In our current cybersecurity landscape, threat hunting is often seen as the most proactive practice organizations can perform to protect themselves against cyberattacks. But why simply hunt the threats when you can stop them? In this blog, we discuss both threat stopping (also known as network detection and response) and threat hunting – the definitions, the benefits, and why the edge goes to the former.
Sophisticated and Targeted. These are the two words being used to describe nearly every massive cyberattack we’ve seen in the news. And, while the idea of a “sophisticated” cyberattack might differ depending on who you ask, there’s no denying that overall, the cybersecurity attack surface keeps expanding while network security visibility becomes more limited. We’re now at a point where we not only have “known unknowns” – the threats our industry knows we don’t know about – but also “unknown unknowns” – the threats that haven’t even been developed yet, but could make their entrance at any given moment.
With this in mind, many organizations have turned to cyber threat hunting as a way to actively seek out and investigate those unknown threats rather than relying on the protection of typical threat detection systems, which are often used to prevent known network security attacks. However, as cyberattacks continue to increase in size, scope, and sophistication, organizations are looking to be even more proactive. They’re looking to stop threats through network detection and response (NDR) – not simply hunt them.
What’s the difference between these two practices, and how do organizations determine which one is right for them? Here’s our breakdown – and our thoughts on why the IT security industry needs to shift to threat stopping. If we want to collectively stay ahead of the next iteration of cyberattacks and data breaches, we need to modernize the rules of the cybersecurity game.
What is threat stopping?
Threat stopping, also known as network detection and response (NDR), is a network security solution that provides full cybersecurity visibility for both known and unknown threats to an organization’s network. NDR solutions use machine learning to constantly inspect and analyze traffic (north/south and east/west) and build a model (playbook) that reflects that network’s typical behavior.
When these playbook platforms detect suspicious activity, they immediately inform the network team of the threat event’s scope and severity, suggest a course of action to remediate the threat, and send automatic responses to stop the threat before it infiltrates the network or exfiltrates data from it.
What are the benefits of threat stopping?
There are several key benefits to threat stopping. NDR solutions help organizations improve their network security visibility – making it possible to spot both known and unknown threats on an attack surface. And once those threats are seen and “hunted” down, NDR tools take it a step further by responding to the threat in minutes or hours.
It’s these automatic responses that can save SOCs time and money, specifically in terms of finding additional highly skilled cybersecurity talent. An NDR tool, especially when integrated with security orchestration, automation and response (SOAR) technology, can act as the ongoing operational component of enterprise network security, including real-time risk awareness, reaction, and reporting. For these reasons, it reduces the financial burden on a SOC and creates a more fluid and instantaneous way to stop, contain, and prevent cyberattacks.
What are the benefits of CloudCover’s threat stopping?
If our industry wants to limit the number of sophisticated and targeted cyberattacks in real time, we must continue to shift to the next era of AI/ML network security solutions: threat stopping through network detection and response tools that accurately identify and proactively stop security threats at microsecond speeds, such as the CyberSafety CC/B1 Platform™.
The CC/B1 employs advanced mathematics utilizing deep packet inspection, continuous machine learning, and predictive risk analysis – delivering attack surface management and real-time threat response with 99.9999999% accuracy.
What is threat hunting, and how does it differ from threat stopping?
As discussed above, threat stopping provides visibility for known and unknown threats by using machine learning to establish a playbook to detect, remediate, and automatically respond to suspicious activity.
Threat hunting, on the other hand, assumes malicious actors are already present in an organization’s network. It monitors traffic across the network, investigating possible anomalies or unusual behavior that might point to new or never-before-seen threats. The goal is to find those activities before a full-blown data breach occurs. This idea of “assuming a breach” might sound a little strange – until you consider that attackers might be hiding out undetected in the network for days, weeks, or even months.
Threat hunting is a step above threat detection, which is more interested in passive inspection of the network for threats that are already recognized. With threat detection, an alert is created when the tool finds a match using a database-driven playbook – and a human then steps in to determine next steps.
There are several approaches to a threat hunting investigation:
- Hypothesis-driven: These investigations are often triggered after a new threat has been identified through a large pool of crowd-sourced data. Investigators will look for signs of an attacker’s TTPs – tactics, techniques, and procedures – and will examine their own networks for signs of identical behavior.
- IOC- or IOA-driven: An indicator of compromise, or IOC, is evidence that indicates network security has been breached. When you find an IOC, it’s a safe assumption that your network has already been compromised. In contrast, an indicator of attack (IOA) focuses more on detecting the intent of what an attacker is trying to accomplish, regardless of the tactic they’re using. Both of these indicators can be cataloged and used to uncover new, unknown cyber security attacks.
- Data analysis and machine learning: Machine learning is based on the premise that systems can learn from data, identify patterns, and make decisions with minimal human intervention, and threat hunters apply this capability to networks in an effort to identify suspicious activities that warrant a follow-up.
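To make the baseline-and-deviation idea from the threat stopping section and the IOC-driven and data-analysis hunting approaches above concrete, here is a small added example. It is not CloudCover code and not how the CC/B1 Platform works internally; every flow record, IP address (TEST-NET documentation ranges), watchlist entry and threshold is constructed for illustration. It learns a per-host baseline of "who talks to whom, on which port, with how much volume" from a clean window, then hunts over new flows for three things: a destination on an IOC watchlist, a never-before-seen peer/port pair, and an outbound volume far outside the learned baseline.

```python
"""Constructed example: a minimal hunt over network flow records.

Two of the approaches described above are implemented:
  * IOC-driven: match destination IPs against a watchlist.
  * Data analysis: learn a per-host baseline of typical behaviour from a
    clean window, then flag flows that deviate from it.
All records, addresses and thresholds are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    bytes_out: int


# Constructed "known good" window used to build the baseline (the playbook).
BASELINE_FLOWS = [
    Flow("10.0.1.10", "10.0.2.20", 445, 4_000),
    Flow("10.0.1.10", "10.0.2.20", 445, 4_200),
    Flow("10.0.1.10", "10.0.2.20", 445, 3_900),
    Flow("10.0.1.10", "10.0.2.21", 443, 12_000),
    Flow("10.0.1.10", "10.0.2.21", 443, 11_500),
    Flow("10.0.1.10", "10.0.2.21", 443, 12_400),
    Flow("10.0.1.11", "10.0.2.21", 443, 8_000),
    Flow("10.0.1.11", "10.0.2.21", 443, 8_300),
    Flow("10.0.1.11", "10.0.2.21", 443, 7_900),
]

# Constructed IOC watchlist (documentation addresses, not real indicators).
IOC_WATCHLIST = {"203.0.113.7", "198.51.100.42"}

# Constructed flows to hunt over; comments state what each should trigger.
HUNT_FLOWS = [
    Flow("10.0.1.10", "10.0.2.20", 445, 4_100),      # normal
    Flow("10.0.1.10", "10.0.2.21", 443, 12_100),     # normal
    Flow("10.0.1.11", "203.0.113.7", 443, 9_000),    # IOC hit
    Flow("10.0.1.10", "10.0.2.21", 443, 450_000),    # volume anomaly
    Flow("10.0.1.11", "10.0.2.30", 3389, 2_000),     # never-seen peer/port
]


def build_baseline(flows):
    """Learn, per source host, its usual (dst, port) peers and the
    mean/stddev of bytes sent on each (src, dst, port) tuple."""
    peers = defaultdict(set)
    volumes = defaultdict(list)
    for f in flows:
        peers[f.src].add((f.dst, f.dst_port))
        volumes[(f.src, f.dst, f.dst_port)].append(f.bytes_out)
    stats = {k: (mean(v), pstdev(v)) for k, v in volumes.items()}
    return {"peers": dict(peers), "stats": stats}


def hunt(flows, baseline, watchlist, z_threshold=3.0):
    """Return (flow, reason) pairs for flows worth an analyst's follow-up.
    Checks run in priority order: IOC match, new peer, volume deviation."""
    findings = []
    for f in flows:
        if f.dst in watchlist:
            findings.append((f, "ioc_match"))
            continue
        if (f.dst, f.dst_port) not in baseline["peers"].get(f.src, set()):
            findings.append((f, "new_peer"))
            continue
        mu, sigma = baseline["stats"][(f.src, f.dst, f.dst_port)]
        # A constant baseline gives sigma == 0; use a floor so one small
        # fluctuation is not reported as an infinite deviation.
        if sigma == 0:
            sigma = max(mu * 0.1, 1.0)
        if (f.bytes_out - mu) / sigma > z_threshold:
            findings.append((f, "volume_anomaly"))
    return findings


def run_example():
    """Build the baseline from the clean window and hunt the new flows."""
    return hunt(HUNT_FLOWS, build_baseline(BASELINE_FLOWS), IOC_WATCHLIST)


if __name__ == "__main__":
    for flow, reason in run_example():
        print(f"{reason:16} {flow.src} -> {flow.dst}:{flow.dst_port} "
              f"({flow.bytes_out} bytes)")
```

The point of the example is the division of labour the post describes: the IOC check is the database-driven match a detection tool performs, while the peer and volume checks are the "what does normal look like for this host" reasoning a hunter or an NDR baseline applies to find activity no signature describes. A production system would learn far more features (timing, protocol, direction) and keep updating the baseline continuously; the floor on sigma is there because a host seen only a few times in the clean window would otherwise trip on any change at all.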
Threat hunting is popular in cybersecurity because it relies on human judgment. There is a tangible human component – a seasoned threat hunter is equal parts “technical and investigative” – and as they gain experience with an organization’s network, their knowledge of the landscape continues to grow, which means investigations improve and it becomes easier to detect suspicious activity.
What are the downfalls of threat hunting?
On paper, it can be tough to see the obstacles associated with threat hunting. Proactively identifying unknown threats and stopping data breaches is incredibly important. However, regardless of the approach taken during a threat hunting investigation, it still requires human interaction – in an industry that’s in need of approximately three million workers.
Keeping a security operations center (SOC) properly staffed and/or avoiding cyber fatigue is already a challenge due to the ongoing cybersecurity workforce gap – which makes it even harder to find threat hunting expertise. Because of this, many organizations opt to use managed services and threat hunting platforms for more affordable, around-the-clock monitoring – but human threat hunters are still needed.
In addition, there are very few guidelines when it comes to cyber threat hunting approaches. For it to be successful, threat hunting needs to be a continuous process – one that has clear goals and is well-structured, not something that’s done every so often when a SOC has time.
Because of the level of human interaction involved, it’s clear that threat hunting is good – but threat stopping is better. Our CyberSafety CC/B1 Platform detects and stops threats in real time as an extended network detection and response (X/NDR) technology, helping data-rich organizations of all industries and sizes enjoy proactive cybersecurity and cyber safety.
Learn more about CC/B1 by visiting: cloudcover.cc/cybersafety-platform/