Threat Hunting vs Reactive Security: Why Proactivity Matters

As companies evolve and grow larger, so do their technology and networks. Although this is an expected business growth effect, an extensive network requires dedicated attack surface management.

Companies must implement multiple layers of protection to secure devices, data, networks, and people. In addition to the massive scaling of business networks, malicious actors are continuously developing more sophisticated cyber attacks to try and find exploitable vulnerabilities and penetrate an organization's network defenses.

Battling both Common Vulnerabilities and Exposures (CVE) and unknown cyber threats is impossible to achieve via a reactive security approach alone. It might be enough for common, known threats but will leave your network vulnerable to various advanced threats - zero-day vulnerabilities, advanced persistent threats (APTs), and sophisticated attack vectors. This is why combining reactive security with a proactive approach is best.

Below, we will explore reactive and proactive security, how they work, their implementations, and the best practices to employ from both approaches.

Reactive security uses cybersecurity tools and best practices to build robust defenses against common attack approaches and cyber threats. It also enables detecting malicious activity when ill-intended third parties penetrate your network defenses and gain unauthorized access to your system.

The most common reactive security features include firewalls, antivirus, and spam filters, realistic vulnerability assessment, and a disaster recovery plan.

Reactive security is best used to deal with more traditional cyber attacks. It relies on intrusion detection systems and indicators of compromise (IoCs) to pinpoint malicious activity, taking action after the fact. As attackers usually take more time to damage a system than the incident response to kick in, reactive security helps prevent negative impact from known viruses and malware. Even if a security incident occurs, you can detect and counter the attackers.

Even if reactive security is worse equipped to tackle sophisticated threats than proactive security, companies should still implement sensible reactive security practices to optimize their cybersecurity strategy. Let's explore some of the most common and effective approaches to reactive security below.

A Disaster Recovery Plan (DRP) outlines the steps organizations must take following a cyber attack. It comprises all policies, procedures, and tools to help a business recover after a cyber attack, natural disaster, or data breach. Adequate DRP should include identifying and classifying critical and sensitive data assets, an inventory of all company resources, general and cybersecurity crime insurance, authorized key personnel to assist in a DR scenario, emergency response actions, media and legal response plan, and more.

Even if threat actors penetrate the company network security and cause a severe data breach, a robust disaster recovery plan will minimize the damage, avoid any panic, help resume normal operations quickly, and, ultimately, ensure an optimized revenue flow.

Vulnerability assessment (or vulnerability analysis) is a systematic approach used to detect, evaluate, prioritize, and propose mitigation and remediation of security vulnerabilities on a target network or system. Vulnerability assessment's primary focus is to review all security weaknesses in a company's IT system.

The approach typically comprises four primary steps:

• Security testing

Used to discover all vulnerabilities in a target application, server, or an entire system.

• Vulnerability analysis

Used to determine the root cause(s) for existing vulnerabilities.

• Risk assessment

Used to categorize and prioritize security flaws based on data sensitivity and systems affected, attack potential, and the potential damage associated with a successful attack.

• Remediation

Used to outline proper steps and mitigation practices to implement in a specific order to remediate security gaps.

Vulnerability assessment is a complex methodology comprising many processes. Some can be considered reactive, while others - proactive. However, as all VA tactics focus primarily on existing vulnerabilities, they are perceived as reactive security measures.

Security incidents can quickly escalate to a full-blown data breach if mishandled. Such a breach may cause a collapse of operations and ranging financial losses. Incident response focuses on policies and procedures to address and mitigate a cyber attack and its potential aftermath.

A robust IR plan typically comprises six stages:

• Preparation

An efficient IR plan outlines the steps companies need to take in advance to counter disruptive events. IR planning begins with a proper data breach mitigation plan.

In the preparation phase, organizations should align data protection policies with cybersecurity goals and IT infrastructure defenses. You must ensure that all company employees are aware of the required IR training; you should also perform a comprehensive system audit to ensure sensitive data is adequately secured.

• Malicious activity identification, detection, and response

After preparation, your company should create a reliable vulnerability identification process to detect when systems have been compromised. If you can detect a security breach early enough, you will be better equipped to mitigate the attack. Even if you can't mitigate cyber threats completely, you'd be able to expedite the detection and response process to minimize damage and save time and money.

When analyzing a security incident, you should focus on who discovered the breach, its extent, how it affects your operations, and the source (root cause) for the compromise.

• Containment and mitigation

Containment relates to the steps your company takes to mitigate the damage after a breach. Depending on the incident scenario, you may need to isolate compromised endpoints or data or remove a malicious actor from your systems. During the containment phase, you should be able to determine whether to keep a system online or delete it; also, you should know the potential immediate steps you can take to close vulnerabilities.

• Eradication

The eradication phase of an incident response plan focuses on fixing the vulnerabilities that enabled the breach in the first place. The specific steps you take will depend on the attack scenario. However, your IR plan should outline processes capable of identifying how data was compromised and how to eradicate the security risk in all potential scenarios.

Suppose your systems were infected by malware. You would remove the malicious code and isolate all affected devices, apps, and systems from your primary network. If an attacker managed to breach network security via compromised employee credentials, you would immediately freeze the corresponding account.

• Data and system recovery

Once you've removed the threat, you can focus on restoring your systems. Depending on the severity of the attack and the complexity of your environment, this process can be challenging. A dedicated IR plan should eliminate the risk of similar attacks succeeding to further neutralize threats and negate cumulative damage.

You should test and monitor all affected systems once remediation is complete. This will ensure that your incident response measures worked as intended and give you the time to correct any persistent vulnerability flaws.

• IR reports and summary

Once you've completed the previous step, your security teams should review the incident and identify opportunities for improving it. Your IR team should evaluate which parts of your IR plan worked and which encountered issues.

Assessing every step of the process is critical - discuss what happened, why it happened, how you managed to contain the situation, and what could have been executed differently. It's essential to pinpoint gaps in your plan and determine whether it is easy to understand and follow.

Typically, it's best to evaluate a past incident a week or two after its occurrence so your teams can have enough time to consider the situation from every angle, with the incident still fresh in their memory.

The primary purpose of the last stage is to identify issues and gaps in your IR plan, call out responsible members for mistakes made, and ensure that inefficiencies won't occur in the future. If the IR process didn't go as planned, this might indicate unclear documentation, insufficient staff training, or poorly outlined response actions.

However convenient, reactive security has one major disadvantage. Threat actors design and enhance sophisticated threats that often target unknown vulnerabilities and go unnoticed by traditional security solutions. If such a threat bypasses network security, your entire IT environment may be compromised. And by the time reactive tools react to it, you may already be experiencing security breaches leading to data loss, downtime, and hindered business processes. This is why it's critical to employ proactive security measures in addition to traditional cybersecurity means.

Let's explore what that is, how it works, and how to implement it most efficiently in your business.

Threat hunting (or "cyber threat hunting") is a proactive security approach focused on the detection and response to potential threats lurking in your network. A cyber threat hunting program will monitor endpoint activity, collect telemetry data, look for indicators of attack (IoAs), and analyze gathered threat intelligence to pinpoint suspicious activity and remediate threats before they become a full-blown data breach.

If attackers gain access to your system, they can remain hidden for months, meticulously collect security data and confidential materials, or obtain login credentials to infiltrate your entire network. If an attacker causes a security breach, your organization will need a reliable, proactive security strategy to hunt down advanced threats and stop them in their tracks.

In today's threat landscape, threat hunting is necessary to ensure suspicious activity detection, long-term risk assessment, and security vulnerability identification.

Cyber threat hunting combines big data processing power with the human element. Here, we have automated security tools collecting immense amounts of endpoint activity data to detect, identify, and investigate potential threats and alert human threat hunters of possible remediation and incident response actions.

A successful threat-hunting program will procure complex security incident investigation to study cyber actors' tactics, techniques, and procedures (TTP) to present security professionals with in-depth knowledge of an ongoing attack. It will also assist in attack surface management, penetration testing, vulnerability assessments, endpoint detection and response, and data loss prevention strategies.

As automated threat hunters rely on machine learning to investigate all attack surface components on your network, they can bypass the human-error factor in detecting threats. Nevertheless, proactive threat hunting relies on your security teams to follow up on reliable findings and mitigate threats as quickly as possible.

Threat hunters assume that an attacker is already in a target system, so they initiate threat intelligence investigations to pinpoint suspicious behavior that may be linked with malicious activity. Typically, threat-hunting investigations are divided into three primary categories.

This approach combines extensive data analysis and machine learning to analyze massive amounts of information to detect suspicious activity that may suggest malicious actions. Once anomalies have been detected, security teams can start threat hunting to neutralize potential threats.

This threat-hunting approach often relies on new threat data identified as malicious through a large volume of crowdsourced threat intelligence, presenting insights into the potential attackers' tactics, techniques, and procedures (TTP).

Once the security technology identifies a new TTP, threat hunters will inspect their own environment for the specific TTP indicators and mitigate potential risks.

Dedicated threat hunting can utilize tactical threat intelligence to keep an inventory of all known indicators of compromise (IoCs) and indicators of attack (IoAs) associated with the current cyber threat pool.

All cataloged IoCs and IoAs will act as triggers that alert cyber threat hunters of potential ongoing attacks or unusual network traffic on the target system. However, relying on compromise threat indicators is more of a reactive security measure. (such an intel-based approach will also check hash values, IP addresses, and domain names)

Being "proactive" relates to anticipating future needs, issues, changes, or problems and taking action appropriately. When it comes to cyber threats, proactive security means the same - it encompasses everything you need to do before an attack can occur on your network. Unlike reactive security, which responds to an attack after it has already taken place, proactive security focuses on countering attacks in the first place.

Proactive security methods comprise all processes and activities carried out regularly within a company to prevent risks. Such processes can include:

• Identifying and patching network infrastructure vulnerabilities to deny security gaps
• Preventing security and data breaches
• Regular vulnerability assessments and security testing
• Penetration testing

Designing a stellar cyber threat-hunting program is a complex and highly intensive process. Companies should aim to streamline critical tasks to ensure fidelity and scalability. While modern threat-hunting tools will make a significant difference, taking a well-organized, adequately structured approach to threat-hunting is essential.

For a threat hunter to be effective, companies need to procure the required preparation. Gathering information, deciding on threat hierarchy, and outlining threat mitigation approaches are crucial.

Let's explore how to break the process down to save time and resources.

The first phase of a robust threat-hunting plan is critical information inventorization. Companies should perform a cyber threat analysis to address relevant data on the company network, where it is located, who can access it, and what defenses are in place to protect it.

Gathering as much security data as possible before threat hunters initiate the program will ease and quicken the process. In the best-case scenario, your inventory will cover all critical data and provide the following details:

• Physical and logical topologies
• Security control data - make, model, OS, and configuration
• Network device data - make, model, OS, configuration
• Host data - make, model, OS and configuration, and hardware configuration
• Pan-infrastructure data for content management systems, hypervisors, and data interchange systems (the information should include versions, access lists, and security controls)
• Access control and access list for all critical digital assets (including mobile devices)
• App-to-hosts data flow for solutions and services
• Primary contact points for all critical assets
• Log formats, locations, and types for all critical assets

After you have a complete inventory of critical assets, you should categorize and prioritize them to determine the most crucial assets to protect via threat hunting.

To determine which digital assets require the highest level of protection, every company should examine its specific needs, goals, and potential threats to its data. Be it intellectual property, client accounts, or a services platform, every organization should tailor a unique threat-hunting program.

Threat hunters in your organization will benefit greatly from a threat-hunting roadmap. Knowing what threats are lurking out there, how they can impact your network, and how you can mitigate them most efficiently will ease the threat-hunting process significantly.

If you have the resources, you can combine a dedicated threat-hunting team with a robust cybersecurity solution to gather tons of security data. Your security teams can then use that same data to craft a highly customized approach to searching for cyber threats and invoking automatic alerts based on your company's industry threat landscape and the essential assets in your inventory.

Once inventory, asset prioritization, and threat activity reports are complete, a threat analyst can create a sophisticated roadmap of the most pressing threats to investigate.

Typically, the process includes generating a list of priority intelligence requirements (PIRs) that will present you with specific questions regarding cyber threats (and threat actors) to guide your threat-hunting program.

A proactive threat hunter typically follows three primary steps to carry out a hunt - a trigger, an investigation, and a resolution. A successful threat-hunting program will go a long way in mitigating advanced threats and ensuring a reliable data loss prevention strategy.

Threat hunters use trigger points to identify a specific network area or system to investigate further when EDR tools detect suspicious activity that may suggest malicious actions. A hypothesis-based approach toward a new threat is often a trigger for proactive threat hunting.

Threat hunters use advanced threat intelligence technology, such as endpoint detection and response (EDR) tools, to analyze potential malicious activity (or compromise) within a target system. The investigation phase continues until the malicious actions are fully studied and remediated or deemed benign to conclude a successful threat hunt.

The last phase relates to efficiently communicating relevant malicious activity intelligence to security teams so they can properly respond to the incident and mitigate cyber threats. The gathered intelligence about both unharmful and malicious activity is typically fed into the automated security technology to improve effectiveness and minimize false positives without further human intervention.

Throughout the last phase, cyber threat hunters will gather as much data as possible about attackers' behavior, attack patterns, and operational techniques to determine trends in the company's security environment, eliminate current gaps, and propose improvements to the cybersecurity strategy in the future.