Creating an effective threat hunting program is one of the top goals of security leaders when it comes to becoming more proactive and building active defenses. However, finding the right expertise for a hunt team remains a big challenge, with the majority of security leaders feeling that the investigative capabilities and skills of their organizations are in need of improvement.
Even though the COVID-19 pandemic compelled a quick shift to remote work, security stepped up to the task. Three out of ten respondents indicated they only had a day or less to safeguard the remote workers of their company, according to a 2020 Cybersecurity Workforce Study from (ISC)2, the association of certified cybersecurity experts.
Now that operations have returned to the ‘new normal,’ which is almost certain to involve a significant amount of remote work, security must adapt to a large number of workers who will continue to work remotely. This includes a significant number of security analysts and other network security personnel.
This opens up a new front in the war on cybercrime – how can businesses ensure that threat hunters stay safe and don’t become a threat to the systems they are supposed to protect?
Remote threat hunting
Remote security researchers were already important to IT organizations. Organizations had been contracting out and deploying remote workers to deal with a dearth of threat analysts and other InfoSec skills even before the pandemic made working remotely the standard. According to a 2019 SANS report, nearly two-thirds of security operations centers outsource some component of cybersecurity, with penetration testing and threat intelligence being the most popular.
Remote work not only fills in for employee shortages, but it also adds a layer of security to an organization’s systems. Even before the pandemic, security work was frequently performed by individuals outside of the business setting, as no one wants the malware they are looking into to stay on their network for very long. Conducting cybersecurity work from a distant location offers the benefit of shielding company networks from malware that escapes sandboxes and spreads laterally through the network.
However, gathering threat intelligence and responding to incidents from vulnerable locations puts threat hunters at risk of being discovered by the very attackers they are tracking, posing legal, technical, and governance issues. Most cybersecurity experts are competent, but can they withstand a state-sponsored attack?
Attackers are growing more sophisticated, notably in their use of social engineering techniques, even when threat hunters work outside the enterprise network. It is difficult for threat analysts who work for Fortune 100 companies, critical infrastructure, and similar organizations to stay hidden. Threat actors want to know who they are, so they will employ social engineering to find out and then try to break into their company’s network, especially if the network contains critical information or assets.
However, in order to be safe, those threat intelligence artifacts must be examined in environments outside of the enterprise’s control, which can pose compliance and legal problems. The fear of bad actors doxing the good guys is not the only concern.
If malware investigations are not conducted in accordance with regulations, the organization may face legal consequences. When a company is hacked, for instance, management must report the incident to law enforcement and possibly insurers, and they will want a forensic trail of who knew what and when.
Meanwhile, threat hunting must be handled in a secure, shared services environment that allows for malware research, deployment, and tool integration as a matter of tradecraft. Threat hunters will lose their capacity to trace a malware’s source and activity, as well as to protect against it, if an adversary knows their software is being examined. To keep their competitive edge, security researchers must keep bad actors in the dark about what they have discovered and what they are working on.
Companies cannot afford to take the risk of having employees create their own work environments. The work must be done in a secure location where threat hunters can communicate effectively in an obfuscated environment that is not linked to the parent company.
A secure sandbox
To satisfy legal and governance obligations, threat hunting must be non-attributable while retaining a clear audit trail. Meanwhile, in the face of increasing oversight and concerns about cybersecurity, enterprises must maintain control over the settings where malware research takes place in order to meet compliance requirements. With such controls in place, threat hunters can continue their work in a safe, disguised sandbox that poses no legal or security threat to the enterprise.