It’s an unprecedented time to be in the world of cyber defense. Malicious actors are becoming more aggressive both in scope and frequency. The public is asking why they need a new credit card every month. The President is saying the word “cyber” in his speeches. And new technologies, policies, and markets are being formed to combat what is quickly becoming a pandemic issue.
A big question looms in 2015: “Are we doing enough?”
Does anyone feel like 2014 was better for the “good guys” than 2013 was? We saw the headline-making breaches that you’re probably already sick of hearing about. We saw cyber capabilities toe the line between cyber terrorism and cyber war, and we saw the increase in surface area through attacks on mobile, OS X, automobiles, and medical devices. Given all that, it may be tough to argue that 2014 was a good year for the “good guys.”
So, now, let’s ask the most important question: “What can we do about all of this in 2015?”
It’s certainly going to take more than this blog post to secure our environments and data, but there is one mindset shift that I would like you to consider: moving from “threat hunting” to “risk hunting.”
“Threat hunting” was a relatively popular term in 2014. Teams have shifted from the firefighter mentality (mostly on call until it’s time to spring into action) to the police officer mentality (on call but also on the beat, looking for problems and unusual activity). Or, at the very least, they’re waking up to the fact that they should be shifting toward hunting. This is a great thing. We have to assume compromise, and we have to be scouring our systems all the time to find the malicious actor or the piece of malware that just hasn’t been detected by our systems. But let’s not stop there.
It’s time to move to “risk hunting.” You might be saying, what’s the difference? Well, to some, maybe there is no difference. But I’d recommend that you start looking for activity, events, behaviors, and configurations that create risk for your business. Threats (or the indications of threats) are a subset of this, but we need to start being detectives who search for indicators of risk rather than only indicators of compromise (or indicators of attack). Indicators of risk still include things like network connections to a command-and-control site or a known-bad binary executing on your endpoint. These items are concrete risks to your business. But let’s go beyond that. Let’s look for those poor Web-surfing habits, those misconfigurations in your access control lists, and the holes in your network segmentation. None of these would really count as indicators of compromise, but they are indicators of risk.
It’s time to embrace the role of fire marshal. We still need to respond quickly when the alarm sounds. We still need to be the police officer who is out on the beat looking for crimes and getting to know the neighborhood. And we also need to be predicting what designs and activities will create unsafe environments and lead to incidents.
We also need to harden our systems, segment our networks, reduce access, create audit trails, and then still have security teams hunting for risks and activities that are increasing the probability of loss.
Finally, continuous iteration and improvement—found virtually everywhere in the software world these days—should be incorporated in this notion of risk hunting. Go out, hunt risk, find what needs to be addressed, and repeat.
Never be satisfied with your defensive posture. The bad guys are still out there in force, and very few of them are being prosecuted. It’s up to us to change the economics so that, for the majority, cyber crime will not pay.
Here’s to hoping that at the end of 2015 we can actually say: “Wow, this year was better for the defenders, the ‘good guys.’”