Risk hunting: A proactive approach to cyber threats

Cybersecurity is an overly reactive industry. Too often we act like firefighters, rushing from blaze to blaze and extinguishing flames in the hope of keeping the damage to a minimum, rather than like fire suppression experts designing environments that refuse to burn.

Just consider the litany of “detect and respond” technologies advanced by analysts and enthusiastically purchased by enterprises over the past decade. A recap:

  • 2013 – Gartner coins the term Endpoint Detection and Response (EDR)
  • 2016 – Managed Detection and Response (MDR) comes into use to emphasize the offloading of management responsibilities
  • 2018 – Extended Detection and Response (XDR) is introduced to convey the gathering of intel from multiple sources including EDR, NDR, SIEM 3.0, abstraction layer over SIEM, SOAR 2.0, as well as additional resources.
  • 2019 – Network Detection and Response (NDR) emerges, combining detection capabilities with incident response workflows.

Today, there is talk of MDR, mXDR, ITDR…there is no shortage of reactive capabilities security teams are looking to institute. But I would submit that we have swung too far in this direction at the expense of more proactive risk hunting. We can’t rely solely on our SOCs to save us from cyber threats.

As evidence, take the excellent research CrowdStrike conducts on adversary breakout times – the period it takes to act after an initial breach. On average, cybercriminals break out in 62 minutes. In 2023, the company observed a record breakout time of 2 minutes, 7 seconds. The average SOC simply cannot keep up with these speeds.

It’s a myth that attackers must only succeed once. They must be successful at every stage of the attack chain.

The bulk of our cybersecurity investment appears focused on intrusions that have already happened and which we are utterly ill-equipped to keep up with.

Taking back the initiative

A more proactive approach entails sizing up your environment against known adversary tactics, techniques, and procedures (TTPs). Thankfully, the MITRE ATT&CK framework provides excellent scaffolding from which to mount such efforts.

Consider living off trusted site (LOTS) attacks. MITRE tells us cybercriminals are exfiltrating data via trusted sites like GitHub and OneDrive. Cybercriminals today rely less on malware and more on compromised credentials to conduct espionage, locate company crown jewels, or exfiltrate sensitive data. As the saying goes, “Attackers don’t hack in. They log in.”
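One way to hunt proactively for the LOTS exfiltration pattern described above, as an added example that is not part of the original article: it baselines each host's daily upload volume to trusted sites and flags hosts whose latest day far exceeds their own history. The log records are constructed, and the record layout, domain suffixes and thresholds are assumptions.

```python
from collections import defaultdict
from statistics import median

# Trusted destinations named in the article; the exact suffixes are assumptions.
TRUSTED_SUFFIXES = ("github.com", "onedrive.live.com")

# Constructed proxy records: (ISO day, source host, destination, bytes uploaded).
SAMPLE_LOG = [
    ("2024-05-01", "dev-01", "github.com", 40_000_000),
    ("2024-05-02", "dev-01", "github.com", 55_000_000),
    ("2024-05-03", "dev-01", "github.com", 48_000_000),
    ("2024-05-04", "dev-01", "api.github.com", 60_000_000),
    ("2024-05-01", "hr-07", "onedrive.live.com", 2_000_000),
    ("2024-05-02", "hr-07", "onedrive.live.com", 1_500_000),
    ("2024-05-03", "hr-07", "onedrive.live.com", 2_500_000),
    ("2024-05-04", "hr-07", "github.com", 900_000_000),
    ("2024-05-04", "hr-07", "intranet.example", 5_000_000_000),
]

def is_trusted(dest):
    """Match the domain itself or a subdomain, never an arbitrary substring."""
    return any(dest == s or dest.endswith("." + s) for s in TRUSTED_SUFFIXES)

def hunt_lots_uploads(log, ratio=10.0, min_bytes=100_000_000):
    """Return hosts whose latest daily trusted-site upload dwarfs their baseline."""
    daily = defaultdict(lambda: defaultdict(int))  # host -> day -> bytes
    for day, host, dest, sent in log:
        if is_trusted(dest):
            daily[host][day] += sent
    findings = []
    for host, per_day in daily.items():
        days = sorted(per_day)  # ISO dates sort chronologically as strings
        latest = per_day[days[-1]]
        history = [per_day[d] for d in days[:-1]]
        baseline = median(history) if history else 0  # no history: baseline 0
        if latest >= min_bytes and latest >= ratio * max(baseline, 1):
            findings.append((host, days[-1], latest, baseline))
    return sorted(findings, key=lambda f: f[2], reverse=True)

if __name__ == "__main__":
    for host, day, latest, baseline in hunt_lots_uploads(SAMPLE_LOG):
        print(f"{host} {day}: {latest:,} B uploaded vs median {baseline:,} B/day")
```

A developer workstation that pushes to GitHub every day stays below the ratio, while a host with little or no upload history that suddenly sends hundreds of megabytes is surfaced for review.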

Defenders should be focused on reducing attack surface, guarding against initial compromise, preventing lateral movement, and stopping the exfiltration of sensitive data.

Crucially, this depends on understanding your adversary and their motivations. State-backed actors concerned with intellectual property theft will have the wherewithal to bide their time until exfiltrating strategically relevant data. Financially motivated cybercriminals may feel more pressure to prove their efforts can pay off monetarily. Idealistically motivated actors may, on the other hand, be more likely to pursue DDoS attacks to inflict maximum downtime.

Who would have the most interest in your organization? Your defense strategy should reflect the answer. More patient adversaries require more patient defense.

Defense in depth should be made up of a variety of threat protection techniques.

To adopt a more proactive approach to cybersecurity, consider:

  • Deception/negative trust – Employing honeypots and lures to catch attackers in search of crown jewels is a straightforward way of catching actors unfamiliar with your environment.
  • Risk management – Using AI to tell you where your environment may be vulnerable, based on exposed attack surface, misconfiguration, and common TTPs used to exploit environments similar to your own.
  • Inline sandboxing – A common procedure in cybersecurity, detonating a suspicious file in a controlled and isolated environment is a classically proactive approach to cybersecurity.
  • Browser isolation – Eliminate the endpoint’s browser attack surface exposure by placing it in a sandbox of its own. Disable copy/paste functionality and prevent drive-by downloads and other browser-based attacks by simulating internet access in a virtual environment.
  • Enabling zero-trust network access – Each resource request is a new opportunity to proactively probe a user, workload, or device for authentication and authorization, i.e., to actively confirm that an entity has both proven its identity and been approved to access a resource.

Apart from these tactical initiatives to elevate your proactivity in terms of risk hunting, I recommend the following more strategic concerns:

  • Objective-based proactive defense – Begin with an outcome you would like to achieve. This could entail patching any vulnerability that’s been exploited in the wild or reducing your attack surface (assets exposed to the internet) by x percent.
  • Adopt an attacker’s mindset – Recall the last story you’ve heard recounting a breach. It could be from a professional colleague or one from the headlines. Could you pull off the same in your own environment? If not, what would prevent an adversary from achieving success? If so, how could the source of your risk be addressed?
  • Breach attack simulation – Breach attack simulation (BAS) solutions are a good way to discover gaps in the attack chain so you can mitigate them prior to an actual incident. There are several open-source and proprietary options for organizations that want more realistic simulations than tabletop exercises and that want to add to existing penetration testing efforts.

This is not to suggest that there is no place for more reactive tactics like EDR or vulnerability management. It is merely to say that we have become overly obsessed with our reactive capabilities at the expense of a healthy balance between responding to alerts and proactively addressing areas of risk.

Happy hunting!
