In 2019, one of the world’s biggest casinos called in a threat hunting team to perform a final piece of cyber security assurance to protect the identities and finances of its billionaire clients. The casino was using top-of-the-line security tools – the type of gear rarely seen outside a defence installation. Its last red team penetration test hadn’t been able to crack the state-of-the-art security.
They didn’t know it, but attackers were already inside.
Our threat hunters found more than 40 pieces of malware lurking on its systems. It’s a cautionary tale for any organisation that believes its cyber security controls are working. Because, on paper, the casino did everything right. It had a well-oiled, highly qualified Security Operations Centre (SOC) and leading-edge tools. It was regularly testing its infrastructure.
What went wrong?
The casino relied on its SOC to detect a breach. Cyber-criminal behaviour has changed, and threat actors are more sophisticated than ever.
The job of your SOC is to minimise the risk of attackers getting into your systems by identifying, analysing and reacting to cyber security threats. But your SOC isn’t perfect. It won’t always detect every single breach.
This is why, even though companies are accelerating their investment in monitoring and detection capabilities, the last five years have seen a 67% increase in security breaches.[1] Once an attacker breaches your defences, it takes them just 4 or 5 hours to compromise more endpoints.[2]
Just imagine the devastating impact on the casino and its clients if the malware hadn’t been detected in time.
Why can’t my SOC guarantee a perfect defence?
Because the job is too big and too complex – and the cards are stacked against them. For example, your security tools will catch the vast majority of common threats. But most undetected breaches are targeted at your industry – and even at your organisation. Creating infrastructure that can catch these breaches requires skilled and highly specific configuration of your tools. Even the best of the best don’t always get every single permutation right. And only one attack needs to get through. Instead, you need threat hunters, with the training, equipment and time to:
- Take a radically different approach – A threat hunter starts from the premise that there’s already been a breach. They hunt through years of aggregated logs and every alert that has ever been raised – and they bring with them the storage and computational power to do it.
- Think like an attacker – Rather than looking at your organisation through the lens of its security infrastructure, threat hunters think like an attacker. They see what an attacker would see if they were trying to break in. Looking for tiny anomalies in the noise of the current system, they follow the breadcrumbs.
- Look at the whole story – Threat hunters understand organisations rarely have perfect logs, which means current security alerts only capture part of the story. Hunters use specialised tools to gather and extract the missing logs to fill in the blanks.
- Leave no stone unturned – To make their job manageable, SOCs check and then eliminate friendly, ‘white-listed’ applications from their scanning purview. Hunters look at everything, no matter how innocent it appears.
- Recognise a hacker’s footprint – If an over-worked SOC analyst finds a malicious IP communicating out of your organisation, their response is often to quickly block the IP on your firewall. This tunes out the indicator but it ignores the fact that someone is trying to get in. In contrast, a hunter will see the malicious IP as a behavioural signal of a potentially broader compromise. They will follow the logs down to see if a host has been compromised and start looking for answers: Who is attacking? How many other hosts are speaking to it? How far has the infection spread?
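The last point above is the core of the hunter’s method: treat a single indicator as the start of an investigation, not the end of one. The script below is an added illustration, not code from the original article or from the threat hunting team it describes. It works over a handful of constructed connection-log lines (a simple "timestamp src dst dport" format, with documentation-range IP addresses as placeholders) and, starting from one known-bad external address, answers the three hunter questions in turn: which hosts are speaking to it, whether their contact pattern looks like clockwork beaconing, and how far the infection may have spread over administrative ports such as SMB and RDP. The log format, port list and thresholds are assumptions for the example.

```python
"""Pivot from one indicator (a malicious external IP) to the scope of a compromise.

Added example; constructed log data, not from the original article.
Log line format assumed here: "<ISO timestamp> <src-ip> <dst-ip> <dst-port>".
"""
from collections import defaultdict, deque
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 beacons hourly to the bad IP, then moves
# laterally to 10.0.0.7 and 10.0.0.9; 10.0.0.7 in turn reaches 10.0.0.12.
# 10.0.0.8 talks to a different site and to 10.0.0.5, but is not compromised.
LOG_LINES = """\
2019-03-01T09:00:00 10.0.0.5 203.0.113.10 443
2019-03-01T10:00:02 10.0.0.5 203.0.113.10 443
2019-03-01T11:00:01 10.0.0.5 203.0.113.10 443
2019-03-01T12:00:03 10.0.0.5 203.0.113.10 443
2019-03-01T12:15:00 10.0.0.5 10.0.0.7 445
2019-03-01T12:20:00 10.0.0.5 10.0.0.9 3389
2019-03-01T13:00:00 10.0.0.7 203.0.113.10 443
2019-03-01T14:00:01 10.0.0.7 203.0.113.10 443
2019-03-01T14:30:00 10.0.0.7 10.0.0.12 445
2019-03-01T09:30:00 10.0.0.8 198.51.100.20 443
2019-03-01T09:31:00 10.0.0.8 10.0.0.5 445
"""

BAD_IP = "203.0.113.10"               # the single indicator the hunt starts from (constructed)
LATERAL_PORTS = {445, 3389, 5985}     # SMB, RDP, WinRM: typical lateral-movement ports (assumed list)


def parse_log(text):
    """Parse log lines into sorted (datetime, src, dst, port) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return sorted(events)


def hosts_talking_to(events, ip):
    """Map each internal source host to the timestamps at which it connected to `ip`."""
    contacts = defaultdict(list)
    for ts, src, dst, _ in events:
        if dst == ip:
            contacts[src].append(ts)
    return dict(contacts)


def beacon_score(timestamps):
    """Coefficient of variation of the gaps between successive connections.

    Values near 0 mean near-perfectly regular contact, characteristic of
    automated command-and-control beaconing rather than human browsing.
    Returns None when there are too few samples to judge."""
    if len(timestamps) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    return pstdev(gaps) / mean(gaps)


def lateral_spread(events, first_contact, lateral_ports=LATERAL_PORTS):
    """Breadth-first walk over internal connections on lateral-movement ports.

    A hop only counts if it happens after the source host's own suspected
    compromise time, so an uncompromised host that merely connected to a
    victim is not swept in. Returns {host: earliest suspected compromise time}."""
    compromised = dict(first_contact)
    queue = deque(compromised)
    while queue:
        host = queue.popleft()
        since = compromised[host]
        for ts, src, dst, port in events:
            if src == host and port in lateral_ports and ts >= since and dst not in compromised:
                compromised[dst] = ts
                queue.append(dst)
    return compromised


def hunt(log_text, bad_ip):
    """Run the full pivot: direct contacts, beaconing regularity, and spread."""
    events = parse_log(log_text)
    direct = hosts_talking_to(events, bad_ip)
    first_contact = {host: min(times) for host, times in direct.items()}
    spread = lateral_spread(events, first_contact)
    return {
        "direct": sorted(direct),
        "beacon": {host: beacon_score(times) for host, times in direct.items()},
        "spread": sorted(spread, key=spread.get),
    }


if __name__ == "__main__":
    result = hunt(LOG_LINES, BAD_IP)
    print("hosts speaking to", BAD_IP, "->", result["direct"])
    print("beacon regularity (lower = more machine-like) ->", result["beacon"])
    print("suspected spread, in order of compromise ->", result["spread"])
```

Blocking 203.0.113.10 at the firewall would have silenced the alert while leaving four hosts to look at; the pivot surfaces two that never contacted the bad address at all. On real data the same pattern applies, only with the log parser swapped for the SIEM or NetFlow query of choice.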
When should you call in the threat hunters?
Threat hunters should be an essential facet of any cyber security strategy. Triggers to call them in include:
- Breaches – Your SOC has detected an attack and remediated it. Check to make sure it’s been completely eradicated. If even one compromised workstation remains, your company will soon be reinfected – as happened in Yahoo’s 2013 email hack that compromised 3 billion accounts.
- New security tools – Don’t build a wall if the attackers are already inside. Clean up the system while your SOC learns to use the new tool.
- M&A – Does your latest acquisition come with remote-access trojans embedded in its systems? Find out before you integrate your infrastructure.
- Assurance – Give your stakeholders and regulators absolute confidence that your systems haven’t been compromised.
As an added bonus, each time a threat hunting team works in your organisation, your SOC will learn from it. Hunters will work with your security teams to show them new methodologies to detect attackers already inside the system and how to remediate threats when they’re uncovered. It’s a great, practical learning experience, resulting in security teams adopting threat hunting practices in their day-to-day monitoring.
Who’s inside your system?
As the story of the casino warns, even the most sophisticated defences can be breached by persistent, well-funded attackers. There’s only one way to find out if your system is clean: call in the threat hunters.
[1] Accenture, Cost of cybercrime survey 2019
[2] Source: iDefense