Considerations when Outsourcing Threat Hunting
Threat hunting has become a fundamental security process within organizations. It targets threats that may have slipped past traditional detection controls such as firewalls, intrusion detection systems, malware sandboxes and SIEMs. This article covers the considerations that need to be weighed when outsourcing threat hunting or developing an internal threat-hunting program.
Internal vs. External Threat Hunting
Internal threat hunting differs from external threat hunting in that it is an internally managed function within the organization. The security department establishes an incident response (IR) team that is responsible for hunting and handling threats that might affect the organization. A balance must normally be struck between human skills and detection tooling to make the team effective.
Organizations that lack a threat-hunting function might outsource it to cybersecurity companies that offer such services. This externally managed function is what is known as external threat hunting. Internal and external threat hunting each have pros and cons, which we discuss below.
Pros of an Internal Threat-Hunting Function
Having your own threat-hunting function within your organization has several advantages. They include:
Control over team size, tooling and cost
Compared with outsourcing threat hunting to a third-party cybersecurity company, assembling an internal team means you decide the size of the team and the tools it uses, and you can build up these assets at a lower cost if you choose.
Ability to streamline
Internal hunting teams are normally compact. This allows you to streamline the hunting process by defining the datasets that are most critical and therefore deserve the most attention, so the team works efficiently and effectively.
Reduced infection dwell time
Hunting allows you to reduce the amount of time an intrusion dwells in your organization undetected, lowering the chance that an initial foothold turns into a catastrophic breach.
Hardened attack surface
Hunting allows you to determine the areas most exposed to attack and harden them before an attacker arrives, making it more difficult to penetrate the organization.
Exposure to external threats
Hunting brings new threats to your attention and allows you to keep up with the threat landscape, especially given the current rise in ransomware attacks against organizations worldwide.
Cons of an Internal Threat-Hunting Function
Internal threat hunting faces several challenges that might prevent your organization from establishing a team to handle it. These challenges include:
Shortage of skills
Building an incident-response team requires competent cybersecurity staff capable of detecting threats within the organization. The shortage of these skills is something you should be prepared to deal with, especially in the long run, by training new members of the IR team.
The process is demanding and time-consuming
Hunting is a demanding process, and getting management to agree to the development of such a function may be met with opposition. Later, we discuss the points to note while building the ultimate threat-hunting team and how to build a business case to get it approved at your organization.
Accuracy of response
You should be aware that the accuracy of your responses will vary greatly depending on the level of skill you can recruit and the tools at the team's disposal. Internal hunting teams are prone to missing some threats, compared with cybersecurity companies that focus on hunting and have dedicated substantial resources to it.
Pros of an External Threat-Hunting Function
Because of some of the challenges above, some organizations have chosen to outsource their threat hunting. The following are some of the advantages of outsourcing this function.
Accuracy and speed of response
With an outsourced threat-hunting function, you are likely to receive more accurate and faster responses, because companies that handle this task focus entirely on hunting and have honed their skills over time.
Continuous coverage
Outsourced hunting is a continuous activity that runs on a 24/7 basis. Providers are equipped to handle the large volumes of data that organizations generate, particularly large ones, and typically have developed in-house tools that aid the hunting process.
Cons of an External Threat-Hunting Function
External hunting is expensive
Outsourcing this function to a specialist company is expensive, mostly because hunting is a round-the-clock activity that requires scarce cybersecurity skills and well-trained, certified threat hunters.
Data security and privacy
Many organizations struggle with the idea of outsourcing a function such as threat hunting because of the nature of the work it involves: the provider needs access to logs, endpoint telemetry and often the contents of files and messages. With regulations such as GDPR in force, the loss of customer data or intellectual property might be the difference between the success and failure of an organization, so data-handling terms and access controls must be settled contractually before any telemetry is shared. As a result, organizations will often prefer an internal threat-hunting function.
Considerations when Outsourcing Threat Hunting
In order to ensure effective security, a number of considerations must be put in place before outsourcing threat hunting.
Reliance on Traditional Detection Methods
Threat hunting is only as good as the data it collects. For example, according to the 2018 threat hunting report cited below, only 37% of organizations were feeding user behavior activity into their threat-hunting program, and only 54% were using data collected from Active Directory. Worse still, only 19% had integrated file activity monitoring into their threat-hunting platforms. Before outsourcing threat hunting, it is important to understand how much information is actually being collected and whether traditional detection methods are being relied upon excessively; a provider cannot hunt in data you do not collect.
Cybersecurity Skills Shortage
Cybersecurity skills shortages are nothing new, but according to new research they are causing recruiting chaos. CSO Online reports that 45% of organizations claim to have a problematic shortage of cyber skills. 70% of organizations report that the shortage has had a direct impact, such as increased workload for existing staff, the need to hire and train junior employees, and the old problem of staff reacting to emergencies rather than engaging in strategic planning or training.
It is therefore necessary to assess the cybersecurity skills of security personnel within the organization and whether they are adequate to handle threats. If not, you would have to consider outsourcing threat-hunting functions.
Organizational Bureaucracy and Politics
Organizations often face a great deal of bureaucracy and politics when it comes to getting initiatives approved. For example, convincing management of the need to expand the incident response/threat-hunting team might be met with opposition that leaves too few people to handle incidents. This is something that should be weighed before deciding whether to outsource threat hunting.
Complexity of Staying Informed on Security
Modern malware is sophisticated, hard to detect and well targeted. According to the Verizon Data Breach Investigations Report cited by the source, companies on average went more than 200 days between the time they were breached and the day they discovered the incident. The confidence level of your security team should be taken into consideration when deciding whether to outsource threat-hunting functions. This matters because attackers are getting increasingly adept at avoiding detection.
Building a Business Case for Outsourcing Threat-Hunting Functions
Engaging a service provider to handle threat-hunting functions at your organization will require organizational buy-in from IT and security leadership all the way up to your CFO or CEO. How then can you build a business case for hiring a solutions provider?
Capitalize on an incident! Never let an incident go to waste. If your team lacks adequate resources or funding, use each incident as an opportunity to build your case. For example, you might approach upper management with the following report:
“The incident that just occurred was a result of lacking a robust security program with layered controls. In order for us to be more effective at detecting and preventing future attacks, we need A, B and C.”
A well-built budget case lets you strengthen your architecture effectively, for example by implementing passive defense tools and active defense procedures across people, process and technology. You can then move toward a data-driven, intelligence-led defense process.
Once these are in place, a report can capture the resulting metrics. Counts of "breaches prevented" are hard to substantiate, so pair them with measurable indicators such as hunts completed, findings confirmed and reduced dwell time.
Things to Note While Building the Ultimate Threat-Hunting Team
Sometimes building a threat-hunting team or function is preferable to outsourcing. We have compiled some points to note while building your team or function:
Carve out time to hunt
Carving out time to hunt is essential. Most threat hunters juggle other duties and mostly hunt only when an incident warrants it. You need to consider the two biggest hurdles, skill set and data, and determine how best to address them with the resources currently available to you.
Go beyond reacting to incidents
Most organizations are reactive rather than proactive in handling security incidents. They rely on tools such as SIEMs and firewall logs as the impetus to launch an investigation. A proper hunt begins with a hypothesis: the hunter constructs a scenario based on threat intelligence, data analytics or an observed anomaly, then queries the data to confirm or refute it. The start is a "what if" question rather than a response to an incident.
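As an added example (not from the original article), the following Python script shows what a hypothesis-driven hunt looks like in practice. It starts from two "what if" questions, turns each into a query over logon telemetry, and returns only the records an analyst needs to triage. The records are constructed for the example and loosely modelled on the fields of Windows Security event 4624; the account and host names, the `svc_` naming convention for service accounts and the hunt window are assumptions.

```python
"""Hypothesis-driven hunt over Windows logon telemetry (constructed sample).

Two "what if" hypotheses, each turned into a query over the same records:
  H1: service accounts should never log on interactively (logon type 2 or 10).
  H2: a user appearing on a host not seen in the baseline window is worth a look.
"""
from collections import defaultdict
from datetime import datetime

# Constructed records modelled loosely on Security event 4624 fields; the
# account and host names are invented for this example.
EVENTS = [
    {"ts": "2024-03-01T08:01:00", "user": "svc_backup", "host": "FS01", "logon_type": 3},
    {"ts": "2024-03-01T08:05:00", "user": "alice", "host": "WS-ALICE", "logon_type": 2},
    {"ts": "2024-03-02T09:12:00", "user": "bob", "host": "WS-BOB", "logon_type": 2},
    {"ts": "2024-03-03T08:00:00", "user": "svc_backup", "host": "FS01", "logon_type": 3},
    {"ts": "2024-03-08T08:03:00", "user": "alice", "host": "WS-ALICE", "logon_type": 2},
    {"ts": "2024-03-08T23:41:00", "user": "alice", "host": "DC01", "logon_type": 10},
    {"ts": "2024-03-08T23:50:00", "user": "svc_backup", "host": "FS01", "logon_type": 10},
    {"ts": "2024-03-09T07:30:00", "user": "bob", "host": "WS-BOB", "logon_type": 3},
]

# Assumed naming convention for service accounts in this (hypothetical) estate.
SERVICE_ACCOUNT_PREFIXES = ("svc_",)
# 2 = Interactive (console), 10 = RemoteInteractive (RDP); 3 = Network is expected.
INTERACTIVE_LOGON_TYPES = {2, 10}
# Everything before this date is the baseline; everything from it onward is hunted.
HUNT_WINDOW_START = datetime(2024, 3, 8)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def hunt_service_interactive(events):
    """H1: service accounts with an interactive or RDP logon."""
    return [
        e for e in events
        if e["user"].lower().startswith(SERVICE_ACCOUNT_PREFIXES)
        and e["logon_type"] in INTERACTIVE_LOGON_TYPES
    ]


def build_host_baseline(events, until):
    """Map each user to the set of hosts they logged on to before `until`."""
    seen = defaultdict(set)
    for e in events:
        if _ts(e) < until:
            seen[e["user"]].add(e["host"])
    return seen


def hunt_new_user_host_pairs(events, baseline, since):
    """H2: logons at or after `since` onto a host the user never used in the baseline."""
    return [
        e for e in events
        if _ts(e) >= since and e["host"] not in baseline.get(e["user"], set())
    ]


def run_hunt(events, hunt_window_start):
    """Run both hypotheses; returns {hypothesis: [matching events]} for triage."""
    baseline = build_host_baseline(events, hunt_window_start)
    return {
        "H1_service_account_interactive": hunt_service_interactive(events),
        "H2_new_user_host_pair": hunt_new_user_host_pairs(events, baseline, hunt_window_start),
    }


if __name__ == "__main__":
    for hypothesis, hits in run_hunt(EVENTS, HUNT_WINDOW_START).items():
        print(f"{hypothesis}: {len(hits)} hit(s)")
        for h in hits:
            print(f"   {h['ts']} {h['user']}@{h['host']} logon_type={h['logon_type']}")
```

On the sample data H1 surfaces the RDP logon by `svc_backup` and H2 surfaces `alice` appearing on `DC01` for the first time; the routine network logons and the repeat console logon on `WS-ALICE` are not reported, which is the point of starting from a hypothesis rather than from every alert.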
Implement the right tools
About 90% of companies use existing tools to help hunt for threats, and 61% also use customizable tools such as scripts. Many hunters spend time modifying current tools to support hunting, which can significantly slow down the hunting process. Skilled hunters look for solutions that are not noisy and produce few false positives, while still giving them access to the raw data when they need it. You should therefore invest in acquiring the tools and skills that match your organization's needs.
Incorporate what you learn
To make threat hunting a continuous process, you need to feed the lessons learned while hunting back into the process and the tools being used. It is a waste of time to repeat the same steps each time you hunt. A learned procedure can initially be recorded in a playbook. Such formalized processes are key to incorporating lessons into incident-response and hunting processes. Your security team needs to ensure that playbooks describe processes, not tools.
The next step is to automate any best practices. Automation speeds up threat hunting and makes it less likely that telltale evidence of a compromise is missed.
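The following Python script is an added example (not the article's own material) of turning a hunt lesson into an automated playbook step. The hypothetical lesson is that an Office document was seen spawning a command-line download tool; the codified check stacks parent-to-child process pairs every run, compares them with a baseline of known pairs, drops pairs an analyst has already reviewed as benign, and surfaces the rarest new pairs first. It then feeds the analyst's verdicts back so the same finding is not re-surfaced tomorrow. The process records are constructed and modelled on Sysmon Event ID 1 fields; the host names, the baseline and the reviewed-benign entry are assumptions.

```python
"""Codifying a hunt lesson as a repeatable, automated stacking check.

Daily step from the (hypothetical) playbook:
  1. stack (parent, child) process pairs across all hosts,
  2. drop pairs in the baseline or already reviewed as benign,
  3. report the rarest remaining pairs first (long-tail analysis),
  4. record analyst verdicts so they carry into the next run.
"""
from collections import Counter

# Constructed process-creation records (fields modelled on Sysmon Event ID 1);
# host names and the activity itself are invented for this example.
TODAYS_EVENTS = [
    {"host": "WS-07", "parent": "explorer.exe", "child": "winword.exe"},
    {"host": "WS-07", "parent": "explorer.exe", "child": "outlook.exe"},
    {"host": "WS-07", "parent": "winword.exe", "child": "splwow64.exe"},
    {"host": "WS-12", "parent": "explorer.exe", "child": "winword.exe"},
    {"host": "WS-12", "parent": "winword.exe", "child": "certutil.exe"},
    {"host": "WS-12", "parent": "winword.exe", "child": "cmd.exe"},
    {"host": "WS-12", "parent": "cmd.exe", "child": "certutil.exe"},
    {"host": "WS-03", "parent": "explorer.exe", "child": "winword.exe"},
    {"host": "WS-03", "parent": "winword.exe", "child": "splwow64.exe"},
    {"host": "WS-03", "parent": "services.exe", "child": "svchost.exe"},
]

# Pairs observed during earlier hunts and accepted as normal for this estate (assumed).
BASELINE_PAIRS = {
    ("explorer.exe", "winword.exe"),
    ("explorer.exe", "outlook.exe"),
    ("services.exe", "svchost.exe"),
}

# A finding an analyst already reviewed and documented as benign in the playbook
# (assumed note: splwow64.exe is the 32-bit print helper Office launches).
REVIEWED_BENIGN = {("winword.exe", "splwow64.exe")}


def _pair(event):
    return (event["parent"].lower(), event["child"].lower())


def stack_pairs(events):
    """Frequency-stack (parent, child) pairs across all hosts."""
    return Counter(_pair(e) for e in events)


def novel_pairs(events, baseline, reviewed_benign):
    """Pairs not in the baseline or reviewed set, rarest first.

    Each entry is (parent, child, occurrences, sorted list of hosts).
    """
    counts = stack_pairs(events)
    hosts = {}
    for e in events:
        hosts.setdefault(_pair(e), set()).add(e["host"])
    rows = [
        (p, c, n, sorted(hosts[(p, c)]))
        for (p, c), n in counts.items()
        if (p, c) not in baseline and (p, c) not in reviewed_benign
    ]
    return sorted(rows, key=lambda r: (r[2], r[0], r[1]))


def incorporate_review(baseline, reviewed_benign, decisions):
    """Feed analyst verdicts back into the lists used by the next run.

    'expected' pairs join the baseline, 'benign' pairs join the reviewed set;
    any other verdict (e.g. 'malicious') is handed to incident response and
    changes nothing here. Inputs are not mutated; new sets are returned.
    """
    new_baseline, new_reviewed = set(baseline), set(reviewed_benign)
    for pair, verdict in decisions.items():
        if verdict == "expected":
            new_baseline.add(pair)
        elif verdict == "benign":
            new_reviewed.add(pair)
    return new_baseline, new_reviewed


if __name__ == "__main__":
    for parent, child, n, hosts in novel_pairs(TODAYS_EVENTS, BASELINE_PAIRS, REVIEWED_BENIGN):
        print(f"{n:>3}  {parent} -> {child}  on {', '.join(hosts)}")
```

On the sample data the run reports only the three pairs on `WS-12` involving `certutil.exe` and `cmd.exe`; the print-helper pair that an earlier hunt already explained stays suppressed. Keeping the baseline and the reviewed set as data rather than hard-coded conditions is what lets the playbook describe a process instead of a tool.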
You also need to operationalize threat-hunting lessons by using incidents as training material that can be reviewed by your security department, including for the purpose of growing your threat-hunting team.
In this article, we discussed internal versus external threat hunting and the advantages and challenges of each. We covered the considerations to weigh before outsourcing threat hunting, the points that matter when building the ultimate threat-hunting team, and how to develop a business case to get a threat-hunting function started within your organization.
It is worth noting that most organizations struggle with getting started, and the delay leaves threats undetected for longer. So don't delay: get started.
2018 Threat Hunting Report, The Insider Threat Security Blog
Improving Threat Hunting with Managed Security Services, Digital Guardian
The Benefits and Challenges of Threat Hunting, Alert Logic
How to build the best cyber-threat hunting team, TechBeacon