Moshe Ben-Simon, VP of Services & TrapX Labs.
With the severity and frequency of breaches increasing seemingly by the day, it is becoming clear that the Red Team, Blue Team approach followed by many organizations is insufficient to protect modern infrastructures.
However, in cyber warfare today, the ability to detect, respond, and mitigate the consequences of a successful cyber-attack requires a high degree of organizational maturity and adherence to specific models of operation. It also requires a dedicated focus on hunting adversaries already on the network. Considered an evolution of modern Security Operations Center (SOC) operations, many organizations recognize the need for a Hunt Team but are unsure how to introduce one or particularly how to integrate it with existing security operating procedures.
In considering how to implement a Hunt Team, the main question to be considered is whether the team is simply an upgrade to the current SOC or an independent unit that works in parallel to the existing security monitoring and controls in place. Further, the integration of active threat hunting into existing workflows should complement existing security efforts, rather than weaken or dilute them. This is because the main aim of the Hunt Team is to minimize the risk of business interruption and ideally stop the attack before data exfiltration or other damage can take place.
Hunt Teaming is uniquely positioned to support this aspiration because it is typically an analyst-driven approach that can address issues outside the scope offered by single alerts or indicators of compromise that can reveal. Because of this, additional benefits are typically observed. These include improved visibility of the threat landscape and the infrastructure, damage limitation and most importantly improving defense to make successful attacks more difficult.
There are nine requirements that underpin successful Hunt Teams and which support maturity in this endeavour:
- Organizational Recognition speaks to the notion that Hunt Teaming is an ongoing commitment with long and short term benefits that need executive-level sponsorship.
- Team Skills must be deep and diverse, including penetration testing, threat intelligence, network, and host forensics, risk modeling and analytics and incident response.
- Organizational Knowledge enables the team to intimately understand the organizational infrastructure and the accompanying risks and exposure to focus their attention and offer improved outcomes.
- Hunting Maturity Model (HMM) adherence is key. There are several available standards that can be chosen and customized to fit specific requirements based on risk analytics and exposure metrics.
- Correct Tooling offers the ability to support the HMM and log, network and host analysis. These can include disk and malware forensics, anomaly detection, deception platforms, threat intelligence management and log analysis for data modeling.
- Automation means that defenders do not have to start their search processes from scratch each time when hunting adversaries. This means that automation to underpin analysis and correlation for all the different behaviors observed will allow the Hunt Team to respond appropriately to high severity alerts.
- Threat Intelligence Sources are critical to mature threat hunting teams, and should ideally leverage commercial AND open source intelligence feeds to adequately cover business risks.
- Operations Management involves the deployment of a central system that can document Hunt Team activities that have handled the resolution of events and alerts. This provides a valuable knowledge base that can be leveraged across the organization.
- Red Teaming should be conducted on a bi-weekly or monthly basis, using combinations of static and dynamic attack scenarios. A good relationship between the Hunt and Red Teams means that static scenarios can be supplied by the Hunt Team and developed and executed by the Red Team.
These requirements can deliver mature hunt teaming capabilities to the progressive organization looking to augment their security controls and minimize the chance of a breach and mitigate the scale of the damage in the event of a compromise.
Remember, with GDPR just around the corner, the scale of the breach is going to be far more important than ever before. Hunt Teams directly contribute to minimizing such damage.
ABOUT STRATEGIC CYBER VENTURES
Cybersecurity is national security, and we're a D.C.-based venture capital firm on a mission to find cutting-edge startups that help us make an impact. We go beyond the check to help our founders win by leveraging our industry connections and experience as cybersecurity veterans to fuel their companies from inception to exit.
To learn more about our investment strategy and portfolio, explore www.scvgroup.com or connect with us on X @SCV_Cyber to be part of our mission in shaping the future of cybersecurity.