Actively Protecting Your Network with Threat Hunting
Increased media exposure and changes to regulation and breach reporting (including MiFID II) have put organizational security in the spotlight and raised the reputational risk for an organization that cannot deal with a breach.
This is fundamentally shifting the focus of security from passive protection and detection techniques to actively seeking out vulnerabilities and attackers already inside the network.
This process is known as Threat Hunting.
What is Threat Hunting?
Threat Hunting is a dedicated effort to find attackers or breaches already inside your network (including those that arrive through zero-day exploits or Advanced Persistent Threats) and to deploy countermeasures against them.
Effective Threat Hunting is built on a good hypothesis: which threats your organization is vulnerable to, where those vulnerabilities are, and how attackers could take advantage of users or business processes to infiltrate your network.
To be considered a threat, an attacker must possess three traits: the intent, the capability and the opportunity to do harm.
Being aware of these threats and having the resources to hunt them will limit the damage caused if you’re infiltrated and help you protect your network from a serious breach.
Threat Hunting as Active Defense
Sometimes the best defense is a good offense, and an effective offense needs to be data-driven, capturing a picture of what is normal on your network and what is not.
That data needs to be analyzed and turned into intelligence that can inform your threat hunters and your response strategies. Without comprehensive data, you are effectively searching in the dark.
Recorded Network History
To Threat Hunt effectively, you need compelling and conclusive evidence of breaches and vulnerabilities.
The only way to get this evidence is with complete, lossless Recorded Network History. Recorded Network History captures the traffic that passes through your network down to the packet level, with nanosecond-precision timestamps, giving you a full view of what is happening on your network. NetFlow, by contrast, only records flow metadata (who talked to whom, when, and how much), so it cannot drill down into the event itself.
Packet capture from an EndaceProbe™ Analytics Platform strengthens threat hunting by:
- Providing conclusive evidence of what happened and when it happened
- Giving you the information you need to develop a strategy or plan of attack
- Letting you see variations on your network down to the nanosecond, so you can spot the patterns of an Advanced Persistent Threat

Active defense also brings pitfalls to watch for:
- False positives
- Noise that obscures real data
- Traps must be realistic enough to catch attackers, but be mindful of your own team, who can fall into them too
- If there is an attacker in your network, they may be able to hunt you within your own network
- Threat hunting should be operational, not ad hoc
- Optimize the tools you already have at your disposal before adding more
Critical to a strong defense is maintaining your infrastructure. If your infrastructure is not maintained and is full of vulnerabilities that passive defenses do not catch, it is easier to exploit your network and it creates extra work for your threat hunters.
Optimize your Threat Hunting
Threat hunting often happens at many levels of an organization, ad hoc or based, to an extent, on the gut feeling of analysts who are familiar with the network.
To optimize Threat Hunting, this ad hoc activity needs to be brought into an organizational approach in order to maximize the value of the process. This unified approach requires investment in security infrastructure and threat hunting tools (such as an EndaceFabric™), supported by buy-in from decision makers and by organizational processes. It is critical that threat hunting is understood and supported from the top down for it to continuously add value to an organization.
Once threat hunters identify the assets and information most vital to an organization and its mission, they can deploy passive defenses and hardening techniques to reduce risk and reinforce the proactive defense techniques.
Optimize your threat hunting with these simple rules of thumb:
Threat hunting should not be treated as a single state but as a progression. Optimizing your data collection process, using an EndaceProbe™ Analytics Platform, and introducing automation and machine learning to handle repeatable tasks allow threat hunters to focus on prioritized data and analysis.
Threat hunters need to be able to pivot from individual pieces of data into the links and correlations that reveal the threat. If the captured data is complete and tells the full story, hunters can use EndaceVision™ and Playback™ to examine it and gain a complete view of what is happening on your network.
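The hunt described above, from a hypothesis through flow metadata to packet-level evidence, as an added example (this is not Endace code and uses none of its products or APIs). The hypothesis is "a host is beaconing to a command-and-control server on a fixed schedule". Stage one runs over constructed NetFlow-style records and flags talker pairs whose connection start times are regular (low coefficient of variation of the gaps), which is as far as metadata can take you. Stage two pivots into constructed packet records for each flagged pair and decodes the HTTP request line and Host header, something flow records do not carry. The data deliberately includes a benign NTP poll so that the metadata stage produces a false positive that only the packet view clears up. All hostnames, addresses, payloads and function names (`find_beacons`, `pivot_to_packets`, `parse_http_request`) are assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (NetFlow-style metadata only): (start_ts, src, dst, dst_port, bytes).
# Not real traffic: one HTTP beacon, one benign NTP poll and some ordinary browsing.
FLOWS = [
    # 10.0.0.12 -> 203.0.113.7:80 roughly every 60 s with small jitter (the hunt's hypothesis)
    *[(t, "10.0.0.12", "203.0.113.7", 80, 420 + i) for i, t in enumerate(
        [1000, 1060, 1121, 1180, 1240, 1302, 1360, 1419, 1480, 1540])],
    # 10.0.0.12 -> 192.0.2.1:123 exactly every 64 s (benign NTP, a classic false positive)
    *[(t, "10.0.0.12", "192.0.2.1", 123, 76) for t in [1003, 1067, 1131, 1195, 1259, 1323]],
    # 10.0.0.5 browsing: bursty and irregular
    *[(t, "10.0.0.5", "198.51.100.20", 443, b) for t, b in
      [(1005, 5120), (1012, 8900), (1090, 3300), (1095, 61000), (1400, 2200), (1401, 9800)]],
    (1200, "10.0.0.5", "198.51.100.33", 443, 4100),
    (1260, "10.0.0.5", "198.51.100.33", 443, 3900),
]

# Constructed packet records (what full packet capture adds): (ts, src, dst, dst_port, payload).
PACKETS = [
    (1000.004, "10.0.0.12", "203.0.113.7", 80,
     b"GET /c/ping?id=7f3a HTTP/1.1\r\nHost: updates.cdn-telemetry.example\r\n"
     b"User-Agent: Mozilla/5.0\r\n\r\n"),
    (1060.003, "10.0.0.12", "203.0.113.7", 80,
     b"GET /c/ping?id=7f3a HTTP/1.1\r\nHost: updates.cdn-telemetry.example\r\n"
     b"User-Agent: Mozilla/5.0\r\n\r\n"),
    (1003.001, "10.0.0.12", "192.0.2.1", 123, bytes([0x23]) + bytes(47)),  # 48-byte NTP client packet
    (1005.010, "10.0.0.5", "198.51.100.20", 443, b"\x16\x03\x01\x00\xa5\x01"),  # start of a TLS ClientHello
]


def find_beacons(flows, min_connections=5, max_cv=0.10):
    """Stage one (metadata only). Return (src, dst, dport, mean_gap, cv) for talker pairs
    whose connection start times are regular. cv is stdev/mean of the gaps between
    successive connections; a low cv means the host calls out on a schedule."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        by_pair[(src, dst, dport)].append(ts)
    results = []
    for (src, dst, dport), stamps in by_pair.items():
        if len(stamps) < min_connections:  # too few samples to judge regularity
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            results.append((src, dst, dport, avg, cv))
    return sorted(results)


def parse_http_request(payload):
    """Pull method, path and Host header out of a plaintext HTTP request; None if it is not one."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    host = None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace")
    return parts[0].decode("ascii", "replace"), parts[1].decode("ascii", "replace"), host


def pivot_to_packets(packets, src, dst, dport):
    """Stage two. Return (ts, payload_len, parsed_http) for every packet behind one flagged
    pair: the content that decides whether the regular talker is a beacon or just NTP."""
    return [(ts, len(payload), parse_http_request(payload))
            for ts, s, d, p, payload in packets if (s, d, p) == (src, dst, dport)]


if __name__ == "__main__":
    for src, dst, dport, avg, cv in find_beacons(FLOWS):
        print(f"regular talker {src} -> {dst}:{dport} every ~{avg:.0f}s (cv={cv:.3f})")
        for ts, size, http in pivot_to_packets(PACKETS, src, dst, dport):
            print(f"  {ts}: {size} bytes, http={http}")
```

Running it flags both 10.0.0.12 pairs from metadata alone; only the pivot shows that one is a 48-byte NTP packet and the other a repeated GET to a fixed path and Host, which is the conclusive evidence the hunt needs. The thresholds (five connections, cv of 0.10) are starting points to tune against your own baseline, and on real data you would also key flows on protocol and handle hosts that retry or sleep.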
The Fusion Partner Program brings together solutions from leading security and performance analytics vendors who leverage the EndaceProbe's Application Dock hosting and workflow API to integrate Network History into their applications.
Integrating Network History into your security and performance monitoring tools puts definitive evidence at your fingertips.
Find out how fast and accurate your investigations could be.