Challenges to Threat Hunting
Threat hunting is no easy task – and it never has been, but the past year has presented threat detection teams with a host of new and unrelenting challenges. And those challenges aren’t just coming from the increasingly skilled and evasive threat actors – they’re coming from every angle:
- Ineffective tools
- Regulatory changes
- The skill gap across employees
- A constant sense of urgency with a shrinking window of time
- And a general lack of operational resources across the board
Looking ahead to 2023, the SnapAttack leadership team sat down to discuss the challenges that CISOs and security leaders should keep top of mind as they make plans for their threat detection teams and programs in the coming year.
Looking Back at Threat Hunting in 2022 - A Brief Recap
2022 had its fair share of cyber threats – from supply chain attacks to major company breaches to nation-state actors, security teams were kept as busy as ever. But every year has its own mountain of threats to tackle. What really set 2022 apart was the rapidly changing tech landscape and how threat detection teams had to adapt to it.
Take a preventative stance in your threat hunting – check out our webinar, “The Art + Science of Pre-Crime Threat Hunting”
Burnt out on buzzwords
Between XDR, ZTN, SOAR, EDR, SIEM, and others…security professionals are burnt out on buzzwords. Collecting an alphabet soup of tools and solutions has only led security teams to tricky situations riddled with vendor lock-in and sunken costs. Rather than simply building better detections, many teams are so overwhelmed with new tech solutions that they’re forgetting what their work is really about. While modern security tooling is often a great way to enhance security operations, it’s easy to get distracted by shiny new objects and their single-use quick fixes. Teams will find the most value in their tools, themselves, and one another when they shift the focus from an optimized toolkit to measurably creating better detection outcomes altogether.
Spending more on tools, hiring, and everything else
Big threats lead to big spending – neither of which was any shortage in 2022. According to Gartner, information security risk management spending totaled at a whopping $169 billion in 2022 – 7.2% growth from 2021. Among the vast array of tools, investments in teams, and costs associated with each incoming threat, CISOs and security teams are spending more than ever before. Luckily, the cyber tech landscape saw some further transformations last year that leaned in the consumer’s favor as well.
Convergence of the disparate tech landscape
In 2022, the security world saw the convergence of several leading organizations and threat hunting tools. As cyber giants expanded their offerings through acquisitions and partnerships, like Google’s acquisition of Mandiant, consumers enjoyed at least some consolidation of their threat detection toolkit. And in a space where a new “tool of the week” hits the market time and time again like clockwork, any merging between security providers is a win.
What to Expect for Threat Hunting in 2023
Looking forward to 2023, there’s no alleviation of pressure on threat hunters, CISOs, or their teams – but what many teams have now (that they lacked in 2022) is the foresight, tooling infrastructure, and experience to adapt to and combat the challenges that lie ahead.
Threat Hunting Prediction 1: Increased liability for CISOs
In 2022, Uber’s former CISO was federally convicted for covering up a 2016 data breach – and while CISOs have been publicly fired or reprimanded for poor security practices countless times, this is the first time one has been criminally charged.
The CISO role is no stranger to scapegoating – but this instance goes far beyond a public reprimand. In the past year, the government has taken a more watchful, critical stance towards cybersecurity with a slew of new regulations, leaving CISOs more vulnerable than ever before. In most cases, the liability falls on the CISO and their security teams to follow strict guidelines surrounding data privacy, especially when consumer data is at play.
In 2023, CISOs can expect this trend to continue and should keep an eye out for emerging laws and regulations that have the potential to impact their operations. Additionally, they must have a complete and comprehensive understanding of their coverage as well as their gaps – and the confidence in their tools to answer the question, “Are we protected?” with certainty. And if they can’t do any of those things, they should instead prepare to shell out millions of dollars in fines for noncompliance penalties…or in more dire cases like that with Uber, a criminal conviction.
Check out how SnapAttack equips CISOs to answer the question, “Are we protected?” with confidence: Solutions for CISOs datasheet
Threat Hunting Prediction 2: More holistic approach to cyber resilience focus
Threat hunting is a demanding, comprehensive activity that requires experienced personnel, capable threat hunting tools, and advanced technology – all of which require a constant investment of time and resources. However, the culture around threat detection has become one that prioritizes quantity over quality: teams aim to acquire more tools and more people, but that doesn’t necessarily translate to more threats detected.
Enterprise drift is a major obstacle for companies, especially because of the gradual nature with which it affects security landscapes. For example, if a team installed and secured a firewall six months ago, that doesn’t mean it’s still secured today. Whether internal systems have been changed, the firewall has been tinkered with, or the organization’s general security landscape has just changed (which they constantly do), enterprise drift has occurred and that firewall is not as secure as it once was.
Now more than ever, threat hunters are operating in scattered, ever-changing environments such as the cloud…and no (as in not one) organization has 100% confidence in what their asset attack surface really looks like. To achieve a true stance of cyber resilience, threat hunting teams must take a holistic, proactive stance to cybersecurity – not a fragmented view where they’re left playing cat and mouse. Otherwise, they’re not hunting as much as they are running around in a game of high-stakes tag.
According to Forbes, comprehensive threat intelligence and detection platforms will be the key to achieving prevention in the chaotic 2023 threat landscape – investing in tools that bundle threat hunting activities along with compliance initiatives and organizational considerations as a whole will prove extremely valuable both in the coming year and the long-run.
Develop a proactive, structured threat hunting program – read our eBook, Streamlining the Threat Detection Development Lifecycle with SnapAttack
Threat Hunting Prediction 3: Common threats worsening + persisting
Every year, there are around 25,000 CVEs for threat hunters to look out for – and this past year, the MITRE ATT&CK team even added another digit to keep up with the growing volume of threats. Many attackers are abusing misconfigurations or other common weaknesses, such as multi-factor authentication (MFA) attacks and other compromises of valid accounts.
2022 was a year of persistent, worsening threats coming from every angle… and unfortunately, that isn’t going anywhere in the New Year. Zero days, ransomware, and high-value techniques like MFA attacks and cookie theft ran rampant through security teams across the country, and actors are only getting more sophisticated and evasive moving forward.
However, the takeaway here isn’t that attacks are persisting – it’s that threat detection teams need to adjust the way they hunt if they want to keep up with worsening threats. Many security teams approach threat detection through the lens of indicators of compromise (IOCs) which they deem “good enough” – but the reality is that IOCs are nowhere near close to “good enough”. IOCs are based on the dated assumption that attackers reuse the same infrastructure for every breach. However, they’re far past that – hackers constantly evolve their tactics, techniques, and procedures (TTPs) to avoid leaving a traceable trail behind them.
Initial access is, unfortunately, inevitable – and if teams think there’s no way that it could happen, that almost guarantees that it will. Today, the best way to block hackers out is to stay several steps ahead of them.
Teams can achieve a proactive, preventative stance by detecting and responding to hackers’ behavioral actions and TTPs rather than relying on the ephemeral infrastructure they’ve likely long since stopped using. That way, threat hunters can get earlier in the killchain to identify and even prevent attacks from slipping through, even when the attacker is using new or unknown TTPs.
"The IOC problem is exacerbated by the complexity of the technology landscape - it’s hard to move from tool to tool. You need to make many improvements from one tool to the next, and that’s a daunting task...just to be able to consider getting better is a mental block within itself."
Threat Hunting Prediction 4: Talent shortage
The talent shortage is nothing new in cybersecurity – but it’s certainly starting to catch up to threat detection teams everywhere. Threat detection is a complex, involved job that requires an experienced practitioner every step of the way who knows both their own and bad actors’ tools and techniques like the back of their hand. And while there’s an endless supply of entry-level cybersecurity professionals, the costs and resources to level up their skill sets are often just out of reach for SOC managers and CISOs.
Additionally, the job description of a threat hunter rarely describes someone who’s just a threat hunter. They wear several hats on the threat detection team and must have the knowledge to step into another role as the need arises.
Rather than looking for this breadth of expertise in their people, CISOs should look instead to their tools and technology stack: are their tools adequately equipping teams, regardless of skill level? It’s possible that their teams have the potential to reach the level CISOs need them at – they just need the right tools to get them there.
In this case, CISOs can look to leverage vendors to address the lower-hanging fruit, alleviating their staff to address more business-critical needs. Additionally, machine learning (ML) and artificial intelligence (AI) can enhance output from even more junior employees by automating administration, incident response, threat hunting, and threat detection processes.
Note: Cloud-based artificial intelligence solutions utilize AI and ML to identify threats without signatures resulting in ever-growing accuracy. AI constantly grows and learns from your environment; to achieve continual, automated tuning without requiring manual input, it mixes supervised and unsupervised learning. As a result, over time, both your security and threat hunting become more intelligent. CrowdStrike Falcon is a great example of cloud-based AI modeling and a pre-execution, on-sensor/cloud-based machine learning model, operating synchronously to automatically detect and respond to threats.
Conclusion: So what can CISOs do to equip threat hunting teams?
Years of increasing costs, threats, actor techniques, and operational challenges have snowballed into what is quickly looking like a complete paradigm shift in the threat detection industry. Teams are trying to keep up, but they often look in the wrong places, like hyper-specific tools and quick bandaids on their vulnerabilities.
To prepare for the next frontier of cybersecurity, one where threat actors move with stealth and expertise, CISOs have to make investments that are effective and long-lasting. They have to assess the gaps in their teams before a hacker beats them to it. They have to build a threat detection program that’s proactive, comprehensive, and cost-effective – and if 2022 has taught us anything, they have no time to waste.
SnapAttack was built by CISOs, SOC leaders, and threat hunters for CISOs, SOC leaders, and threat hunters.
By rolling intel, adversary emulation, detection engineering, threat hunting, and purple teaming into a single, easy-to-use product with a no-code interface, SnapAttack enables you to get more from your technologies, more from your teams, and makes staying ahead of the threat not only possible but also achievable.
Schedule a demo today to see how you can finally answer the question, “Are we protected?” with confidence.
