Should Threat Hunting Be a Standards Requirement?
As part of some recent research, I was looking at which security standards and attestations require regular threat hunts. Imagine my surprise when I could not find any. In this blog entry, I will discuss why this is a huge oversight, and why threat hunting needs to become part of our security DNA.
Why We Have Security Standards
Cyber security standards are created to help keep our computer networks secure. They define a set of best practices designed to maintain the integrity of our data and the hardware that hosts it. Security standards usually cover everything from physical security to encryption. Some, like System and Organization Controls (SOC), are extremely broad in their requirements. Others, like PCI DSS, are very specific about which controls must be used and exactly how they should be implemented. For example, SOC requires an organization to implement some form of access control; PCI DSS spells out specific password rules and states when two-factor authentication must be used.
How Standards Address Successful Attacks
The majority of the controls defined in security standards are designed to reduce the likelihood of a successful attack. For example, they may define how to configure the perimeter so that malicious traffic cannot find its way in. They may require user education programs so that employees are less likely to fall for social engineering. They even cover the processes needed to ensure that all of these security layers are maintained properly.
When it comes to attacks that have already succeeded, however, standards bring little to the table. They tend to focus on three areas:
- Antivirus or malware control software
- Intrusion detection or prevention
- Log review
Note that these are detection technologies, not validation technologies. Antivirus software, for example, attempts to catch malware as it lands on a host; if the drop succeeds without matching a signature, the control offers nothing further. Relying on antivirus also assumes that the system being infected is actually running it, and many Macs, Linux systems, IoT devices and network appliances run with no antivirus solution at all.
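To make the detection-versus-validation distinction concrete, here is an added example (not code from the original post) of one common hunting technique: stack counting persistence entries across a fleet. It does not rely on any endpoint agent having fired; it asks which autostart entries are rare across hosts, which is how an implant that no signature matched still shows up. The inventory records, hostnames and paths below are constructed for illustration, and the collector that would gather cron jobs, systemd units, Run keys or LaunchAgents from real hosts is assumed to exist.

```python
"""Stack-counting hunt over autostart (persistence) inventories.

Added example, not from the original post. Assumes each host's autostart
entries have already been collected into (host, location, command)
records; the sample inventory below is constructed for illustration.
"""
from collections import defaultdict

# Constructed inventory: (hostname, persistence location, command run).
INVENTORY = [
    ("web01", "cron:/etc/cron.d/logrotate", "/usr/sbin/logrotate /etc/logrotate.conf"),
    ("web02", "cron:/etc/cron.d/logrotate", "/usr/sbin/logrotate /etc/logrotate.conf"),
    ("web03", "cron:/etc/cron.d/logrotate", "/usr/sbin/logrotate /etc/logrotate.conf"),
    ("web01", "systemd:node_exporter.service", "/usr/local/bin/node_exporter"),
    ("web02", "systemd:node_exporter.service", "/usr/local/bin/node_exporter"),
    ("web03", "systemd:node_exporter.service", "/usr/local/bin/node_exporter"),
    # Only one host carries this entry, and it runs from a world-writable dir.
    ("web02", "cron:/var/tmp/.x/cron", "/var/tmp/.x/update.sh"),
]

# Directories legitimate services rarely run from; a hypothetical list.
SUSPICIOUS_PATHS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def stack_count(inventory):
    """Return {(location, command): set_of_hosts} for the whole fleet."""
    stacks = defaultdict(set)
    for host, location, command in inventory:
        stacks[(location, command)].add(host)
    return stacks


def rare_entries(inventory, max_hosts=1):
    """Entries present on at most max_hosts hosts, annotated with reasons.

    Rarity is the hunting hypothesis: a persistence entry that exists on a
    handful of machines in an otherwise uniform fleet needs an explanation.
    """
    stacks = stack_count(inventory)
    fleet_size = len({host for host, _, _ in inventory})
    findings = []
    for (location, command), hosts in stacks.items():
        if len(hosts) > max_hosts:
            continue
        reasons = [f"seen on {len(hosts)}/{fleet_size} hosts"]
        if any(p in command or p in location for p in SUSPICIOUS_PATHS):
            reasons.append("runs from a world-writable/temporary path")
        findings.append({"hosts": sorted(hosts), "location": location,
                         "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in rare_entries(INVENTORY):
        print(f["hosts"], f["location"], f["command"], "; ".join(f["reasons"]))
```

The threshold `max_hosts` is the knob a hunter tunes to fleet size: on three hosts a single-host entry is already interesting, on three thousand you might look at anything below a dozen. The point is that the check validates the outcome (is there persistence that should not be there?) rather than the control (is the agent installed?).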
Pentesting Versus Threat Hunting
Vulnerability scanning and pentesting are popular requirements in security standards. PCI DSS, for example, calls out both: Requirement 11.2 mandates quarterly vulnerability scans, and Requirement 11.3 mandates penetration testing at least annually and after any significant change (these are the v3 numbers; PCI DSS v4.0 renumbered them to 11.3 and 11.4). Both are designed to identify weak points in your security posture that attackers could leverage to gain elevated access.
Now consider what happens when a scan or pentest finds a weakness. We patch or change the configuration so that the vulnerability is no longer reachable, and move on with our day. Even when the finding shows that a vulnerability existed and was exposed to the Internet, neither PCI DSS nor any other security standard requires a deeper investigation to determine whether it was exploited while it was exposed.
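Here is what that missing investigation looks like in practice, as an added example that is not part of the original post. Given a scan finding (the vulnerable path and the window between exposure and remediation), it walks the web server's access log for the window and reports who reached the path, whether the server answered 2xx (the request reached the vulnerable code), and what those sources did next. The finding, hostname, path and log lines are all constructed for illustration; no specific product or vulnerability is implied.

```python
"""Look-back hunt after a scan finding: was the exposed path hit while
it was vulnerable?

Added example, not from the original post. The finding and the Apache
combined-format log lines are constructed for illustration.
"""
import re
from datetime import datetime, timezone

# Constructed finding as a scanner might report it: the vulnerable endpoint
# and the window between exposure and remediation (UTC).
FINDING = {
    "host": "shop.example.test",
    "path": "/admin/upload",
    "exposed_from": datetime(2024, 3, 1, tzinfo=timezone.utc),
    "remediated_at": datetime(2024, 3, 10, tzinfo=timezone.utc),
}

# Constructed access-log lines; the last one falls after remediation.
ACCESS_LOG = """\
203.0.113.7 - - [02/Mar/2024:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Mar/2024:02:44:10 +0000] "POST /admin/upload HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.9 - - [03/Mar/2024:02:44:12 +0000] "GET /uploads/x.php HTTP/1.1" 200 98 "-" "python-requests/2.31"
203.0.113.7 - - [05/Mar/2024:12:00:00 +0000] "POST /admin/upload HTTP/1.1" 403 0 "-" "Mozilla/5.0"
192.0.2.4 - - [12/Mar/2024:08:00:00 +0000] "POST /admin/upload HTTP/1.1" 401 0 "-" "curl/8.4"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("target").split("?", 1)[0]  # drop the query string
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": path, "status": int(m.group("status"))}


def hunt_exploitation(finding, log_text):
    """Return hits on the vulnerable path during the exposure window,
    the sources that got a 2xx, and what those sources did afterwards."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    in_window = [e for e in events
                 if finding["exposed_from"] <= e["ts"] < finding["remediated_at"]]
    hits = [e for e in in_window if e["path"] == finding["path"]]
    # First 2xx per source: the request reached the vulnerable code.
    successful = {}
    for e in hits:
        if 200 <= e["status"] < 300:
            successful.setdefault(e["ip"], e["ts"])
    # Later requests from those sources are post-exploitation leads.
    follow_on = [e for e in in_window
                 if e["ip"] in successful and e["ts"] > successful[e["ip"]]
                 and e["path"] != finding["path"]]
    return {
        "hits": hits,
        "successful_sources": sorted(successful),
        "follow_on": follow_on,
        "exploitation_suspected": bool(successful),
    }


if __name__ == "__main__":
    result = hunt_exploitation(FINDING, ACCESS_LOG)
    print("exploitation suspected:", result["exploitation_suspected"])
    for e in result["follow_on"]:
        print("follow-on:", e["ip"], e["ts"].isoformat(), e["method"], e["path"])
```

A 2xx on the vulnerable path is not proof of compromise, and a 403 is not proof of safety; the output is a lead list for the incident responders, which is exactly the step the patch-and-move-on process skips. In a real environment the log source would be the SIEM or the archived logs for the whole window, not a single file, and the query would also cover the host's other telemetry for the same sources.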
The Gaping Hole Filled By Threat Hunting
As you can see, our security standards go to great lengths to define the layers of a secure posture but do very little to validate that the required controls have actually been effective. This is why companies have received their security attestations while an active compromise was under way. As an analogy, imagine certifying a bank as “secure” because you checked the locks and perimeter cameras, but never looked in the vault to see whether criminals were emptying the strongboxes.
Threat hunting your network is the ultimate validation test of its security. It does not matter whether an auditor can tick every box on the list of required controls: if intruders are on your systems, one or more of those controls have failed. If the goal of an audit is to validate the integrity of a network, threat hunting provides the final confirmation of whether that goal has been met.
If you are one of the many folks involved in maintaining our security standards, it’s time to add threat hunting to the list of control requirements.
Chris has been a leader in the IT and security industry for over 20 years. He’s a published author of multiple security books and the primary author of the Cloud Security Alliance’s online training material. As a Fellow Instructor, Chris developed and delivered multiple courses for the SANS Institute. As an alumnus of Y-Combinator, Chris has assisted multiple startups, helping them to improve their product security through continuous development and to identify their product market fit.