Cybersecurity approaches differ with a company’s risk profile: its location, its industry, and the compliance requirements it faces. One approach that holds up regardless of risk profile is an active managed detection and response (MDR) program with threat hunting built in. Rather than waiting for alerts, threat hunting proactively searches internal systems for vulnerabilities and signs of compromise, weighs the risk each finding carries, and feeds both preventive and response measures.
What is Managed Detection and Response Threat Hunting?
Companies can operate MDR internally, but many find the best return on investment in outsourcing threat hunting to a managed security services provider (MSSP) that covers the core MDR practices:
- Detection of security vulnerabilities, threats, risks, and incidents
- Response to, recovery from, and management of incidents
- Root cause analysis, informing other preventive safeguards
- Long-term regulatory compliance and patch monitoring
Beyond these practices, companies can take other, more passive approaches to produce similar results to MDR. Security program advisory can help you select the best one.
Threat Hunting MDR Practice #1: Cyber Threat Detection
To stop attacks, companies need to detect threats and act on them as early as possible, which is why threat detection is the first and most essential part of any MDR program. Threat hunting requires visibility into internal resources (logs, endpoints, network flows, identities), coupled with threat intelligence compiled from past attacks on the company and on peer institutions. Public sources such as the Common Vulnerabilities and Exposures (CVE) list help prioritize prevention and mitigation of known weaknesses.
At the most basic level, any threat hunting capability begins with sound security architecture. Resources employees need to perform their jobs must remain readily accessible to authorized users, but that access cannot come at the expense of the privacy and security of sensitive data. Lifecycle management of all physical and virtual assets should be risk-informed, with regular scans (and their results) consolidated in a central dashboard: you cannot hunt on assets you do not know exist.
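The paragraphs above describe the two inputs a hunt needs, internal visibility and threat intelligence, without showing how they combine. The following is an added example (not RSI Security’s code or tooling) of a minimal hunt: it parses constructed log lines from three sources (proxy, EDR, firewall), matches them against a constructed indicator set standing in for intelligence from prior incidents, applies one feed-independent behavioural rule (an Office application spawning a scripting host), and clusters hits per host so that several weak signals inside a short window are escalated as one incident rather than three unrelated alerts. The IP addresses are documentation ranges, the domains use the reserved `.example` TLD, the asset map is assumed, and the SHA-256 value is the hash of the empty string used purely as a placeholder.

```python
"""Hunt constructed sample logs for indicators of compromise and suspicious behaviour.

Added example, not the article's or any vendor's code. Every indicator, log line and
asset mapping below is constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed threat-intelligence feed (stands in for prior-incident and peer-shared IOCs).
THREAT_INTEL = {
    "ip": {"203.0.113.45", "198.51.100.7"},          # RFC 5737 documentation addresses
    "domain": {"invoice-portal.example", "login-verify.example"},
    # Placeholder: SHA-256 of the empty string, not a real malware hash.
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
}

# Constructed asset map (assumption): internal IP -> hostname, so firewall and proxy
# events can be tied to the same host as EDR events.
ASSET_MAP = {"10.0.5.17": "ws-17", "10.0.2.8": "ws-02"}

# Constructed sample log lines: "<timestamp> <source> key=value ...".
SAMPLE_LOGS = [
    "2024-03-04T09:12:01Z proxy user=alice src=10.0.5.17 dst=invoice-portal.example action=allow",
    "2024-03-04T09:12:09Z edr host=ws-17 user=alice proc=outlook.exe child=powershell.exe "
    "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "2024-03-04T09:13:30Z fw src=10.0.5.17 dst=203.0.113.45 dport=443 action=allow",
    "2024-03-04T10:00:00Z proxy user=bob src=10.0.2.8 dst=intranet.corp.example action=allow",
    "2024-03-04T22:41:12Z fw src=10.0.9.3 dst=198.51.100.7 dport=4444 action=allow",
]

KV_RE = re.compile(r"(\w+)=(\S+)")
OFFICE_APPS = {"outlook.exe", "winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe"}


def parse_line(line):
    """Split a log line into a dict of fields plus parsed timestamp and source name."""
    ts, source, rest = line.split(" ", 2)
    fields = dict(KV_RE.findall(rest))
    fields["_ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["_source"] = source
    return fields


def ioc_hits(event):
    """Return (type, value) pairs for every field that matches the intel feed."""
    hits = []
    for key in ("src", "dst"):
        val = event.get(key)
        if val in THREAT_INTEL["ip"]:
            hits.append(("ip", val))
        if val in THREAT_INTEL["domain"]:
            hits.append(("domain", val))
    if event.get("sha256") in THREAT_INTEL["sha256"]:
        hits.append(("sha256", event["sha256"]))
    return hits


def behaviour_hits(event):
    """Feed-independent hunting rule: an Office process launching a scripting host."""
    if event.get("proc") in OFFICE_APPS and event.get("child") in SCRIPT_HOSTS:
        return [("behaviour", f"{event['proc']}->{event['child']}")]
    return []


def principal_of(event):
    """Resolve the host an event belongs to; fall back to the raw source IP."""
    return event.get("host") or ASSET_MAP.get(event.get("src", "")) or event.get("src")


def hunt(lines, window=timedelta(minutes=15)):
    """Group detections by host; several hits inside `window` become one incident."""
    per_host = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        hits = ioc_hits(ev) + behaviour_hits(ev)
        if hits:
            per_host[principal_of(ev)].append((ev["_ts"], ev["_source"], hits))

    report = {}
    for host, events in per_host.items():
        events.sort(key=lambda e: e[0])
        clustered = len(events) >= 2 and events[-1][0] - events[0][0] <= window
        report[host] = {
            "severity": "incident" if clustered else "alert",
            "indicators": sorted({h for _, _, hs in events for h in hs}),
            "sources": sorted({src for _, src, _ in events}),
        }
    return report


if __name__ == "__main__":
    for host, finding in hunt(SAMPLE_LOGS).items():
        print(host, finding["severity"], finding["sources"], finding["indicators"])
```

Run on the constructed logs, `ws-17` is escalated to an incident because a proxy hit, an EDR hit and a firewall hit land within two minutes, while the lone outbound connection from `10.0.9.3` stays an alert for an analyst to triage. The asset map is the important design choice: without it, the three sources would never be tied to one host and the correlation could not happen.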
How Cyber Risk Reporting Facilitates Cyber Threat Hunting
Companies that don’t already have a threat hunting capability in place may find the prospect of building one daunting. In these cases, it can help to begin with a lower-stakes scan of individual system segments, breaking the process down into manageable steps.
For example, RSI Security offers a free cyber risk report focused on three threat areas:
- Network threats – Including potential gaps in cybersecurity coverage across all servers and other endpoints
- Web-based threats – Including up-to-date code and patches for all owned and operated websites, web apps, and other web-based functionalities
- Dark web threats – Including potentially damaging information about your company, whether true or false, lurking on dark web marketplaces or forums
Any vulnerabilities or threats identified in these areas can be addressed immediately or folded into broader risk mitigation practices. Because many cybersecurity concerns are interconnected, a threat identified against one attack vector may well lead to an eventual attack or other incident elsewhere, such as on a web application or cloud platform.
Threat Hunting MDR Practice #2: Incident Response
Whether focused on detected threats or on attacks already under way, the second most critical MDR practice is incident response. Companies need to be able to stop the spread of an event when it occurs, recover business functionality as soon as possible, and minimize short- and long-term losses. Organizations can tune their incident response for threat hunting by treating confirmed threats as incidents and responding to them with the same rigor as a full-blown data breach or attack.
Another tactic involves preparing internal personnel for potential incidents with hands-on training, such as an incident response tabletop exercise. Companies can design scenarios in which individual staff members exercise their responsibilities against a simulated attack without putting any real resources at risk.
Simulations can be repeated to address different areas (malware, cloud, networks, etc.) or procedures (reporting, backup recovery, etc.). Tabletop exercises complement penetration testing (see below): the exercise tests people and procedures, while a pen-test exercises the systems themselves, at higher cost and higher stakes.
Cybersecurity Threat Hunting and Incident Management
Beyond real-time incident response, companies may also wish to fold more holistic incident management into their threat hunting MDR capabilities. This involves six essential processes:
- Incident identification – Closely related to threat detection, this capability detects and flags incidents as soon as they occur, minimizing response time to facilitate a full recovery.
- Inventory management – Incidents need to be logged as soon as possible, and then all relevant assets’ statuses need to be updated and monitored, accounting for the incident.
- Investigatory analysis – Once flagged, investigation needs to determine a diagnosis to inform both short- and long-term mitigation and recovery practices as soon as possible.
- Mitigation deployment – Pending diagnosis, a mitigation strategy must be developed and deployed, with roles assigned and escalated as needed throughout the response.
- Resolution and closure – An incident should not be closed until every element is resolved, including eradication of the attacker’s artifacts (persistence mechanisms, rogue accounts, tooling) once the evidence needed for investigation or legal action has been preserved.
- Customer satisfaction – Companies must dedicate resources to their customers’ satisfaction before, during, and after an incident to avoid long-term reputational costs.
Collectively, these practices ensure that incidents are learning experiences rather than causes for institutional collapse. Incident management minimizes the total impact of all incidents over time.
Threat Hunting MDR Practice #3: Root Cause Analysis
The third critical practice a threat hunting MDR program should include is root cause analysis (RCA). Companies need to ensure that their mitigations dig below the symptoms of a threat to the conditions that made it possible. Analysis of the threat indicators and the reasons behind them should determine why a threat occurred and how to prevent its recurrence.
For example, a company hit by phishing should study why the messages reached inboxes and why the resulting clicks succeeded, rather than cataloguing the traits of each individual lure. Closing the underlying gaps (for example, missing multi-factor authentication, weak email filtering, or no sender authentication) generally returns far more over the long term than addressing the specifics of any one campaign.
Most critically, results from RCA and other threat analytics should be shared widely and should inform company-wide security awareness training. As soon as there is conclusive evidence that a particular factor enabled a given threat, all stakeholders need to know what they can do in their own roles to keep that factor from recurring.
Penetration Testing: Advanced Cybersecurity Threat Hunting
Another approach to cyber threat hunting involves simulating an attack on your own systems to identify possible attack routes and patterns. Penetration testing is a form of “ethical hacking” in which an individual or team of experts uses offense to inform defense. It surfaces threats, such as chained weaknesses across several systems, that automated scanning alone tends to miss.
Pen-tests are usually described along two separate axes. Vantage point: an external test attacks from outside the perimeter, while an internal test starts from a foothold inside the network. Knowledge: a “black box” test is conducted without any privileged knowledge of the target’s security configuration, while a “white box” test gives the testers documentation, source code, or credentials. External tests are better suited to gauging perimeter exposure, while internal tests are apt for finding flaws in the safeguards between supposedly segmented systems.
Some companies opt for a hybrid (“grey box”) approach that combines elements of both. For example, an assumed-breach test may begin with limited knowledge and a low-privilege account and then attempt to move laterally and escalate, as a real intruder would. In any case, there are few better ways to learn exactly how an actual attacker would compromise your systems if given the chance.
Threat Hunting MDR Practice #4: Regulatory Compliance
Finally, the most comprehensive and robust MDR programs should also prioritize regulatory compliance to avoid costs associated with noncompliance. For example, consider the following applicable elements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA):
- Covered entities (health plans, clearinghouses, and providers that transmit health information electronically) and their business associates must safeguard patient data per the Privacy and Security Rules. The former delineates permitted uses and disclosures of protected health information (PHI), while the latter requires administrative, physical, and technical safeguards that keep PHI confidential, intact, and available.
- A breach of unsecured PHI triggers the Breach Notification Rule’s obligations to notify affected individuals, HHS, and in some cases the media; a failure to do so, like any other violation, can trigger HIPAA Enforcement. Civil money penalties exceed $1.7 million per calendar year for each violation category (the cap is adjusted for inflation), and criminal penalties for knowing misuse of PHI reach up to 10 years’ imprisonment, per the Federal Register.
- A breach is, by definition, an impermissible use or disclosure under the Privacy Rule. The Security Rule additionally requires an ongoing risk analysis, so known but unaddressed threats can be a Security Rule violation even when no data is lost. Even well-protected companies can therefore face HIPAA enforcement and long-term reputational damage.
Similar chains of events exist under other widely applicable regulations, such as the Payment Card Industry (PCI) Data Security Standard (DSS). Depending on your industry, any gap in a required practice should itself be treated as a threat.
Patch Management and Long-term Threats to Compliance
One especially challenging element of compliance is that many applicable frameworks are dynamic, changing frequently to keep pace with the risks facing industry- or location-specific environments. The difficulty is compounded by the fact that companies must often comply with several frameworks at once.
One way to address all compliance needs is to adhere to a single omnibus framework, such as the HITRUST CSF. Another is to integrate the threat hunting MDR program with robust patch availability reporting. If potential noncompliance findings are treated as threats, scans can be tuned to find these gaps quickly, together with the patches that close them.
A control inventory maintained this way can also be mapped from one framework onto another, as when a company changes industries or locations or onboards a new framework. For example, Department of Defense (DoD) contractors already compliant with DFARS and NIST SP 800-171 requirements will still need to have those controls formally assessed (and, at higher levels, extended) for CMMC certification.
Patch management and MDR can be the difference between successfully demonstrating compliance or failing to do so.
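As an added illustration of the patch availability reporting described above (this is example code, not RSI Security’s tooling or any particular scanner), the block below compares a constructed asset inventory against constructed vendor advisories, decides which assets are still running a version below the first fixed release, and flags those whose remediation deadline under an assumed severity-based SLA has already passed. The advisory identifiers, products, versions, dates and SLA table are all constructed; the only real-world assumption is that versions are dotted numeric strings, which is what the comparison relies on.

```python
"""Patch-gap report: inventory versus advisories, with SLA deadlines.

Added example, not the article's or any vendor's code. Inventory, advisories and the
SLA table are constructed for illustration; advisory ids are local labels, not CVEs.
"""
from datetime import date, timedelta

# Assumed remediation deadlines by severity, in days from advisory publication.
PATCH_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}

# Constructed asset inventory: (asset, product, installed version).
INVENTORY = [
    ("web-01", "nginx", "1.24.0"),
    ("web-02", "nginx", "1.25.3"),
    ("db-01", "postgresql", "15.3"),
    ("vpn-01", "openssl", "3.0.9"),
]

# Constructed advisories: first version that carries the fix, severity, publication date.
ADVISORIES = [
    {"id": "adv-1", "product": "nginx", "fixed": "1.25.2", "severity": "high", "published": date(2024, 1, 10)},
    {"id": "adv-2", "product": "postgresql", "fixed": "15.5", "severity": "critical", "published": date(2024, 3, 1)},
    {"id": "adv-3", "product": "openssl", "fixed": "3.0.8", "severity": "medium", "published": date(2024, 1, 5)},
]


def version_key(version):
    """Numeric tuple so that 1.25.3 > 1.25.2 and 1.10 > 1.9 (string comparison gets both wrong)."""
    return tuple(int(part) for part in version.split("."))


def patch_gaps(inventory, advisories, today):
    """Return one record per (asset, advisory) where the installed version is below the fix."""
    gaps = []
    for asset, product, installed in inventory:
        for adv in advisories:
            if adv["product"] != product:
                continue
            if version_key(installed) >= version_key(adv["fixed"]):
                continue  # already on or past the fixed release
            deadline = adv["published"] + timedelta(days=PATCH_SLA_DAYS[adv["severity"]])
            gaps.append({
                "asset": asset,
                "product": product,
                "installed": installed,
                "fixed": adv["fixed"],
                "advisory": adv["id"],
                "severity": adv["severity"],
                "deadline": deadline,
                "overdue": today > deadline,
            })
    # Overdue items first, then by severity order as listed in the SLA table.
    severity_rank = {sev: i for i, sev in enumerate(PATCH_SLA_DAYS)}
    gaps.sort(key=lambda g: (not g["overdue"], severity_rank[g["severity"]]))
    return gaps


if __name__ == "__main__":
    for gap in patch_gaps(INVENTORY, ADVISORIES, date(2024, 3, 4)):
        status = "OVERDUE" if gap["overdue"] else f"due {gap['deadline']}"
        print(f"{gap['asset']}: {gap['product']} {gap['installed']} < {gap['fixed']} "
              f"({gap['advisory']}, {gap['severity']}) {status}")
```

The numeric version comparison is the part that matters: a report that compares version strings lexically will mark `1.10` as older than `1.9` and quietly under-report gaps. Sorting overdue items ahead of everything else is what turns a vulnerability list into a compliance report an auditor can read.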
Other Approaches to Comprehensive Threat Management
Active, MDR-informed approaches to cybersecurity threat hunting offer optimal visibility and preventive capabilities. However, they are not the only way to manage threats and risks at an enterprise level. Many companies may opt for more passive, less hunt-like programs. A threat and vulnerability management program might produce similar results with methods such as:
- Inventory, threat, or vulnerability monitoring activities logically separate from incident response efforts
- Endpoint lifecycle management focused on threats as one part of the broader lifespan
- Internal or external risk rating reports leading to outsourced risk mitigation services
Alternatively, companies may opt for a security information and event management (SIEM) or file integrity monitoring (FIM) solution, standalone or integrated into the rest of their security architecture. Note that these tools supply the telemetry and the alerts; they do not hunt on their own, so in-house staff or a provider still has to act on what they surface.
Perimeter, Cloud, and Access-based Cyber Threat Monitoring
An element of active and passive threat management that is likely to determine how companies approach it is the location and nature of their most sensitive resources. Companies that operate in a more traditional setting, such as an office, should prioritize establishing a secure perimeter through firewalls and proactive web filtering. These architectural elements minimize the amount and severity of risks, potentially making a more passive approach a better security investment.
Companies operating in more mobile environments, with large segments of their staff remote, depend more heavily on cloud security measures to identify and mitigate threats. These typically include strict identity and access management (IAM). A robust IAM program is not a substitute for threat management, but it reduces the load on MDR or similar capabilities.
Managing All Risks Across Your Network of Strategic Partners
Another factor impacting the approach companies take to threat management is the extent to which they must concern themselves with their contractors’ and vendors’ security. A company with an extensive network of strategic partners is likely to benefit from a distinct third party risk management (TPRM) program, independent or integrated into broader threat management.
TPRM is especially critical regarding noncompliance threats. To return to an example from above, a crucial stipulation within HIPAA is that business associates of a covered entity need to maintain compliance alongside the covered entity proper. This means that, if HIPAA applies to you, equivalent Privacy, Security, and Breach Notification protections need to be upheld by all third parties you work with closely, or else your company and theirs may face Enforcement.
Whether your company opts for an active (MDR) approach to threat hunting or a more passive one, it needs to account for the security and compliance risks of every strategic partner in its network.
Rethink Your MDR, Cyber Threat Hunting, and Security
Effective approaches to threat hunting MDR need to account for detection, response, root cause analysis, and compliance, at a minimum. Ideally, they should also include advanced measures such as penetration testing and long-term monitoring such as patch management. Companies may also opt for more passive approaches to the same ends.
Contact RSI Security today to determine what threat hunting approach best suits your company’s needs and means!