3 Trends in Successful Threat Hunting Across Networks in a Multi-Cloud World
By William Toll, Sr. Director, Product Marketing
Threat hunting programs are evolving quickly, and teams are increasingly facing visibility gaps from all of the new multi-cloud, edge, IoT, and OT environments. At the same time, today’s threats are increasingly exploiting these gaps, as attackers know that Atomized Networks are dispersed, ephemeral, encrypted, and diverse.
In summary, the rapid expansion of deployment models and zero-trust programs is in many cases, moving faster than legacy network visibility vendors and architectures.
Threat hunting teams that are monitoring new indicators of compromise (IoCs) and hunting for them in real-time across all networks are struggling to detect them and prevent security incidents. And the attackers are using tactics and techniques to hide in the gaps. It’s making it almost impossible to implement a strong proactive program of threat hunting and detection that follows the tactics, techniques, and procedures (TTPs) used by today’s threat actors.
Without gap-free visibility, threat hunting teams are often forced to perform numerous pivots and make assumptions for missing traffic data from system to system. While teams with gap-free visibility are able to have more successful threat hunting programs and provide updates to the organization’s security policies, controls, and tools, thus shielding their organization from future attacks.
Greater collaboration across organizations
Increasingly threat hunters are seeing the value in helping their colleagues in the SOC, to collaborate more with the CloudOps and networking teams. They are starting with a hypothesis of the known TTPs that are being used and alerting these teams to where there are visibility gaps and a lack of detections.
This more risk-based threat-hunting team combines asset, surface, application, and network visibility to provide some indication of risk ranking based on early indicators of risk. This provides support for the “shift-left” movement, where development teams and DevSecOps programs are improving the organizations’ ability to protect applications and their updates before they are pushed to production. This movement is bringing the SOC closer to CloudOps, application development, and DevSecOps teams.
At the same time, matching these visibility gaps with common TTPs enable their SOC colleagues to implement playbooks to drive more effective detection, response, and mitigation programs around these gaps.
Greater visibility of east-west traffic
Most teams find it difficult to detect an attacker moving east-west due to telemetry, decryption, visibility gaps, and logging issues. Many teams are hampered by organizational network ownership challenges, data silos, and massive network volume.
This same spirit of collaboration is being used to provide support for better visibility of east-west traffic. Threat hunters love having gap-free visibility of network data across an organization’s entire estate. After all, IP addresses on the source or destination ends of a TCP connection can not be spoofed, and attackers are unable to hide as they traverse networks.
Many SOC and Cloud architects are building new applications and networks with the ability to have the east-west traffic visibility baked in. Enabling threat hunters with gap-free real-time visibility into east-west traffic can reduce time to detection and greatly reduce risk. Great teams encourage this modern collaboration that squashes the silos between teams.
Less pivoting and more normalization and enrichment As network visibility and control platforms become more powerful and gap-free and access is granted to SOC, CloudOps, and NetOps teams, there is more awareness of the need for normalization and context. Enrichment is more valuable and trusted when it comes from consistent sources and is presented in consistent ways. Teams realize that the old mantra of deep packet inspection, encryption, and dozens of sensors and appliances deployed across on-premises, hybrid, multi-cloud, edge, IoT, and OT environments is holding them back from a modern threat hunting program.
Platforms like Netography Fusion provide a single portal that provides a unified view of all data across the entire ecosystem, enriched with security and business context to provide a complete picture of what’s happening so users can pinpoint malicious activity, monitor for compliance, and hunt threats.