In today’s business environment, enterprises are in a never-ending arms race. An arms race against savvy, persistent and malevolent threat actors who are dead set on infiltrating their digital infrastructures. Not only are they adept at evading traditional security controls, but they strike with focus and pace while remaining well-hidden within networks.
So, how do enterprises keep pace? They push past the limits of traditional cyber defense by adopting a proactive, threat-centric approach. An approach that puts them inside the mind of their adversaries so they can better understand the variety of tactics, techniques, and procedures (TTPs) that are used to compromise networks, perform malicious or unauthorized activity, and evade detection.
Threat hunting approach
Accenture’s approach focuses on conducting threat hunts to uncover subtle intrusion attempts that security monitoring systems usually miss. Unlike a traditional monitoring capability, where an analyst will investigate events based on alerts, our approach combines actionable intelligence with testable hypotheses to drive outcome-based operations. Leveraging this approach enables expansion of visibility and detection capabilities by moving beyond the boundaries of "known bads" and into uncharted attack surfaces, to proactively research, develop, and execute advanced threat hunting missions.
Effective threat hunting is predicated on three primary fundamentals:
It's not all about tools and technology.
More art than science, threat hunting combines advanced security experience with continual outside-the-box thinking to keep pace with adversary tactics. Like that of a detective, it’s a profession that requires problem-solving skills and the tenacity to learn as much as it does technical knowledge or hands-on-keyboard experience. In other words, it takes a curious mind and creative thinking to solve a crime.
So, less beat cop, more Sherlock Holmes, threat hunters go beyond securing a crime scene and preserving evidence. Threat hunters must construct specific, provable hypotheses — based on contextualized, actionable threat intelligence — that aim to connect the dots, determine what's normal and what's not, and identify outliers.
Consistent methodology and approach
Though hypothesis-based threat hunting is not a new concept, few organizations can dedicate the resources, process rigor and governance support required to effectively implement this approach at scale.
To be successful, a threat hunting mission must draw on threat intelligence and move logically through an attack life cycle into considerations for specific adversary profiles and their associated TTPs. At Accenture, our results-oriented detection approach requires hunters to think methodically about how an attack could be executed and hypothesize likely outcomes. With a goal of detecting and disrupting an attack as early as possible in the life cycle, we fortify this approach with risk context and our ability to think like adversaries.
Finally, given the complexity and far-reaching impact of threat hunting across an enterprise, we advocate the deployment of a strong governance structure, the application of defined processes, and the establishment of clear roles and responsibilities to help ensure a successful and sustainable capability. Without a consistent approach supported by strong governance, quantifying progress for leadership – for example, by demonstrating risk reduction, dwell time improvements, or overall resilience improvements over time – can prove challenging.
Focus on the big picture—improving overall cyber resilience
As the enterprise technology environment is constantly changing and growing, intelligence-driven, hypothesis-based threat hunting will consistently expose problem areas and unmanaged risks — and that's not necessarily a bad thing. An advanced threat hunting capability often forces organizations to re-evaluate the efficacy of their security programs and become better informed about the data, people and technology environment that drives the business.
Accenture provides a global end-to-end threat hunting solution that merges best-of-breed tools and actionable security intelligence from iDefense with highly skilled, seasoned threat hunters who, with their real-world security operations center (SOC) experience, can explain risks at the highest level and transition findings into actionable operational details. No matter the industry, cyber defense strategy or organizational maturity level, our goal remains the same: to help enterprises outpace a constantly evolving threat landscape.
The hunting cycle: A closed loop
Accenture follows a phased threat hunting life cycle. Underpinned by threat intelligence, situational awareness, and consistent communications, this closed-loop life cycle is intended to promote the proactive, analytical and creative nature of threat hunting missions while simultaneously feeding hunt data and outputs back to enrich an organization’s entire cyber defense Program.
In our next blog post, we’ll explore Accenture’s approach to threat hunting in depth.