Why Threat Hunting should be a Security Standards Requirement
Threat hunting has become an accepted layer in our overall security posture. I recently reviewed a number of security standards commonly implemented by commercial organizations and was surprised to find that none of them required threat hunting as part of their controls. This includes PCI DSS, which released version 4.0 of its standard in March of 2022! In this blog entry I will discuss why this is a major oversight, and why threat hunting needs to become part of the security posture of every organization.
Why We Have Security Standards
Cyber security standards are created to help keep our computer networks secure. They define a set of best practices designed to maintain the integrity of our data and the hardware that hosts it. Security standards usually cover everything from physical security to encryption. Some, like System and Organization Controls (SOC), are extremely broad in their requirements. Others, like PCI DSS, are extremely specific about the controls to be used and exactly how they should be implemented. For example, SOC requires organizations to implement some form of access control, while PCI DSS spells out password requirements and exactly when multi-factor authentication must be used.
How Standards Address Successful Attacks
A majority of the controls defined in security standards are designed to reduce the likelihood of a successful attack. For example, they may define how to configure the perimeter so that malicious traffic cannot find its way in. They may focus on user education programs so employees are less likely to fall for social engineering attacks. They even focus on processes to help ensure that all of these security layers are maintained properly.
When it comes to detecting and responding to attacks that have already succeeded, however, standards bring little to the table. They tend to focus on three areas:
- Antivirus or malware control software
- Intrusion detection or prevention
- Log review
Note that these are detection technologies, not validation technologies. In other words, antivirus software attempts to detect malware as it lands on a host. It provides no answer if the malware drop succeeds without being detected. Further, relying on antivirus software assumes that the system being infected is actually running it. Most Macs, Linux hosts, IoT and other embedded devices operate with no antivirus solution at all.
Pentesting Versus Threat Hunting
Vulnerability scanning and pentesting are popular security standards requirements. As an example, PCI DSS calls out both as requirements. Under the v3.2.1 numbering, Requirement 11.2 requires quarterly internal and external vulnerability scanning, while Requirement 11.3 requires penetration testing at least annually and after any significant change. Both are designed to identify weak points in your security posture that attackers may leverage to gain access or elevate their privileges.
However, consider what happens when a vulnerability scan or pentest finds a weakness. We simply patch or change the configuration so that the vulnerability is no longer reachable, and move on with our day. In other words, even once it has been established that a vulnerability existed and was exposed to the Internet for some period of time, neither PCI DSS nor any other security standard requires a deeper investigation to determine whether that vulnerability was exploited while it was exposed.
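The deeper investigation described above, as an added example that is not code from the original post or from Active Countermeasures: a Python triage that takes a finding (host, port, and the window during which the vulnerable version was reachable) and runs it against connection logs to answer two questions the standards never ask. Which external sources actually completed a session to the exposed service, and did the host then open a connection back out to any of them (the shape of a reverse shell or a second-stage download)? The log lines are constructed in a Zeek conn.log-like layout, the host, port, exposure window and RFC 5737 addresses are all made up, and treating a given set of Zeek conn_state values as "the attacker reached the service" is an assumption about what the reader's own logs look like.

```python
"""Post-finding exposure triage over connection logs.

Added example, not code from the original post or from Active Countermeasures.
All sample data below is constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed sample in a Zeek conn.log-like layout (tab separated):
# ts  id.orig_h  id.resp_h  id.resp_p  proto  conn_state  orig_bytes  resp_bytes
SAMPLE_CONN_LOG = """\
1646092800.1\t10.0.0.5\t10.0.0.20\t8443\ttcp\tSF\t512\t4096
1646096400.2\t203.0.113.9\t10.0.0.20\t8443\ttcp\tS0\t0\t0
1646100000.3\t203.0.113.9\t10.0.0.20\t8443\ttcp\tSF\t1480\t290
1646103600.4\t10.0.0.20\t203.0.113.9\t4444\ttcp\tSF\t90\t120000
1646107200.5\t198.51.100.7\t10.0.0.20\t8443\ttcp\tREJ\t0\t0
1646110800.6\t198.51.100.22\t10.0.0.20\t443\ttcp\tSF\t300\t800
"""

# Assumption: RFC 1918 space is "inside"; everything else is an external source.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Zeek conn_state values in which the TCP handshake completed. Only these count
# as "the source actually reached the service"; S0 (no reply) and REJ do not.
ESTABLISHED = {"SF", "S1", "S2", "S3", "RSTO", "RSTR"}


@dataclass(frozen=True)
class Conn:
    ts: float
    orig_h: str
    resp_h: str
    resp_p: int
    proto: str
    conn_state: str
    orig_bytes: int
    resp_bytes: int


@dataclass(frozen=True)
class Finding:
    """A scan or pentest result: which service was vulnerable and for how long."""
    host: str
    port: int
    exposed_from: float   # epoch seconds: vulnerable version first reachable
    exposed_until: float  # epoch seconds: patched or taken offline


# Constructed finding: an internal host ran a vulnerable service on 8443 for ~6 hours.
SAMPLE_FINDING = Finding(host="10.0.0.20", port=8443,
                         exposed_from=1646092800.0, exposed_until=1646114400.0)


def parse_conn_log(text: str) -> List[Conn]:
    """Parse the tab-separated layout above; skips blank and '#' header lines."""
    conns = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split("\t")
        conns.append(Conn(float(f[0]), f[1], f[2], int(f[3]), f[4], f[5],
                          int(f[6]), int(f[7])))
    return conns


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def exposure_contacts(conns: List[Conn], finding: Finding) -> Dict[str, List[Conn]]:
    """External sources that completed a session to the vulnerable service while it was exposed."""
    hits: Dict[str, List[Conn]] = {}
    for c in conns:
        if (c.resp_h == finding.host and c.resp_p == finding.port
                and finding.exposed_from <= c.ts <= finding.exposed_until
                and c.conn_state in ESTABLISHED and is_external(c.orig_h)):
            hits.setdefault(c.orig_h, []).append(c)
    return hits


def callbacks(conns: List[Conn], finding: Finding,
              contacts: Dict[str, List[Conn]]) -> List[Conn]:
    """Established sessions the vulnerable host opened *to* a source that had reached it,
    after that source's first successful contact. A reverse shell or payload fetch lands here."""
    out = []
    for c in conns:
        if c.orig_h != finding.host or c.conn_state not in ESTABLISHED:
            continue
        prior = contacts.get(c.resp_h)
        if prior and c.ts > min(h.ts for h in prior):
            out.append(c)
    return out


def triage(conns: List[Conn], finding: Finding) -> dict:
    """The investigation step the standards leave out: was the exposed hole actually used?"""
    contacts = exposure_contacts(conns, finding)
    calls = callbacks(conns, finding, contacts)
    return {
        "reached_by": sorted(contacts),
        "callbacks": [(c.resp_h, c.resp_p, c.resp_bytes) for c in calls],
        "exploitation_suspected": bool(calls),
        "needs_host_forensics": bool(contacts),
    }


if __name__ == "__main__":
    report = triage(parse_conn_log(SAMPLE_CONN_LOG), SAMPLE_FINDING)
    for key, value in report.items():
        print(f"{key}: {value}")
```

In the constructed data, 203.0.113.9 first gets no reply (S0), then completes a session to 8443, and shortly afterwards the vulnerable host opens a connection to that same address on 4444 and pulls down 120 KB, so the triage flags suspected exploitation. The half-open attempt from 198.51.100.7 and the session to a different port are ignored. A "reached_by" hit with no callback still means the host needs forensics; an empty report means the window can be closed with evidence rather than assumption.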
The Gaping Hole Filled By Threat Hunting
As you can see, our security standards go to great lengths to help identify the layers of a secure posture, but do very little to validate that the required controls have actually been effective. This is why we have seen numerous companies receive their security attestations at the exact same time an active compromise was taking place. As an analogy, imagine certifying a bank as “secure” because you checked the locks and perimeter cameras, but never bothered to look in the vault to see if any criminals are actively emptying all of the strongboxes.
By threat hunting your network, you are performing the ultimate validation test of your network’s security. It does not matter if an auditor can check all of the boxes next to a list of required attestation controls. If intruders are on your systems, one or more of those controls have failed. If the goal of an audit is to validate the integrity of a network, threat hunting provides the ultimate confirmation of whether that goal has been achieved.
If you are one of the many folks involved with maintaining our security standards, it’s time to add threat hunting to the list of control requirements.
Chris has been a leader in the IT and security industry for over 20 years. He is a published author of multiple security books and the primary author of the Cloud Security Alliance's online training material. As a Fellow Instructor, Chris developed and delivered multiple courses for the SANS Institute. As an alumnus of Y Combinator, Chris has assisted multiple startups, helping them to improve their product security through continuous development and to identify their product market fit.