
Risk Hunting: A Proactive Approach to Cyber Threats

Oct 30, 2024

Editor's note: A version of this article recently appeared in Help Net Security. 


“We can only see a short distance ahead, but we can see plenty there that needs to be done.”
–Alan Turing

Burning problems require cool solutions

Cybersecurity today is an overly reactive industry. Too often we act like firefighters, rushing from blaze to blaze extinguishing flames hoping to keep the damage to a minimum, rather than fire suppression experts designing environments that refuse to burn.

Just consider the litany of Detect & Respond technologies advanced by analysts and enthusiastically purchased by enterprises over the past decade. A recap: 

  • 2013 - Gartner coins the term Endpoint Detection and Response (EDR).
  • 2016 - Managed Detection and Response (MDR) comes into use to emphasize the offloading of management responsibilities.
  • 2018 - Extended Detection and Response (XDR) is introduced to describe the gathering of intelligence from multiple sources, including EDR, NDR, SIEM 3.0, an abstraction layer over SIEM, SOAR 2.0, and other resources.
  • 2019 - Network Detection and Response (NDR) combines network detection capabilities with incident response workflows.

Today there is talk of MDR, mXDR, ITDR... there is no shortage of reactive capabilities that security teams are looking to institute. But I would submit we have swung too far in this direction at the expense of more proactive risk hunting. We can’t rely solely on our SOCs to save us from cyber threats.

As evidence, take the excellent research CrowdStrike conducts on adversary breakout times, the period between an initial breach and the adversary's next move inside the environment. On average, cybercriminals break out in 62 minutes. In 2023, the company observed a record breakout time of 2 minutes, 7 seconds. The average SOC simply cannot keep up with these speeds.

[Figure: Cyber attack chain timeline] It’s a myth that attackers must only succeed once. They must be successful at every stage of the attack chain.

That means that, despite an estimated $219 billion spent on cybersecurity globally in 2023, the bulk of our investment appears focused on intrusions that have already happened, and which we are utterly ill-equipped to keep pace with.

Taking back the initiative

A more proactive approach entails sizing up your environment against known adversary tactics, techniques, and procedures (TTPs). Thankfully, the MITRE ATT&CK® framework provides excellent scaffolding from which to begin such efforts. 

Consider living off trusted site (LOTS) attacks. MITRE tells us cybercriminals are exfiltrating data via trusted sites like GitHub and OneDrive. Cybercriminals today rely less on malware and more on compromised credentials to conduct espionage, locate company crown jewels, or exfiltrate sensitive data. As the saying goes, "Attackers don't hack in. They log in." 

Instead, defenders should be focused on reducing attack surface, guarding against initial compromise, preventing lateral movement, and stopping the exfiltration of sensitive data. 
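As an added illustration that is not part of the original article or any vendor product, the following Python sketch shows the kind of detection logic a defender could run over outbound proxy logs to surface bulk uploads to the trusted sites named above. The log format, hostnames, users and byte threshold are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not from the article):
# timestamp, user, HTTP method, destination host, bytes sent by the client.
SAMPLE_LOG = """\
2024-10-30T09:01:12Z alice PUT api.github.com 4500
2024-10-30T09:02:40Z alice PUT api.github.com 180000000
2024-10-30T09:05:03Z bob GET onedrive.live.com 1200
2024-10-30T09:06:15Z bob PUT onedrive.live.com 95000000
2024-10-30T09:07:30Z bob PUT onedrive.live.com 80000000
2024-10-30T09:10:00Z carol POST intranet.example.internal 2000
"""

# Trusted services the article cites as LOTS exfiltration channels.
# The exact hostnames are assumptions for this example.
TRUSTED_SITES = {"github.com", "api.github.com", "onedrive.live.com"}
UPLOAD_METHODS = {"PUT", "POST"}
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|PUT|POST) (\S+) (\d+)$")


def parse(log_text):
    """Turn raw log text into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, method, host, sent = m.groups()
        events.append({"ts": ts, "user": user, "method": method,
                       "host": host, "bytes": int(sent)})
    return events


def upload_totals(events):
    """Sum bytes uploaded per (user, host) for upload methods to trusted sites only."""
    totals = defaultdict(int)
    for e in events:
        if e["method"] in UPLOAD_METHODS and e["host"] in TRUSTED_SITES:
            totals[(e["user"], e["host"])] += e["bytes"]
    return dict(totals)


def flag_exfiltration(events, threshold_bytes=100_000_000):
    """Return (user, host) pairs whose upload volume meets the threshold (assumed 100 MB)."""
    return sorted(k for k, v in upload_totals(events).items() if v >= threshold_bytes)


if __name__ == "__main__":
    for user, host in flag_exfiltration(parse(SAMPLE_LOG)):
        print(f"review: {user} uploaded a large volume to {host}")
```

Downloads (GET) and uploads to internal hosts are ignored, so only the pattern the article describes, large outbound transfers to a trusted external site, is surfaced for review.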

Crucially, this depends on understanding your adversary and their motivations. State-backed actors concerned with intellectual property theft will have the wherewithal to bide their time until they can exfiltrate strategically relevant data. Financially motivated cybercriminals may feel more pressure to prove their efforts can pay off monetarily. Ideologically motivated actors, on the other hand, may be more likely to pursue distributed denial of service (DDoS) attacks to inflict maximum downtime.

Who would have the most interest in your organization? Your defense strategy should reflect the answer. More patient adversaries require more patient defense. 

[Figure: Defense in depth diagram] Defense in depth should be made up of a variety of threat protection techniques.


To adopt a more proactive approach to cybersecurity, consider:

  • Deception/negative trust – Employing honeypots and lures to catch attackers searching for crown jewels they might extort for financial or strategic leverage is a straightforward way of catching actors unfamiliar with your environment.
  • Risk management – Using AI to tell you where your environment may be exposed, based on your internet-facing attack surface, misconfigurations, and the common TTPs used to exploit environments similar to your own.
  • Inline sandboxing – A common procedure in cybersecurity, detonating a suspicious file in a controlled and isolated environment before it reaches the user is a classically proactive approach.
  • Browser isolation – Eliminate the endpoint’s browser attack surface by placing the browser in a sandbox of its own. Disable copy/paste, and prevent drive-by downloads and other browser-based attacks, by rendering internet content in a virtual environment.
  • Enabling zero trust network access – Each resource request is a new opportunity to proactively check a user, workload, or device for authentication and authorization, i.e. to actively verify that the entity has both proven its identity and been approved to access that resource.

Apart from these tactical initiatives to elevate your proactivity in terms of risk hunting, I recommend the following more strategic concerns:

  • Objective-based proactive defense – Begin with an outcome you would like to achieve. This could entail patching any vulnerability that's been exploited in the wild, or reducing your attack surface—assets exposed to the internet—by x percentage.
  • Adopt an attacker’s mindset – Recall the last story you've heard recounting a breach. It could be from a professional colleague or one from the headlines. Could you pull off the same in your own environment? If not, what would prevent an adversary from achieving success? If so, how could the source of your risk be addressed?
  • Breach attack simulation – Breach attack simulation (BAS) solutions are a good way to discover gaps in the attack chain so you can mitigate them prior to an actual incident. There are a number of open-source and proprietary options for organizations looking for more realistic simulations than tabletop exercises and that can add to existing penetration testing efforts.

This is not to suggest that there is no place for more reactive tactics like EDR or vulnerability management, merely that we have become overly obsessed with our reactive capabilities at the expense of a healthy balance between responding to alerts and proactively addressing areas of risk.

One thing we know: risk is all around us. Happy hunting. 
