The three essentials of threat hunting

By Recorded Future

Gavin Reid, Chief Security Officer of Recorded Future, shares how governments can take a proactive approach to security.

Security teams today are caught up in a game of cat-and-mouse. Attackers are growing increasingly agile and able to maneuver around even the most extensive traps and detections, leaving analysts chasing after their trails.

Miscreant techniques are growing in scale and complexity. Organisations need a proactive threat-hunting approach to detect and stop malicious actors in their tracks, says Gavin Reid, Chief Security Officer of Recorded Future.

He discusses three essentials of threat hunting for analysts to stay ahead of the game.

1. Understand your network and the ‘crown jewels’

Organisations now run on-premises systems alongside multiple cloud platforms, and data is stored across many different systems and software products. Analysts need a really good understanding of what is on the network and how data flows in and out of it, says Reid.

This understanding needs to be based on “testing and audit, not just what people think about something”, he adds. This complete picture would help organisations understand all the connections, chokepoints, and threats facing a network.

Once organisations have a good understanding of what is part of their environment, they need to know what must be protected, says Reid. Security analysts must be aware of where the “crown jewels” are stored. They can then ensure access to them is logged and implement multi-factor authentication, he adds.

2. Integrate data from a variety of sources

Security teams need timely, well-researched information about their threat landscape, says Reid. Accurate information about hacker tools, techniques and infrastructure is essential to enable better investigations, detections, and mitigations.

Recorded Future’s research team, Insikt, acts as the eyes and ears of organisations. It looks at the criminal underground, Discord channels, and other unique sources to pick up data on new attack techniques. This alerts security teams to the threats most relevant to their organisation, allowing them to stay one step ahead.

EchoStar, a US-based internet service provider, used to take about half an hour to research a single event manually, says Reid. With hundreds of alerts every day, this process was “unsustainable”.

Recorded Future started enriching their alerts with contextual data, he adds. The EchoStar team was able to reduce research time to just about eight minutes per event, and also improved the accuracy and precision of its investigations.
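To make the enrichment idea concrete, here is a small worked example of the pattern the EchoStar anecdote describes: each alert's indicators are looked up in a threat-intelligence feed, the alert is tagged with the context that comes back, and a triage priority is derived from the intel risk score and, tying back to the first essential, from whether the affected host holds the organisation's crown jewels. This is an added illustration, not Recorded Future's code or API; the alert format, the intel feed contents, the asset inventory and the scoring thresholds are all constructed assumptions.

```python
"""Added example: enriching alerts with threat-intelligence context and
crown-jewel awareness. Not Recorded Future's code; every feed entry, host
name and threshold below is an assumption constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed threat-intel feed keyed by indicator (IP, domain or file hash).
# A real deployment would pull this from a vendor feed or internal TIP.
INTEL_FEED: Dict[str, dict] = {
    "203.0.113.45": {"type": "ip", "risk": 89, "actor": "EXAMPLE-ACTOR-1",
                     "context": "C2 server seen in a phishing campaign"},
    "malicious.example": {"type": "domain", "risk": 72, "actor": None,
                          "context": "credential-harvesting page"},
    "44d88612fea8a8f36de82e1278abb02f": {"type": "hash", "risk": 95,
                                         "actor": "EXAMPLE-ACTOR-2",
                                         "context": "loader sample"},
}

# Constructed asset inventory: hosts that hold the "crown jewels" (essential 1).
CROWN_JEWELS = {"db-prod-01", "hr-fileserver"}


@dataclass
class Alert:
    alert_id: str
    host: str
    indicators: List[str]


@dataclass
class EnrichedAlert:
    alert_id: str
    host: str
    matches: List[dict] = field(default_factory=list)
    crown_jewel: bool = False
    priority: str = "low"


def score_priority(max_risk: int, crown_jewel: bool) -> str:
    """Assumed triage rule: the highest intel risk score sets the tier, and a
    hit on a crown-jewel host bumps the tier up one level."""
    if max_risk >= 80:
        tier = "high"
    elif max_risk >= 50:
        tier = "medium"
    else:
        tier = "low"
    if crown_jewel and tier != "high":
        tier = {"low": "medium", "medium": "high"}[tier]
    return tier


def enrich_alert(alert: Alert, feed=INTEL_FEED, jewels=CROWN_JEWELS) -> EnrichedAlert:
    """Attach intel context for every matching indicator and compute priority."""
    enriched = EnrichedAlert(alert.alert_id, alert.host)
    for ioc in alert.indicators:
        hit = feed.get(ioc.lower())          # feed keys are normalised to lowercase
        if hit:
            enriched.matches.append({"indicator": ioc, **hit})
    enriched.crown_jewel = alert.host in jewels
    max_risk = max((m["risk"] for m in enriched.matches), default=0)
    enriched.priority = score_priority(max_risk, enriched.crown_jewel)
    return enriched


def triage(alerts: List[Alert]) -> List[EnrichedAlert]:
    """Enrich every alert and return them highest-priority first (stable sort)."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted((enrich_alert(a) for a in alerts), key=lambda e: order[e.priority])


# Constructed sample alerts: one with no intel hit, one medium-risk hit on a
# crown-jewel host, one with two high-risk hits on an ordinary workstation.
SAMPLE_ALERTS = [
    Alert("A-1001", "workstation-17", ["198.51.100.9"]),
    Alert("A-1002", "db-prod-01", ["malicious.example"]),
    Alert("A-1003", "workstation-22",
          ["203.0.113.45", "44D88612FEA8A8F36DE82E1278ABB02F"]),
]

if __name__ == "__main__":
    for e in triage(SAMPLE_ALERTS):
        print(e.alert_id, e.host, e.priority, "crown_jewel=%s" % e.crown_jewel,
              [m["context"] for m in e.matches])
```

The analyst-facing gain is that the context an investigator previously had to look up by hand (what the indicator is, who uses it, how risky it is) arrives attached to the alert, and the queue is already ordered by a rule that accounts for what the host is worth to the organisation.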

3. Arm your analysts with updated playbooks

There’s a lot of data out there, and many different attack types and infrastructures that hackers use, Reid says. It’s nearly impossible for analysts to “innately know” what’s a threat to the organisation and what’s not, he adds.

Large organisations, in particular, must ensure that all analysts have the same ability to respond to threats. “It doesn't really matter who is there in the seat. Everyone's going to have the same capabilities and resources at their fingertips,” he says.

Playbooks can provide analysts with a set of best practices and strategies that ensure consistency, says Reid. These playbooks must be updated with the latest miscreant techniques so they do not become static.

“A really great security team keeps up to date with what the threat actors are doing and continuously evolves their playbook with new techniques, new hacker tools, new hacker infrastructure,” says Reid.

As technology leaps ahead, the game of cat-and-mouse will only grow more intense. Security teams must stand guard and keep watch for changing hacker techniques.