting is a tool that can improve your cybersecurity, but it can be expensive. It is often reserved for highly mature organizations facing a proliferation of Advanced Persistent Threats. If it's not in your budget, a risk assessment is a great way to determine gaps in your cybersecurity program. Once you've determined your gaps, you can plan how to spend your finite time and money addressing them. CyberHoot recommends that your risk assessment examine whether you're doing the following best practices:

10 STEPS EVERY SMB SHOULD TAKE TO PROTECT THEMSELVES FROM CYBER ATTACKS:
  1. Train employees on cybersecurity best practices.
  2. Phish test employees to keep them vigilant in their inboxes.
  3. Govern staff with policies to guide behaviors and independent decision-making.
  4. Adopt a Password Manager for all employees.
  5. Enable two-factor authentication on all critical Internet-enabled services.
  6. Regularly back up all your critical data using the 3-2-1 approach.
  7. Implement the Principle of Least Privilege. Remove administrator rights from employee local Microsoft Windows workstations.
  8. Implement email security, including third-party SPAM protection and DNS security for Mail Exchange records (DMARC, DKIM, and SPF), combined with external email banners to give employees a fighting chance.
  9. Build a robust network at your firm that is properly segmented. Network segmentation is to computer networks what sealed ballasts are to submarines: they allow damaged sections of a company or submarine to be completely isolated, preventing the sinking of the whole network or submarine respectively.
  10. Finally, for when the eventual breach does occur, buy enough Cyber Insurance to cover your recovery from a catastrophic breach event.

To learn some more about Threat Hunting, watch this short 3-minute video:

https://www.youtube.com/watch?v=MvH_GqkFmus

Sources: 

McAfee

VMWare

Additional Reading:

MSPs Should Require Risk Assessments

U.S.S.S. Reporting Increase in SMBs Hacked

Related Terms:

Penetration Testing

Blue Team
