Taking a proactive approach to cybersecurity is critical for Federal agencies in today's complex digital landscape. One way to do this is through threat hunting, which involves actively searching for and identifying threats that may have evaded traditional security measures. However, threat hunters often struggle to “show value” to the broader organization. This can be attributed to a few common reasons:
- “We didn’t find anything”: Threat hunters, by definition, are hunting for cyber threats assumed to be in the environment. However, assumptions are just that – there is no way to know whether an adversary has bypassed your security measures until you hunt for them and prove it. Despite this, some may mistakenly assume their threat hunters are ineffective simply because they did not find evidence of an APT during every hunt.
- Intangible Nature of Prevention: Prevention is often seen as the primary goal of cybersecurity efforts. Threat hunting, however, is about identifying and mitigating threats that have already penetrated defenses or are evading detection. This proactive approach is harder to quantify in terms of direct ROI than traditional security measures like firewalls or antivirus software.
- Resource Intensiveness: Effective threat hunting requires skilled analysts, advanced tools, and substantial resources. Organizations may struggle to justify the investment in threat hunting activities, especially if they don’t see immediate or tangible results.
Ultimately, showing value in threat hunting can be done through effective, precise communication and training your threat hunters to be better observers while hunting. Threat hunters must answer three things:
- Is/was the APT present in the environment?
- What else did you find?
- What are you doing about it?
With a properly scoped hunt hypothesis, sound hunt analytics, and reliable data, threat hunters can confidently report their findings. Most times threat hunters will not find evidence of the targeted APT in the environment – and that is understandable. The importance of this outcome is that it “proves the negative” or guarantees that based on the hunt scope and criteria, the threat hunt team can definitively claim that evidence of the targeted APT was not found. Proving the negative can also provide insights into where the organization’s defenses are strong and effective.
During a threat hunt, hunters will encounter numerous security gaps. Misconfigurations, unpatched systems, inadequate access controls, shadow IT, lack of security visibility, weak authentication mechanisms, anomalous behaviors, and even insider threats are all security gaps threat hunters commonly observe. A good threat hunting team will make these observations — a great one will log them, report them, and recommend controls or other remediations to close said gaps. Communicating these observations effectively enables improved security posture, making it more difficult for attackers to penetrate cyber defenses in the future.
At Edgewater, we recently hunted APT29 (a.k.a. Midnight Blizzard) for one of our federal clients. This hunt focused on discovering evidence of Midnight Blizzard exploiting accounts within the client’s development and production cloud tenants. While we did observe several accounts with unusual authentication activity and a few high-risk cloud applications with high-permission access, thankfully, we were able to prove the negative and definitively claim that Midnight Blizzard had not compromised our client’s information. Additionally, Edgewater’s experts provided the client with detailed recommendations: improve password spraying detection for cloud accounts using machine learning, and immediately enable and enforce MFA on all accounts in the development cloud tenants.
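A first-pass version of the password spraying detection recommended above, as an added example that is neither Edgewater's nor the client's code: it applies a "many accounts, few attempts each, one source" heuristic over constructed sign-in events (the field names, accounts, IPs and thresholds are assumptions) and deliberately does not flag single-account brute force, which lockout policies already cover.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(ts, user, ip, result="failure"):
    return {"ts": ts, "user": user, "ip": ip, "result": result}


# Constructed sign-in events in the shape of a cloud tenant sign-in log
# (hypothetical accounts, documentation-range IPs; not real log data).
SIGNIN_LOG = (
    # one source, six accounts, one failure each within five minutes: spray pattern
    [_ev(f"2024-05-01T08:0{i}:00", f"user{i}@dev.example", "203.0.113.9") for i in range(6)]
    # one source hammering a single account: brute force, not a spray
    + [_ev(f"2024-05-01T09:00:{10 + i}", "bob@dev.example", "198.51.100.7") for i in range(8)]
    # ordinary mistyped password followed by a successful sign-in
    + [_ev("2024-05-01T10:00:00", "carol@dev.example", "192.0.2.5"),
       _ev("2024-05-01T10:00:20", "carol@dev.example", "192.0.2.5", "success")]
)


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, max_attempts_per_account=2):
    """Return {source_ip: [accounts]} for sources whose failures in some
    sliding time window touch many distinct accounts with few attempts each.
    Low per-account volume is what keeps a spray under lockout thresholds,
    so the heuristic requires breadth across accounts, not depth on one."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[e["ip"]].append((datetime.fromisoformat(e["ts"]), e["user"]))

    alerts = {}
    for ip, fails in failures.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # advance the window start so the span never exceeds `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_account = defaultdict(int)
            for _, account in fails[start:end + 1]:
                per_account[account] += 1
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_attempts_per_account
                    and len(per_account) > len(alerts.get(ip, ()))):
                alerts[ip] = sorted(per_account)  # keep the widest window seen
    return alerts


if __name__ == "__main__":
    for ip, accounts in detect_password_spray(SIGNIN_LOG).items():
        print(f"possible password spray from {ip}: {len(accounts)} accounts targeted")
```

The thresholds are a starting point for tuning against a tenant's real sign-in volume; the machine-learning approach the recommendation refers to would replace the fixed cutoffs with a learned baseline per source and account.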
At Edgewater, our team of experts works together to review the data, share insights, and develop strategies for improving our Federal clients’ security posture. We take this responsibility seriously and are committed to using the insights we gain to improve defenses and protect the missions of the Federal agencies we serve.