The chances are very high that hidden threats are already in your organization’s networks. Organizations can’t afford to believe that their security measures are perfect and impenetrable, no matter how thorough their security precautions might be. Having a perimeter and defending it are not enough because the perimeter has faded away as new technologies and interconnected devices have emerged.
Prevention systems alone are insufficient to counter focused human adversaries who know how to get around most security and monitoring tools by, for example, making their attacks look like normal activity. Prevention systems and tools help reduce opportunities for adversaries and enable analysts to operate more effectively. The key, however, is to constantly look for attacks that get past security systems and to catch intrusions in progress rather than after attackers have completed their objectives and done worse damage to the business. This process is referred to as “cyber threat hunting.” Many organizations today do some type of formal or informal hunting. For example, rather than waiting for the “you’ve been breached” notification, they are intermittently or constantly searching through their own networks for evidence of threat activity.
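To make the contrast between waiting for an alert and actively searching concrete, the following is an added example, not part of the paper, of one widely used hunting technique: "stacking" (long-tail frequency analysis) over logon records. The hunter starts from a hypothesis (an account appearing from a host it rarely uses; one account reaching unusually many hosts) and pulls the supporting evidence for an analyst to pivot on. The account and host names, the sample records and the thresholds are all constructed assumptions for this example.

```python
"""Hypothesis-driven hunt over constructed logon records (added example).

Two hunting hypotheses are checked over the same data:
  1. rare (account, source_host) pairs, found by stacking pair counts;
  2. accounts with an unusually large fan-out of destination hosts.
Both surface activity that looks "normal" to a per-event alert rule.
"""
from collections import Counter, defaultdict

# Constructed sample records, not real telemetry.
# Each tuple is (timestamp, account, source_host, destination_host).
SAMPLE_LOGONS = [
    ("2024-03-01T08:02:11Z", "alice", "ws-alice", "fileserver01"),
    ("2024-03-01T08:05:40Z", "alice", "ws-alice", "fileserver01"),
    ("2024-03-01T09:11:02Z", "alice", "ws-alice", "mail01"),
    ("2024-03-01T08:10:13Z", "bob", "ws-bob", "fileserver01"),
    ("2024-03-01T08:12:55Z", "bob", "ws-bob", "fileserver01"),
    ("2024-03-01T10:30:00Z", "bob", "ws-bob", "mail01"),
    ("2024-03-01T02:00:00Z", "svc-backup", "backup01", "fileserver01"),
    ("2024-03-01T02:00:05Z", "svc-backup", "backup01", "fileserver01"),
    ("2024-03-01T02:00:10Z", "svc-backup", "backup01", "mail01"),
    # Constructed outliers: alice from bob's workstation, and a service
    # account used interactively from a workstation against several hosts.
    ("2024-03-01T23:41:09Z", "alice", "ws-bob", "fileserver01"),
    ("2024-03-01T23:45:30Z", "svc-backup", "ws-carol", "dc01"),
    ("2024-03-01T23:46:02Z", "svc-backup", "ws-carol", "hr-db01"),
    ("2024-03-01T23:47:18Z", "svc-backup", "ws-carol", "fileserver02"),
]


def stack_logon_pairs(records):
    """Count how often each (account, source_host) pair appears."""
    return Counter((acct, src) for _ts, acct, src, _dst in records)


def rare_logon_pairs(records, max_count=1):
    """Hypothesis 1: pairs seen at most max_count times are worth a look."""
    counts = stack_logon_pairs(records)
    return sorted(pair for pair, n in counts.items() if n <= max_count)


def destination_fan_out(records):
    """Number of distinct destination hosts each account touched."""
    dests = defaultdict(set)
    for _ts, acct, _src, dst in records:
        dests[acct].add(dst)
    return {acct: len(hosts) for acct, hosts in dests.items()}


def high_fan_out_accounts(records, min_destinations=3):
    """Hypothesis 2: one account reaching min_destinations or more hosts."""
    fan_out = destination_fan_out(records)
    return sorted(acct for acct, n in fan_out.items() if n >= min_destinations)


def hunt(records, max_pair_count=1, min_destinations=3):
    """Run both hypotheses and attach the supporting records to each finding,
    so the analyst gets evidence to pivot on rather than a bare alert."""
    findings = {}
    for acct, src in rare_logon_pairs(records, max_pair_count):
        findings[("rare_logon_pair", acct, src)] = [
            r for r in records if r[1] == acct and r[2] == src
        ]
    for acct in high_fan_out_accounts(records, min_destinations):
        findings[("high_fan_out", acct)] = [r for r in records if r[1] == acct]
    return findings


if __name__ == "__main__":
    for key, evidence in hunt(SAMPLE_LOGONS).items():
        print(key)
        for row in evidence:
            print("   ", row)
```

The thresholds are deliberately simple; in practice the baseline is built from weeks of data and the hunter tunes `max_pair_count` and `min_destinations` per environment, then records which hypotheses produced nothing as well as which produced leads, since a negative result still narrows where adversaries could be hiding.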
This paper will explain what threat hunting is (and what it is not), why it is needed, when threat hunting is appropriate, where it fits into maturity efforts, how to get started and who should do the hunting.