Enterprise Endpoint Security and Threat Hunting: The Basics
How can threat hunting supplement and strengthen your enterprise’s endpoint security?
We usually describe cybersecurity in general as a series of preventative or reactive policies. For example, in the case of endpoint security, the former includes next-generation antivirus and firewalls. For the latter, the endpoint protection capabilities include endpoint detection and response (EDR) and an incident response plan.
However, enterprises can also take a proactive stance through threat hunting; doing so brings your team's human expertise to bear alongside your IT threat detection and intrusion prevention capabilities.
After all, no cybersecurity solution proves 100% effective at preventing all threats. Additionally, your EDR alerts could miss relevant security event information as your environment scales. Only by treating your endpoint security proactively can you ensure the most comprehensive protection.
To explore threat hunting in an endpoint security context, we read through “Threat Hunting for Dummies,” an in-depth guide to the subject by solution provider Carbon Black.
Of course, we can’t possibly summarize all of the findings in “Threat Hunting for Dummies” by Carbon Black. However, we can provide an initial glimpse of the valuable data contained within the guide. We hope it convinces you to consider your own policies regarding proactive endpoint security.
What is Threat Hunting?
Threat hunting describes capabilities through which your IT security team pursues cyber attackers throughout the network. They track evidence of penetrative threats or malicious scouting activities, monitoring all of your connected endpoints for any sign of abnormal activity.
When threat hunting, your team can draw on its in-depth knowledge of your environment to better detect unauthorized activity or entry; in effect, it turns their home-field advantage against intruders. Ultimately, this tactic recognizes that just because all appears quiet on the surface doesn’t mean an absence of hackers.
What Capabilities Does It Require?
According to Carbon Black, one of the most important resources for threat hunting is a well-composed hunting party.
For example, you should recruit people familiar with the kinds of threats most likely to target your endpoints. In addition, you should seek out individuals who have, or could quickly obtain, knowledge of your full network and the various operating systems within it. Malware can make small but dangerous changes to operating systems, which is why this knowledge matters. Similarly, your team should become familiar with the baseline behaviors of all the endpoints connecting to the environment; that way they can detect abnormal behaviors and investigate.
We say “quickly obtain” because you may need to seek out team members with other skill sets or personality types; after all, we still live in the midst of the cybersecurity staffing crisis. Fast learners and passionate hunters should top your candidate list as much as experienced InfoSec professionals.
However, you should also invest in giving your threat hunting team the tools necessary for their roles. This includes remediation tools, but it also requires several key endpoint security capabilities.
For example, you should have multiple threat intelligence feeds to keep your team’s knowledge of potential cyber attacks up-to-date. Furthermore, you’ll need visibility into all endpoints, including devices connecting via bring-your-own-device (BYOD) policies.
As with traditional endpoint security, every endpoint and every user can become a target. Therefore, you need to have your hunters’ eyes on everything, as much as possible.
Why Threat Hunting?
Don’t get us wrong: having a strong digital perimeter via a next-generation endpoint security solution can only strengthen your overall cybersecurity. Even if you can’t prevent all threats trying to penetrate your network, you can certainly deflect or deter a majority of them.
For example, next-gen antivirus and firewalls can help prevent ransomware and fileless malware from reaching their targets. Indeed, a tough digital perimeter can deter inexperienced hackers from targeting your enterprise in the first place.
By the same token, having a reactive plan to a detected cyberattack—most prominently through an incident response plan—only bolsters your efforts. It can help your enterprise mitigate the damage, both digitally and commercially, of a breach. As with all of cybersecurity, speed counts.
However, waiting passively for a threat to come to your detection software can still give hackers an advantage against your endpoint security capabilities. In other words, passively approaching your threat monitoring gives your enemies more time to enact their plans, conceal their activities, and potentially destroy your network.
Moreover, certain threats are inherently more difficult for your endpoint security or your threat detection to catch. Carbon Black refers to one such example as “stealthy malware.” This breed of malware works to evade antivirus detection, and often reformats or reskins itself for each new target. While stealthy malware can trigger an EDR alert, that may only occur after the malware penetrates your network.
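To make the baselining idea from the “What Capabilities Does It Require?” section and the stealthy-malware point above concrete, here is an added example written for this article (not code from the Carbon Black guide). The process-creation telemetry, host names and hashes are all constructed: a sample whose hash was changed for this target slips past a hash deny list, while a per-host baseline of parent/child process pairs flags it.

```python
from collections import defaultdict

# Constructed endpoint process-creation telemetry (not real data):
# a quiet baseline period, then a hunt window containing one suspicious event.
BASELINE_EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "process": "winword.exe", "sha256": "aaa1"},
    {"host": "ws01", "parent": "explorer.exe", "process": "chrome.exe", "sha256": "bbb2"},
    {"host": "ws01", "parent": "services.exe", "process": "svchost.exe", "sha256": "ccc3"},
    {"host": "ws02", "parent": "explorer.exe", "process": "outlook.exe", "sha256": "ddd4"},
]
HUNT_EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "process": "winword.exe", "sha256": "aaa1"},
    # Re-skinned sample: same family seen elsewhere, but a never-before-seen hash,
    # launched by a document editor that spawns nothing on this host normally.
    {"host": "ws01", "parent": "winword.exe", "process": "updater.exe", "sha256": "eee5"},
    {"host": "ws02", "parent": "explorer.exe", "process": "outlook.exe", "sha256": "ddd4"},
]
# Hash deny list holding only the variant observed at some other victim (constructed).
KNOWN_BAD_HASHES = {"9999"}


def build_baseline(events):
    """Per-host set of (parent, child) pairs observed during the quiet period."""
    baseline = defaultdict(set)
    for e in events:
        baseline[e["host"]].add((e["parent"], e["process"]))
    return baseline


def signature_check(events, denylist):
    """Reactive detection: fires only when the hash is already known bad."""
    return [e for e in events if e["sha256"] in denylist]


def hunt_new_lineage(events, baseline):
    """Proactive hunt: flag parent/child pairs this host has never produced.
    A host with no baseline at all gets every event flagged, which is the
    conservative choice until hunters have profiled it."""
    return [e for e in events
            if (e["parent"], e["process"]) not in baseline[e["host"]]]


if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    print("signature hits:", signature_check(HUNT_EVENTS, KNOWN_BAD_HASHES))
    print("hunt findings:", hunt_new_lineage(HUNT_EVENTS, base))
```

In practice the baseline would be built from weeks of EDR telemetry and the flagged lineage would become a lead for the hunting team to investigate, not an automatic verdict.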
But Do I Really Need It?
Yes. That may appear like a blunt answer, but it represents the only sane answer.
Many enterprises, most especially small-to-medium-sized businesses, believe hackers won’t target them simply because of their size. Why attack us, they reason, when we’re surrounded by so many larger targets. However, this demonstrates dangerous wishful thinking.
Hackers target whatever business they think they can exploit, regardless of industry or size. If they find a way in, they’ll take advantage of it. To survive in this perilous digital marketplace, your business needs comprehensive next-generation endpoint security. Furthermore, to supplement your endpoint protection, you need a threat hunting team consistently on the lookout for threats lurking in your environment.
The stakes for enterprises of all sizes couldn’t be higher. For large businesses, the total cost of a data breach averages $4 million—a significant blow. On the other hand, for small businesses, the great majority end up closing six months after a data breach.
The longer a threat dwells on your network, the more damage it does. Fortunately, with threat hunting, you can cut hackers down to size.
Again, this article only scratches the surface of the full “Threat Hunting for Dummies” guide by Carbon Black. In it, they go into more detail about potential cyber attacks, training your threat hunting team, and how a hunt actually occurs. You can read the guide for free here.