Cyber Threat Hunting has been popular for some time. There is a good reason for this. Threat hunting actually involves actively going out and iteratively searching your networks in order to detect and isolate advanced threats. This is a proactive exercise which is a total contrast to typical cyber defense where it seems like we just wait for an inevitable breach to occur. Too often the breach is discovered when a kind third-party (hopefully not a regulatory agency or law enforcement) make contact and informs one of the situations. Threat hunting is very appealing because it gives the sense of being active and not sitting idle.
However, since there is no such thing as a silver bullet when it comes to cybersecurity controls, it is necessary to evaluate how effective threat hunting will be at each institution. Items like the information security budget, maturity of current cybersecurity controls, threats and risks all will play a part in analyzing the potential effectiveness of threat hunting and in determining if the cybersecurity posture of an institution is mature enough to benefit from threat hunting.
Here are some fictional example institutions that can provide examples where threat hunting can be effective and then not effective.
Fairly large at just over one billion dollars in assets, A-Bank also is a fairly new bank, being founded only fifteen years ago. From the beginning, A-Bank has worked to implement foundational cybersecurity controls into all aspects of their operations. They have followed guidance such as the Center for Internet Security's Top 20 Controls[i] and other guidance such as the NSA's Top Ten Cybersecurity Mitigation Strategies[ii]. A-Bank has implemented a vulnerability management program including utilizing a vulnerability scanner weekly, active mitigation of identified vulnerabilities, and proactively patching systems identified to be missing patches. Additionally, A-Bank has segmented its internal network into zones with access control lists in place to allow only authorized movement between zones. This has been enhanced by not allowing any network communication between workstations and other end-user devices, effectively preventing or significantly hindering lateral movement by an attacker. A-Bank has also eliminated password re-use through their bank. Each system has unique passwords for any local accounts. Service accounts also utilize unique passwords. These are all managed by a Privileged Access Management system. A final foundational control A-Bank has implemented is the implementation of a program to centralize all server, firewall, DNS, DHCP, and other logs. These logs are archived long-term. Alerts are also configured to identify basic suspicious activity and reports are reviewed daily by the information technology team.
Established in 1906, B-Bank has an asset size of roughly $430 million dollars. They first got into technology with one workstation over thirty years ago and their technology footprint and network have grown organically since. B-Bank has a limited information technology budget and also is conservative when it comes to financial and technical risk. They do not currently offer service like mobile check capture, merchant remote deposit, and wire or ACH services via Internet banking. While B-Bank has a lower overall risk than A-Bank, they have not implemented many of the foundational controls that A-Bank has. B-Bank has a patch management program where they apply Microsoft and a few other patches. Additionally, B-Bank is running virus and malware protection program on all systems.
Threat Hunting Effectiveness
Threat hunting would be beneficial at both banks. However, due to the limited information technology budget, and lack of foundational cybersecurity controls, B-Bank would see the greatest impact in their cybersecurity posture by spending their time and money implementing some of the controls outlined in the Top 20 Security Controls by the Center for Internet Security, or the NSA Top 10 Cybersecurity Mitigation Strategies. A-Bank already has a mature cybersecurity posture and is well-positioned to deploy threat hunting teams in their network.
Periodically new cybersecurity controls become available. Be careful not to implement a control just because the technology or practice is the latest cool thing. Evaluation of the control is an important part of any new cybersecurity acquisition and if properly done will ensure the greatest return on the investments of time and money.