If you lived in a climate with lots of mosquitos, gnats, and crawly things, your house could easily be overrun with pests. Where would you start to get rid of them? You could buy a fly swatter and start swinging away. But would you be able to swat fast enough to get ahead? Maybe, maybe not. Either way, it doesn’t make sense to start using your fly swatter at this point.
The best approach is to cover preventive measures first; close the doors, screen the windows, and caulk the cracks. You could also create an air-gapped entry allowing you to kill the bugs that are on you to prevent them from hitchhiking into your living quarters. No matter how creative and thorough your preventive measures are, it is still possible, if not likely, that a few bugs will breach your defenses and invade your living area. That is when using a fly swatter makes sense - and it’s time to go hunting.
Case in point, I have a colleague who is allergic to mosquitos. She needs to be able to find any mosquitos in her house to reduce her chances of getting bitten. While she has preventive measures in place, she needs a way to quickly find or trap any mosquitos in her house. And in her case, maybe she doesn’t want to use a fly swatter, she wants the best possible tools to zap them away.
The importance of preventive measures
The parallel to IT security threat hunting may be obvious, but it is worth discussing because controlling pests is most effective when preventive measures are in place. In security, too, the goal is to eliminate threats, not to hunt for them. Hunting isn’t cost-effective unless strong preventive controls are in place and operating effectively.
What should be in place before tackling threat hunting? The Center for Internet Security’s (CIS) Critical Security Controls (CSC) provide excellent guidance. The CSC is a prioritized list of the top twenty technical controls focused “on the most fundamental and valuable actions that every organization should take.”
The first five controls are essential, and the CIS refers to them as “Foundational Cyber Hygiene.” Here’s how Tenable SecurityCenter Continuous View™ (SecurityCenter CV™) can help you address the five highest priority controls:
- CSC1: Inventory of Authorized and Unauthorized Devices. Tenable provides multiple ways to inventory devices, including active discovery scans, intelligent connectors to third-party Configuration Management Database and Mobile Device Management systems, passive network listening, and host data from network devices.
- CSC2: Inventory of Authorized and Unauthorized Software. Similar to inventorying hardware, Tenable inventories software using active discovery scans, intelligent connectors to third-party systems, and passive network listening.
- CSC3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers. Tenable audit files support multiple standards to audit configuration conformance for a wide range of systems.
- CSC4: Continuous Vulnerability Assessment and Remediation. Tenable offers industry-leading active and agent-based vulnerability assessment. Passive listening supplements periodic scans with continuous vulnerability assessment to remove the blind spots between scans.
- CSC5: Controlled Use of Administrative Privileges. Tenable can test for the presence of accounts that should not be on a system and can test servers to ensure they are configured with the proper level of access control, including detecting servers that have not been locked down to the least level of privilege.
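The first, second and fifth controls share one underlying check: compare what discovery actually found against what the organization has explicitly authorized, and flag the difference. The script below is an added example of that reconciliation and is not Tenable code or SecurityCenter CV output; the baseline sets, the `Host` records and the MAC addresses, package names and account names in them are all constructed for illustration, standing in for what a scanner, CMDB connector or passive listener would export.

```python
"""Reconcile discovered devices, software and admin accounts against an
authorized baseline (CSC1, CSC2, CSC5 style checks).

Added example, not Tenable code. Every inventory value below is constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed baseline: what has been explicitly authorized.
AUTHORIZED_DEVICES = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"}
AUTHORIZED_SOFTWARE = {"openssh", "nginx", "postgresql"}
AUTHORIZED_ADMINS = {"root", "sysadmin"}


@dataclass
class Host:
    mac: str                  # device identity used for the CSC1 check
    hostname: str
    software: set[str]        # installed packages seen by discovery (CSC2)
    admin_accounts: set[str]  # accounts with administrative rights (CSC5)


# Constructed discovery results, as a scan or CMDB connector might return them.
DISCOVERED = [
    Host("00:11:22:33:44:01", "web01", {"openssh", "nginx"}, {"root", "sysadmin"}),
    Host("00:11:22:33:44:02", "db01", {"openssh", "postgresql", "netcat"}, {"root", "svc-extra"}),
    Host("de:ad:be:ef:00:01", "unknown-laptop", {"openssh"}, {"root"}),
]


@dataclass
class Findings:
    unauthorized_devices: list[str] = field(default_factory=list)
    missing_devices: list[str] = field(default_factory=list)          # in baseline, never seen
    unauthorized_software: dict[str, set[str]] = field(default_factory=dict)
    unauthorized_admins: dict[str, set[str]] = field(default_factory=dict)


def reconcile(hosts: list[Host], devices: set[str], software: set[str], admins: set[str]) -> Findings:
    """Return everything discovered that the baseline does not authorize,
    plus baseline devices that discovery did not see (a stale baseline is
    itself a finding, since nothing is protecting a device nobody scans)."""
    f = Findings()
    seen_macs = set()
    for h in hosts:
        seen_macs.add(h.mac)
        if h.mac not in devices:
            f.unauthorized_devices.append(h.hostname)
        extra_sw = h.software - software
        if extra_sw:
            f.unauthorized_software[h.hostname] = extra_sw
        extra_admins = h.admin_accounts - admins
        if extra_admins:
            f.unauthorized_admins[h.hostname] = extra_admins
    f.missing_devices = sorted(devices - seen_macs)
    return f


def prioritize(f: Findings) -> list[str]:
    """Order hosts for follow-up: a host that fails several controls at once
    (unknown device, unapproved software, unexpected admin) goes first."""
    score: dict[str, int] = {}
    for name in f.unauthorized_devices:
        score[name] = score.get(name, 0) + 1
    for name in f.unauthorized_software:
        score[name] = score.get(name, 0) + 1
    for name in f.unauthorized_admins:
        score[name] = score.get(name, 0) + 1
    return sorted(score, key=lambda n: (-score[n], n))


if __name__ == "__main__":
    findings = reconcile(DISCOVERED, AUTHORIZED_DEVICES, AUTHORIZED_SOFTWARE, AUTHORIZED_ADMINS)
    print("unauthorized devices :", findings.unauthorized_devices)
    print("baseline not seen    :", findings.missing_devices)
    print("unauthorized software:", findings.unauthorized_software)
    print("unexpected admins    :", findings.unauthorized_admins)
    print("investigate first    :", prioritize(findings))
```

The point of the `missing_devices` list is that an inventory control cuts both ways: a device that is authorized but never shows up in discovery is a blind spot, and the baseline and the discovery feed have to be reconciled in both directions before the remaining differences are worth an analyst's time.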
Time to hunt
After at least these five preventive controls are in place to protect your environment, you are ready to start hunting for threats. SecurityCenter CV continuously monitors your systems and network, looking for and prioritizing anomalous or suspicious activity that needs investigation. SecurityCenter CV dashboards speed your investigation by putting contextual information at your fingertips so you can quickly take action. For example, you could use the Detect Suspicious Activity dashboard shown below as a starting place. The most suspicious activity is highlighted in red, and you can click each red item to drill in and investigate.
Speaking of drilling in and investigating, we recently added a demo video to the Threat Hunting solutions page on our website. Please take three minutes to learn how SecurityCenter CV can help you identify malicious processes. Also, if you haven’t already done so, check out Tony Bradley’s blog post Finding Threats on Your Network: Hunt or Be Hunted and Elizabeth Gossell’s blog post Threat Hunting 101: Taming Your Data.