Today's threat landscape is larger than ever, and the speed at which an adversary can exploit gaps in a security framework keeps increasing. Faced with this dangerous combination, organizations increasingly recognize the limitations of their more traditional, reactive approach to cybersecurity: threat hunting. Typically, threat hunters look for a suspected breach or malicious actors already within their environment and attempt to mitigate the damage they may cause.
However, the very definition of threat hunting implies that the organization has already been breached before any action is taken. That is no longer enough. We need to shift businesses' mindset from mitigating ongoing threats to building a holistic overview of their environment that allows them to identify risk areas early.
New regulations, such as NIS2 and DORA, are specifically designed to make organizations more preventative and proactive in their approach to cybersecurity, with the aim of turning to this new form of risk hunting. Much more proactive in its methodology, risk hunting allows organizations to identify, evaluate and mitigate potential risks before they manifest as concrete threats. But how should companies best implement a risk hunting framework?
In which business areas should you look for risks?
As an industry, we currently lack a proper understanding of how threat actors think and therefore of what constitutes risk within an organization. This stems from not anticipating the speed at which threats evolve, meaning that organizations are always defending against old attacks rather than anticipating that evolution. NIS2, while helping to raise the baseline of fundamental security, is not detailed enough on its own to help organizations close those risk gaps. Companies need to create teams that are specifically designed to act as threat actors would and to test the limits of existing policies and frameworks.
In terms of scope, risk hunting should not focus solely on locating digital vulnerabilities that external threats could exploit. It should be as comprehensive as possible: identifying how resilient the business would be in the event of a DDoS attack or an Internet outage, for example.
What is the best approach to risk hunting?
There are numerous risk hunting methodologies, including the use of advanced analytics, threat intelligence, and anomaly detection techniques. Intelligence-based risk hunting is, from my perspective, the optimal approach. It is the process of leveraging threat intelligence to drive the search for risks. Unlike threat hunting, which uses indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs) to determine where the risk may lie or where a given attacker will exploit a potential risk, risk hunting must use indicators of attack (IOAs). These are patterns or behaviors that indicate an ongoing or imminent attack, and they help identify the TTPs used by threat actors during an attack.
There are many technologies available that help organizations map their environment and apply intelligence to identify weak points. Many companies are running digital simulations of potential attacks, for example, to understand how their security framework would withstand attacks of different magnitudes. Security teams can then modify their policies based on that intelligence to better prepare for an actual attack. So there is certainly no shortage of tools and information available to assist organizations in their search for risks. Where the gaps appear is in the skills needed to use those tools effectively and then apply them to an environment that is already very complex. Very few people have the inherent skill or knowledge to actually implement a risk hunting approach and then understand what needs to be done to mitigate the hazards it identifies.
The team best suited to the risk hunting profile is what we consider a "purple team." This would be made up of a combination of red and blue team members and their skills: red teams typically try to find vulnerabilities in an organization's framework, and blue teams help close gaps within the organization. Therefore, companies do not need to hire entirely new teams to conduct an effective audit, but rather bring together disparate teams with a combined skill set to look for internal risks together, from both a defensive and an offensive perspective. These purple teams, backed by AI technologies, can ingest the right data and find the right meaning in it to make the necessary changes and evolutions.
Make risk hunting simple and feasible
Even with the right team and tools, security teams still face an uphill battle understanding the risk data they collect. The uncomfortable truth is that both CISOs and security professionals in general are ill-equipped to hunt down risks with disparate tools that produce overwhelming amounts of disaggregated data. That data then needs to be compared and prioritized to identify common trends. The current process makes it nearly impossible to digest it and generate actionable intelligence. Siloed security tools and manual processes paint an incomplete picture of cyber risks and don't provide security teams with a meaningful way to remediate them.
In order to determine which data is relevant, CISOs must connect their multiple tools into a solution framework that can connect the dots and quantify organization-wide risk in a visual format. Data alone is not useful to a security team with limited manpower and time: by using technologies like AI, teams can crunch the numbers and come up with a clear, actionable plan to present to the board.
For too long, businesses have reacted to the cyber dangers around them. This may be due to a lack of investment in security teams or a lack of understanding of threat actors. With the arrival of NIS2 and DORA, security will move up the agenda, giving security professionals the stage to improve their security framework and drive greater investment. By looking for risks in the gaps of the current framework and presenting them in a simple and practical way, security teams will be able to cut through the noise and impress upon senior management the steps that need to be taken to comply. But risk hunting shouldn't be limited to regulations. These types of audits should be part of an ongoing cycle for security teams to stay ahead of threat actors and ensure their security framework is fit for purpose at all times.
This article was produced as part of TechRadarPro's Expert Insights channel, where we feature the best and brightest minds in today's tech industry. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc.