Most experts agree that it’s not a matter of if you will be breached, it’s a matter of when. In fact, the odds are that several people that read this blog have an attacker lurking in their network right now without even realizing it. But that’s not the only problem. Perimeter and antivirus defenses usually can’t detect fileless attacks – a rapidly rising network threat. So what’s an organization to do? If you do not already have a threat hunting plan, it’s time to develop one or explore new managed threat hunting services.
What is proactive threat hunting?
In simple terms, proactive threat hunting is the regular or continuous process of looking for abnormal activity and signs of intrusion BEFORE you have evidence of compromise. It is an inherently manual process that relies on the knowledge and expertise of the threat hunter, as well as an effective toolkit. Threat hunting requires highly skilled, experienced cybersecurity professionals that relentlessly look for small changes and then keep following that thread until they find the root cause.
With a properly segmented network, it can take a while for your attacker to successfully expand their privileges, move laterally, and get so deep in your network that they have access to your most sensitive information. Proactive threat hunting is your best chance to find and stop a hacker before they steal a massive amount of data or launch damaging ransomware. For industries that have compliance requirements, proactive threat hunting delivers the added bonus of potentially stopping a breach before the attacker accesses protected data that can result in damaging fines and violations.
What is a “fileless attack”?
Fileless aka non-malware, zero-footprint or macro attacks, bypass traditional antivirus and perimeter defenses by leveraging existing applications or loopholes in common protocols. By exploiting trusted software, they are already whitelisted. In addition, fileless attacks do not download a malicious file, so this attack slips by antivirus software. Most fileless attacks enter the network when a user clicks on an infected link, or enables an infected macro that automatically initiates a sequence of actions when the user opens the target program. While these types of attacks bypass your perimeter defenses, they do leave small traces of their presence, if you know where to look.
Why is proactive threat hunting important?
Let’s look at some sobering facts:
- The average time an attacker lurks in your network before discovery is almost 200 days
- Identifying a breach in less than 30 days reduces the average breach costs by $1 million
- 40% of organizations do not participate in any regular threat hunting, according to a SANS Institute survey
- Most of the organizations proactively threat hunting are enterprise organizations
- 58 percent of SMBs experienced a data breach in the year prior to the Ponemon Institute’s 2018 State of Cybersecurity in Small & Medium Size Businesses (SMBs) survey
- 74% of SMBs surveyed said they do not have the personnel to effectively address cyber risks
It’s clear that attackers are targeting both enterprise organizations and SMBs – no one is immune anymore. However, SMBs will be hit much harder by today’s rising attacks because a staggering three quarters of SMBs lack the personnel to effectively address cyber risks.
The sooner you detect an intrusion, the more effectively you can limit damage and reduce breach remediation costs. Threat hunting is one of the best ways to find breaches, especially from fileless attacks that were not caught by your perimeter or antivirus defenses. Organizations can no longer afford NOT to have a proactive threat hunting plan.
Should you keep threat hunting in-house or is managed threat hunting right for your organization?
The days when you could build a strong security posture based on automated security programs are over. As hackers continuously innovate, a strong security posture requires integrating many different security strategies. Proactive threat hunting should be part of your strategy. As you evaluate how to build or increase the frequency of your proactive threat hunting program, you should consider these four key questions:
- Do I have experienced threat hunting skills in-house?
- Does my existing team have the bandwidth for regular threat hunting activities?
- How will my team stay current on the latest threat hunting techniques?
- Do we have the time and budget to purchase and train our team on the latest threat hunting tools?
If you don’t have the ability to meet all four criteria, managed threat hunting may be the best choice for your organization. Managed threat hunting outsources regular threat hunting activities to experienced teams that stay current with the latest threat hunting techniques.
A skilled team not only understands the most effective threat hunting techniques, but has the expertise that is crucial for success. Faster identification of compromise can actually save you a million dollars. With the high demand and tight supply for experienced cybersecurity professionals, many organizations find that contracting managed threat hunting services is less expensive than hiring experienced, full-time staff, providing they can even find the right people.
Combine these challenges with the expense of purchasing threat hunting tools, as well as providing initial and continuous training on threat hunting techniques, keeping proactive threat hunting services in-house can frequently be more expensive for SMBs than using a managed threat hunting service.
Whether you decide to engage in regular, proactive threat hunting in-house or use a managed threat hunting service, threat hunting is a crucial part of maintaining a strong security posture.
If you don’t have the time or the resources for proactive threat hunting in-house, try our managed threat hunting service.