
What 10,000 Analysts Showed Us About the State of Threat Hunting

Cybersecurity has gotten pretty tough lately. Today's teams contend with an ever-growing IT ecosystem accelerated by critical digital transformation efforts and moving workforces into remote environments. At the same time, they're managing a rapidly evolving threat landscape composed of both sophisticated nation-state actors and a crush of low-level criminals armed with off-the-shelf crimeware. All told, cybercrime now costs organizations a whopping $1,797,945 per minute. 

As cyberthreats increase, security analysts are our first line of defense. Their skills, know-how, and passion for their work meet attackers head-on. Unfortunately, these analysts often lack the resources, technology, and latest techniques to defeat them. 

Since 2018, RiskIQ has led a successful global cyberthreat workshop program with the singular goal of educating cybersecurity practitioners and equipping them with the skills and tools they need to defend their organizations against this new era of threats. In 2020 alone, we issued over 3,000 CPE credits to thousands of analysts worldwide, with thousands more watching on-demand sessions. 

Benjamin Powell, RiskIQ's Sr. Product Marketing Manager, has personally led more than 200 workshops across the United States, Europe, Asia, and the Middle East. Benjamin has interacted with countless practitioners while demonstrating next-gen threat hunting techniques and hands-on exercises focusing on cyberattackers' latest tools and tactics. Over the years, he's learned the most significant challenges analysts face in keeping their organization's unique attack surfaces safe.

After speaking with thousands of analysts, here are the top five things Benjamin wants all threat hunters and incident responders to know.

1. You may not realize just how much data is out there.

Seasoned threat researchers are handy with WHOIS and Passive DNS, but many haven't kept up with newly available data types. Traditional data sets still serve a purpose, but threat actors can work around them by quickly switching up their infrastructure. 

With WHOIS becoming significantly less useful to build out threat investigations, especially with restrictions brought about by the GDPR, threat analysts must rely more frequently on other internet data sets as part of their digital tool belt. RiskIQ has made it a core part of our business to collect and correlate as much relevant Internet data as possible to advance threat investigations past the limits of WHOIS and PDNS. 

Currently, our Internet Intelligence Graph, which has mapped the billions of relationships among internet components, contains eleven data sets beyond WHOIS information, including passive DNS, SSL certificates, hosts and subdomains, OSINT, host pairs, and trackers. These data sets often surface more information or connections that would have otherwise gone unnoticed and could hold the key to blowing open an investigation.

2. Security Researchers Often Lack the Full Picture

Security researchers often write articles that lack the full depth of an incident or threat group because they can't chain together the full extent of the threat infrastructure involved. Once the article is published, everything it reveals about the threat actor is burned, and the actor can quickly adapt before researchers can surface anything else about them.

However, with deeper data sets, like those mentioned above, analysts can root out the full extent of threat infrastructure, even as its operators attempt to evade them. This next-gen threat hunting gathers and contextualizes the "signals," or pieces of information generated from performing any action over the wire, that threat actors leave behind. When collected and contextualized, they become actionable intelligence that leaves adversaries far fewer places to hide.  

Suppose an analyst loses an attacker's trail using PDNS. They can then turn to other signals. For example, surfacing a unique cookie that's embedded within multiple hosts used by a threat actor keeps the investigation going so new leads can arise.
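The pivot described above, as an added illustration that is not RiskIQ's own code or the Internet Intelligence Graph: hosts are linked whenever they share a signal (a passive DNS resolution, a tracker or cookie ID, an SSL certificate hash), and a breadth-first expansion from a seed host shows how a trail that dead-ends on PDNS alone continues once tracker and certificate signals are allowed. All hosts, IPs, tracker IDs and hashes are constructed placeholders; `max_fanout` is an assumed knob that skips signals shared by too many hosts (shared hosting, CDNs, common analytics IDs), which would otherwise pull unrelated sites into the cluster.

```python
from collections import defaultdict, deque

# Constructed sample observations (placeholder hosts and values, not real infrastructure).
# Each record is (host, signal_type, signal_value); hosts sharing a value are linked.
OBSERVATIONS = [
    ("shop-login.example", "pdns", "203.0.113.10"),
    ("account-verify.example", "pdns", "203.0.113.10"),
    ("account-verify.example", "tracker", "UA-000000-9"),
    ("secure-update.example", "tracker", "UA-000000-9"),
    ("secure-update.example", "pdns", "198.51.100.7"),
    ("secure-update.example", "ssl_cert", "sha1:PLACEHOLDER"),
    ("cdn-static.example", "ssl_cert", "sha1:PLACEHOLDER"),
    # A shared-hosting IP seen on many unrelated sites: a noisy, low-value pivot.
    ("shop-login.example", "pdns", "198.51.100.200"),
    ("blog-a.example", "pdns", "198.51.100.200"),
    ("blog-b.example", "pdns", "198.51.100.200"),
    ("blog-c.example", "pdns", "198.51.100.200"),
]

def build_index(observations):
    """Return (host -> set of signals, signal -> set of hosts) for fast pivoting."""
    by_host, by_signal = defaultdict(set), defaultdict(set)
    for host, kind, value in observations:
        by_host[host].add((kind, value))
        by_signal[(kind, value)].add(host)
    return by_host, by_signal

def pivot(seed, observations, signal_types, max_fanout=3):
    """Breadth-first expansion from seed over shared signals of the allowed types.

    Signals shared by more than max_fanout hosts are skipped as too noisy to
    attribute (assumed threshold). Returns {host: hop_distance_from_seed}.
    """
    by_host, by_signal = build_index(observations)
    reached, queue = {seed: 0}, deque([seed])
    while queue:
        host = queue.popleft()
        for signal in by_host.get(host, ()):
            if signal[0] not in signal_types or len(by_signal[signal]) > max_fanout:
                continue
            for nxt in by_signal[signal]:
                if nxt not in reached:
                    reached[nxt] = reached[host] + 1
                    queue.append(nxt)
    return reached

if __name__ == "__main__":
    print(pivot("shop-login.example", OBSERVATIONS, {"pdns"}))
    print(pivot("shop-login.example", OBSERVATIONS, {"pdns", "tracker", "ssl_cert"}))
```

With PDNS alone the trail stops at two hosts; adding the tracker and certificate signals reaches four, while the shared-hosting IP is ignored until the fan-out threshold is raised.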

3. The Cyberthreat Landscape moves quickly, but learning from history—and your teammates—is crucial. 

With today's cybersecurity skills and personnel shortage, analysts can be so inundated with new incidents that they can't go back and re-examine old investigations. However, threat infrastructure is often reused and recycled, and indicators of compromise (IOCs) in old incidents can unlock leads in new investigations. 

Threat actor TTPs can also be vital clues, creating connections between seemingly disparate attacks to point at a particular threat actor or threat group. For example, our researchers recently linked a new skimming attack to a known Magecart group because of its unique features. 

With curated projects or records, analysts can quickly access IOCs and cyberthreat intelligence and find new indicators associated with an attack or threat actor that the team has already surfaced.

4. Silos can be devastating

In organizations worldwide, silos are one of the biggest obstacles to responding to security incidents quickly and efficiently. When different teams don't share data, a dangerous gap opens between breach and response, preventing them from reacting swiftly and decisively to a security incident.

However, cooperation, coordination, and information sharing aren't just crucial between analysts on the security team; they're also imperative between teams across the organization. For example, marketing may spin up tracking cookies outside the purview of the security team, or the security team may not be aware of vulnerabilities tracked by risk and compliance. With feeds showing vulnerabilities and where they lie across an organization, teams can stay ahead of early-stage vulnerabilities and threats, speed up remediation with risk-based priorities for what's relevant, and prevent downtime and wasted effort by focusing on critical exposures.

5. Knowledge is Power

The rapid growth of internet-exposed assets has dramatically broadened the spectrum of threats and vulnerabilities affecting the average organization. Sophisticated APTs and petty cybercriminals alike threaten businesses' safety, targeting their data, brand, intellectual property, systems, and people. 

Relevant, actionable threat intelligence and the tools and techniques to use it give security teams line-of-sight to attackers and threat systems and infrastructure. Successfully defending your organization starts with hard observations from the internet, including attackers, enterprises, and third parties. These infrastructure connections illuminate the entire internet and provide a 360-degree view of your organization's attack surface and the knowledge to respond to threats quickly, decisively, and in concert across your organization. 

Get Started

To bring your investigations to the next level and tap into next-gen security intelligence, join the RiskIQ Community today. Also, join us for a cyber threat workshop as we explore the five core areas of Security Intelligence over the next several months.
