With South Africa being a favoured target for cyber attackers globally, and with the threats growing in both volume and sophistication, local organisations must do more to mitigate against these attacks. In addition to increased automation in threat detection and response, and active threat hunting, carrying out cyber attacks on oneself in order to improve both internal skills and overall security posture is gaining in popularity.
Traditionally, organisations had focused on security information and events management (SIEM), which uses a variety of products and tools that combine both security information management and security event management. SIEM pulls together log files generated from firewalls and other services across a network, giving IT personnel the necessary information needed to respond and recover from a cyber threat, or to identify something that could potentially be a threat.
While this has served well in the past, much more is needed to tackle growing challenges such as ransomware that can stay dormant on your digital infrastructure for months before becoming active and encrypting an organisation’s data. Until then, the ransomware can behave like any other legitimate application and avoids detection; it is only when it tries to encrypt or manipulate data or engages in privilege escalation that it is seen as a threat by endpoint detection and response (EDR) tools. By that time, it might already be too late to fully mitigate the threat.
The first step to mitigating against such threats is to also make use of security orchestration, automation and response. This allows for increased automation when it comes to threat hunting, as organisations can look for patterns in data that is pulled from multiple repositories in order to identify and neutralise potential threats – and in a significantly shorter duration than had it been a manual process.
In essence, SIEM picks up that there is an issue, while the SOAR quickly takes action in resolving the issue, or even engages in active threat hunting.
Apart from EDR, which focuses only on the end-user devices, organisations are increasingly looking at network detection and response (NDR). While basic NDR functions can be carried out using firewalls, the process can be enhanced by using specialised tools such as Darktrace and ExtraHop. These tools closely monitor the network layer, as well as communication between devices and the network in order to identify threats at that level.
This includes identifying trends in the data usage of applications, which can help uncover hidden threats that might be lying dormant on a network. For example, if a file server has an average traffic of 1GB per day, discovering a huge increase in the data traffic can be a telltale sign of ransomware or malware being active on your system and sending data back to the threat actor before causing malicious damage to your data or network.
Being proactive about cybersecurity can be as simple as monitoring reports from email security tools that are designed to block emailed malware as well as phishing or even spear phishing attacks. While the tool might be doing its job successfully in protecting the network and users from attacks through this medium, taking a closer look at reports will help the security teams understand whether these events are sustained, suggesting that someone is actively targeting the organisation in order to gain unauthorised access.
Cybersecurity testing exercises
As part of efforts to sharpen their active threat hunting capabilities, organisations are carrying out cybersecurity testing exercises, using two or more internal teams, in order to uncover loopholes in their network or security systems and to improve the level of skill of their cybersecurity personnel.
Traditionally, these exercises involve red team and blue team engagements, where the red team are penetration testers or white hat hackers who look to exploit vulnerabilities within an organisation’s defences, including its network and endpoint devices, while a blue team comprises the people who are responsible for protecting its data and network, as well as active threat hunters.
However, these engagements now include a purple team, which sits on the fence, so to speak, and oversees these engagements. In addition, they will advise both sides on how to attack or defend better, and make sure that the best strategies are being used during these engagements in order to build skills and develop best practices.
These exercises also help test the readiness of both an organisation’s computer emergency response team (CERT), which includes IT professionals who handle all the incident response and mediation, as well as computer security incident response team (CSIRT), which is a cross-functional team within the business that brings together members from IT, senior leadership, legal, marketing and communications and others in order to formulate a comprehensive and holistic response to a cyber security incident.
Companies are also increasingly gamifying these security exercises in order to improve participation and engagement and provide a platform for continuous learning that ensures the organisation is better equipped to combat cyber threats. Depending on the size and nature of the business, these engagements can be carried out quarterly or even on a monthly basis.
In all, while active threat hunting has been around for a while, the practice has matured over the last few years to the point where it has come to the fore as a crucial cybersecurity defence mechanism for any organisation.
In a landscape of growing cyber threats, organisations need to be more proactive and need to address issues that are not normally classified as threats but are still suspicious in nature, with new metrics being continually added to the profiling to ensure that they stay ahead of the curve in adequately protecting themselves.