Threat hunting: Improving resilience with an intelligence-driven, hypothesis-based approach
February 5, 2019
In today’s business environment, enterprises are in a never-ending arms race against savvy, persistent and malevolent threat actors who are dead set on infiltrating their digital infrastructures. Not only are these adversaries adept at evading traditional security controls, but they strike with focus and pace while remaining well hidden within networks.
So, how do enterprises keep pace? They push past the limits of traditional cyber defense by adopting a proactive, threat-centric approach, one that puts them inside the mind of their adversaries so they can better understand the variety of tactics, techniques, and procedures (TTPs) used to compromise networks, perform malicious or unauthorized activity, and evade detection.
Accenture’s approach focuses on conducting threat hunts to uncover subtle intrusion attempts that security monitoring systems usually miss. Unlike a traditional monitoring capability, where an analyst will investigate events based on alerts, our approach combines actionable intelligence with testable hypotheses to drive outcome-based operations. Leveraging this approach enables expansion of visibility and detection capabilities by moving beyond the boundaries of "known bads" and into uncharted attack surfaces, to proactively research, develop, and execute advanced threat hunting missions.
Effective threat hunting is predicated on three primary fundamentals:
It's not all about tools and technology.
More art than science, threat hunting combines advanced security experience with continual outside-the-box thinking to keep pace with adversary tactics. Like detective work, it is a profession that requires problem-solving skills and the tenacity to keep learning as much as it requires technical knowledge or hands-on-keyboard experience. In other words, it takes a curious mind and creative thinking to solve a crime.
So, less beat cop, more Sherlock Holmes, threat hunters go beyond securing a crime scene and preserving evidence. Threat hunters must construct specific, provable hypotheses — based on contextualized, actionable threat intelligence — that aim to connect the dots, determine what's normal and what's not, and identify outliers.
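The following is an added illustration, not Accenture’s code or methodology, of what a "specific, provable hypothesis" looks like once it is written down as a check that can pass or fail. The hypothesis, the key=value telemetry format, the ten workstations, the process names and the 20% prevalence threshold are all constructed for the example. It stacks parent/child process pairs across hosts, treats the pairs seen everywhere as the baseline of "normal", flags the rare ones as outliers for a hunter to review, and records the outcome so the hunt can feed back into detection engineering whether or not it finds anything.

```python
"""Hypothesis-based hunt over constructed endpoint telemetry.

Added example, not Accenture's code.  The hypothesis is constructed for
illustration: if an adversary has a foothold, some parent/child process
pairs will be rare across the estate, because legitimate software launches
the same children on most hosts.  Stacking (counting) each pair per host and
flagging the rare ones turns the hypothesis into a check that can pass or
fail, and the outcome is recorded so it can feed back into the programme.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Event = Tuple[str, str, str]  # (host, parent process, child process)


def _constructed_log() -> str:
    """Build constructed key=value telemetry lines for ten workstations."""
    lines = []
    for n in range(1, 11):
        host = f"ws{n:02d}"
        lines.append(f"2019-02-05T09:00:00Z host={host} parent=explorer.exe child=outlook.exe")
        lines.append(f"2019-02-05T09:00:01Z host={host} parent=services.exe child=svchost.exe")
        if n <= 8:
            lines.append(f"2019-02-05T09:05:00Z host={host} parent=explorer.exe child=chrome.exe")
    # Two constructed pairs that only ever appear on a single host each.
    lines.append("2019-02-05T10:12:44Z host=ws07 parent=winword.exe child=powershell.exe")
    lines.append("2019-02-05T11:30:02Z host=ws03 parent=outlook.exe child=cmd.exe")
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()


def parse_events(log: str) -> List[Event]:
    """Parse key=value lines into (host, parent, child); skip malformed lines."""
    events = []
    for line in log.splitlines():
        # First token is the timestamp; the rest are key=value fields.
        fields = dict(tok.split("=", 1) for tok in line.split()[1:] if "=" in tok)
        if {"host", "parent", "child"} <= set(fields):
            events.append((fields["host"], fields["parent"].lower(), fields["child"].lower()))
    return events


def stack_parent_child(events: List[Event]) -> Dict[Tuple[str, str], Set[str]]:
    """Stack events so each parent/child pair is counted once per host."""
    hosts_by_pair: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for host, parent, child in events:
        hosts_by_pair[(parent, child)].add(host)
    return hosts_by_pair


def hunt_rare_pairs(events: List[Event], max_prevalence: float = 0.2) -> List[dict]:
    """Flag pairs seen on no more than max_prevalence of the hosts observed."""
    total_hosts = len({host for host, _, _ in events})
    findings = []
    for (parent, child), hosts in stack_parent_child(events).items():
        prevalence = len(hosts) / total_hosts
        if prevalence <= max_prevalence:
            findings.append({"parent": parent, "child": child,
                             "hosts": sorted(hosts), "prevalence": prevalence})
    # Rarest first; ties broken by name so the output is stable for review.
    return sorted(findings, key=lambda f: (f["prevalence"], f["parent"], f["child"]))


def hunt_outcome(events: List[Event], max_prevalence: float = 0.2) -> dict:
    """Summarise the hunt so its result can be fed back, found or not."""
    findings = hunt_rare_pairs(events, max_prevalence)
    return {
        "hypothesis": "rare parent/child process pairs indicate unreviewed activity",
        "hosts_observed": len({host for host, _, _ in events}),
        "pairs_observed": len(stack_parent_child(events)),
        "findings": findings,
        "result": "investigate" if findings else "no evidence; refine or retire hypothesis",
    }


if __name__ == "__main__":
    outcome = hunt_outcome(parse_events(SAMPLE_LOG))
    print(outcome["result"])
    for f in outcome["findings"]:
        print(f"{f['parent']} -> {f['child']} on {f['hosts']} (prevalence {f['prevalence']:.0%})")
```

The point of `hunt_outcome` is the closed loop the post describes: a hunt that finds nothing is still a result, and recording the hypothesis, the coverage (hosts and pairs observed) and the threshold used is what lets the next hunt refine it rather than repeat it. On the constructed data the two single-host pairs are flagged and the chrome.exe pair, present on 80% of hosts, is treated as baseline.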
Consistent methodology and approach
Though hypothesis-based threat hunting is not a new concept, few organizations can dedicate the resources, process rigor and governance support required to effectively implement this approach at scale.
To be successful, a threat hunting mission must draw on threat intelligence and move logically through an attack life cycle into considerations for specific adversary profiles and their associated TTPs. At Accenture, our results-oriented detection approach requires hunters to think methodically about how an attack could be executed and hypothesize likely outcomes. With a goal of detecting and disrupting an attack as early as possible in the life cycle, we fortify this approach with risk context and our ability to think like adversaries.
Finally, given the complexity and far-reaching impact of threat hunting across an enterprise, we advocate the deployment of a strong governance structure, the application of defined processes, and the establishment of clear roles and responsibilities to help ensure a successful and sustainable capability. Without a consistent approach supported by strong governance, quantifying progress for leadership – for example, by demonstrating risk reduction, dwell time improvements, or overall resilience improvements over time – can prove challenging.
Focus on the big picture—improving overall cyber resilience
As the enterprise technology environment is constantly changing and growing, intelligence-driven, hypothesis-based threat hunting will consistently expose problem areas and unmanaged risks — and that's not necessarily a bad thing. An advanced threat hunting capability often forces organizations to re-evaluate the efficacy of their security programs and become better informed about the data, people and technology environment that drives the business.
Accenture provides a global end-to-end threat hunting solution that merges best-of-breed tools and actionable security intelligence from iDefense with highly skilled, seasoned threat hunters who, with their real-world security operations center (SOC) experience, can explain risks at the highest level and transition findings into actionable operational details. No matter the industry, cyber defense strategy or organizational maturity level, our goal remains the same: to help enterprises outpace a constantly evolving threat landscape.
Accenture follows a phased threat hunting life cycle. Underpinned by threat intelligence, situational awareness, and consistent communications, this closed-loop life cycle is intended to promote the proactive, analytical and creative nature of threat hunting missions while simultaneously feeding hunt data and outputs back to enrich an organization’s entire cyber defense program.
In our next blog post, we’ll explore Accenture’s approach to threat hunting in depth.
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.
Copyright © 2020 Accenture. All rights reserved. Accenture, its logo, and High Performance Delivered are trademarks