Threat Hunting: Is Your Security Operation Ready to Launch Such a Program?


As published in the November/December edition of InfoSecurity Professional Magazine.


It could be a blended attack as slick as a multichannel marketing campaign. Or a spontaneous crime of opportunity by a single disgruntled employee. It could even be an innocent configuration error. When a threat exists, there will be indicators. The perennial challenge is to hunt for signs in the right places and to isolate the signal from the noise. How best to find—and remove, where possible—such threats remains up for debate.


Lance Cottrell, chief scientist at Ntrepid, approaches threat hunting less as a specific set of techniques than as a set of high-level goals. “From the 50,000-foot view, we’re trying to understand the threat landscape,” he says. “Writ large, you are trying to figure out what the things are that are coming after you.”


The breadth of that mandate can make it difficult to define a threat hunting practice, or even to draw bright lines around where it borders with other security measures. For example, a specific threat identified through threat hunting may be investigated using existing general processes for incident analysis.


SEASONING THE ATTACK SURFACE


Threat hunting relies on both active and passive measures. Honeypot machines that no other system will ever legitimately connect to can be set up inside the firewall. This inward-looking measure can provide 100% confidence that every connection attempt is nefarious.
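As an added illustration of the inward-looking honeypot idea (not code from the article or from Ntrepid), the following turns flow-log traffic toward internal decoy hosts into alerts and ranks the sources that touched them. The decoy addresses, the log line format and the sample log are all constructed assumptions for this example.

```python
import re
from collections import defaultdict

# Hypothetical decoy hosts inside the firewall: nothing legitimate ever connects
# to them, so every flow toward them is worth an alert (constructed addresses).
DECOY_HOSTS = {"10.0.5.250", "10.0.7.250"}

# Constructed flow-log format: "<ts> src=<ip> dst=<ip> dport=<port> action=<allow|deny>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

def parse_line(line):
    """Parse one log line; return None for noise instead of crashing."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def decoy_alerts(lines, decoys=DECOY_HOSTS):
    """One alert per flow whose destination is a decoy. Denied attempts count
    too: the source still tried to reach a host it had no reason to know about."""
    return [rec for rec in map(parse_line, lines) if rec and rec["dst"] in decoys]

def sources_by_decoy_count(alerts):
    """Rank sources by distinct (decoy, port) pairs touched; a source hitting
    several decoys and ports looks like internal reconnaissance."""
    touched = defaultdict(set)
    for a in alerts:
        touched[a["src"]].add((a["dst"], a["dport"]))
    return sorted(((src, len(t)) for src, t in touched.items()), key=lambda x: -x[1])

SAMPLE_LOG = [  # constructed sample, not real traffic
    "2024-01-10T09:00:01Z src=10.0.1.20 dst=10.0.2.15 dport=443 action=allow",
    "2024-01-10T09:00:03Z src=10.0.1.20 dst=10.0.5.250 dport=22 action=allow",
    "2024-01-10T09:00:04Z src=10.0.1.20 dst=10.0.5.250 dport=445 action=deny",
    "2024-01-10T09:00:05Z src=10.0.1.20 dst=10.0.7.250 dport=22 action=allow",
    "2024-01-10T09:00:09Z src=10.0.3.8 dst=10.0.2.15 dport=80 action=allow",
    "garbage line that the parser should skip",
]

if __name__ == "__main__":
    found = decoy_alerts(SAMPLE_LOG)
    for a in found:
        print(f"ALERT decoy contact: {a['src']} -> {a['dst']}:{a['dport']} ({a['action']})")
    print(sources_by_decoy_count(found))
```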


Another pre-positioning measure is salting production databases with false data to mark provena ..
