As we have said time and time again, when it comes to protecting corporate cybersecurity, companies must not limit themselves to acting when cyberattacks happen; they need to act long before those attacks pose a threat. What’s more, they need to act proactively, not confining themselves to preventing known threats, but studying the new tactics that cybercriminals intend to use to endanger the company’s security.
This is why Threat Hunting is gaining a reputation as a way to protect a company’s cybersecurity: companies must work on their defenses long before they are needed, and rethink the way they detect possible threats.
The light and shade of Threat Hunting
However, it is one thing to be sure of the need to turn to Threat Hunting, but quite another to do it efficiently. This gap between conviction and practice is noted in the 2018 Threat Hunting Survey, recently published by SANS, which reflects the fact that companies have been adopting this trend in recent years.
More precisely, 43% of the companies surveyed continually carry out operations of this kind as part of their cyber-risk prevention tactics, while 65% predict greater investment in these kinds of tools over the next two years.
The study confirms the extent to which cybercrime has reinvented itself in the last few years: when companies came across new threats that could have resulted in cyberattacks, 49% found that the vast majority of these threats were previously unknown.
The response to hackers and insiders
The key to Threat Hunting lies in its proactivity: it works proactively and iteratively to locate new threats, design possible responses, and in this way neutralize them and keep them from circumventing a company’s cybersecurity.
However, not all companies work along the same lines. According to the SANS report, 37.3% of companies act reactively, when the threat has already got in, is already visible, or when the company already suspects that particular threat. What’s more, the report reveals that there are two categories of companies that use Threat Hunting more frequently. The second of these categories is companies that have previously experienced an attack that has obliged them to reinforce their fight against cybercrime.
In any case, when it comes to approaching Threat Hunting, the report states that 90.3% of the companies consulted use standard tools, although a growing number of companies are working with customizable tools (61.9%) or using technological solutions provided by expert cybersecurity companies (32.5%). In this sense, Panda Security’s cybersecurity experts are constantly perfecting the machine learning system that enables the Threat Hunting and Investigation service included with Panda Adaptive Defense to warn of anomalous activities and behaviors from users, applications, and devices. As a result of this monitoring, we are able to discover new threats as they appear, and design responses to stop them before they even get through the doors of the company’s IT security.
Human actions are fundamental
There is another factor that is vital in anticipating these kinds of attacks: human action. The Threat Hunting and Investigation service aims to detect possible threats that, because they are so new, are able to evade current cybersecurity solutions. But dealing with this novelty requires an element that must be taken into account: the Threat Hunter.
The SANS report stresses the fact that these types of actions “are driven by people, and as such tools must complement those efforts instead of seeking to replace them. Threat hunting cannot be completely automatized, but rather automatization must significantly increase the effectiveness of the threat hunters.” Panda Security’s Threat Hunters identify and validate known and unknown malware and malwareless attacks in real time.
What’s more, anomalous behaviors in an IT system do not necessarily pose a threat. A simple example: an e-commerce website may face a much higher volume of operations at certain times of year. This means that the Threat Hunter’s job also involves applying common sense to decide whether an exponential increase in processes is due to a possible threat or, on the contrary, is a normal increase in traffic and volume of operations of the kind seen, for example, around Christmas.
Hence, the job of the Threat Hunters is to make use of technology to monitor and analyze system activity, detect anomalous behavior, and thoroughly check whether this anomaly entails a real risk or is a false positive. Panda Security’s aim is for our solutions to automatically classify 99.98% of threats, leaving just 0.02% of them to our analysts. This way we can focus on the really dangerous attacks.
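The Christmas example above, and the triage step that follows it, can be made concrete. The following is an added example written for this article; it is not code from the post or from Panda Security's products. It scores a daily order count against a flat 30-day baseline (which alarms on the December surge) and then asks whether the same calendar week one year earlier reached the same level, suppressing the seasonal spike while keeping a genuine off-season one. The order counts are a constructed synthetic series, and `Z_THRESHOLD`, `YOY_TOLERANCE` and `WINDOW_DAYS` are assumed tuning values a hunter would adjust.

```python
"""Seasonality-aware triage of a volume spike.

Added example, not code from the article or from Panda Security. It models the
Christmas case described in the text: a flat baseline alarms on the December
surge, so a second check asks whether the same week last year reached the same
level. All order counts are constructed; the thresholds are assumed values.
"""
from datetime import date, timedelta
from statistics import median

Z_THRESHOLD = 3.0     # assumed: robust z-score above which the flat baseline alarms
YOY_TOLERANCE = 0.25  # assumed: allowed excess over last year's same-week peak
WINDOW_DAYS = 30      # assumed: length of the flat rolling baseline


def build_series():
    """Constructed daily order counts for 2020-2021: 1000-1120/day with a weekly
    ripple, a shopping surge on 10-26 December each year, and one genuine
    off-season spike on 2021-03-14 that a hunter should still see."""
    series = {}
    for year in (2020, 2021):
        day = date(year, 1, 1)
        while day.year == year:
            value = 1000 + (day.toordinal() % 7) * 20
            if day.month == 12 and 10 <= day.day <= 26:
                value += 2200
            series[day] = value
            day += timedelta(days=1)
    series[date(2021, 3, 14)] = 3000
    return series


def robust_z(series, day):
    """Deviation of `day` from the median of the previous WINDOW_DAYS days, in
    units of scaled MAD. Median/MAD rather than mean/stddev, so that surge days
    already inside the window do not drag the baseline up with them.
    Returns 0.0 when the window is incomplete."""
    window = [series.get(day - timedelta(days=k)) for k in range(1, WINDOW_DAYS + 1)]
    if any(v is None for v in window):
        return 0.0
    med = median(window)
    mad = median([abs(v - med) for v in window]) or 1.0
    return (series[day] - med) / (1.4826 * mad)


def last_year_peak(series, day):
    """Highest count in the same calendar week (+/-3 days) one year earlier,
    or None when there is no prior-year data to compare against."""
    try:
        anchor = day.replace(year=day.year - 1)
    except ValueError:  # 29 February
        anchor = day.replace(year=day.year - 1, day=28)
    ref = [series[d] for d in (anchor + timedelta(days=k) for k in range(-3, 4)) if d in series]
    return max(ref) if ref else None


def triage(series, day):
    """'normal'   : no surge against the flat baseline
       'seasonal' : surge, but last year's same week reached this level (suppress)
       'anomaly'  : surge with no seasonal precedent (hand to the hunter)
    Only upward spikes are scored, matching the increase-in-volume case above."""
    if robust_z(series, day) < Z_THRESHOLD:
        return "normal"
    peak = last_year_peak(series, day)
    if peak is not None and series[day] <= (1 + YOY_TOLERANCE) * peak:
        return "seasonal"
    return "anomaly"


def hunt(series, year):
    """Group every day of `year` by triage outcome."""
    out = {"normal": [], "seasonal": [], "anomaly": []}
    for day in sorted(d for d in series if d.year == year):
        out[triage(series, day)].append(day)
    return out


if __name__ == "__main__":
    result = hunt(build_series(), 2021)
    print("seasonal days suppressed:", len(result["seasonal"]))
    print("anomalies for the hunter:", [d.isoformat() for d in result["anomaly"]])
```

Run on the constructed series, the flat baseline alarms on the whole December run, the year-over-year check quietly suppresses it, and the only day left for an analyst is the March spike. The same structure applies to any volume metric with a known calendar: the design choice is that the second baseline encodes business context (last year's peak) that a purely statistical baseline cannot know.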
When it comes to protecting a company’s corporate cybersecurity, no effort is too great. In the fight against cybercrime, the best solution is human action, technological solutions, prevention, and a proactive search for possible threats.