Why Proactive Threat Hunting Is a Must for Agencies

As threats from nation-state actors persist, government agencies should consider this method for stronger cybersecurity.

LISTEN

Your browser doesn’t support HTML5 audio

Threat hunting is becoming more important than ever for government agencies as federal cybersecurity officials warn of threats that nation-state actors may pose to election systems this year. Evidence emerged last year that state-sponsored hacking groups had even breached agencies.

Government entities were the fourth-most targeted sector for “interactive intrusions” — threats in which actors use hands-on techniques to accomplish their objectives — in 2023, after the technology, telecommunications and financial services sectors, according to CrowdStrike's 2024 Global Threat Report. The artificial intelligence-powered threat intelligence company observed a 60 percent year-over-year increase in the number of interactive intrusion campaigns, with a 73 percent increase in the second half of 2023 compared with 2022.

Such threat activity underscores the need for agencies and other organizations to continuously hunt for threats, because malicious actors aren’t standing still. Threat actors operate in different time zones, use new techniques if old ones don’t work and are always looking for vulnerabilities, says Adam Meyers, senior vice president of counter-adversary operations at CrowdStrike.

“There’s continuously a threat actor on the other side of that encounter,” Meyers says. “And there’s no option but to be continuously engaging.”

Click the banner to read CDW’s white paper on enhancing zero trust for your agency.

How Threat Hunting Has Evolved

In 2015, David Bianco, now a staff security strategist at Splunk, created the Hunting Maturity Model, which classifies threat hunting as the “collective name for any manual or machine-assisted techniques used to detect security incidents.”

The model identifies three main factors to consider when judging an organization’s hunting ability: the quality of the data collected, the tools used to access and analyze the data, and the skills of the analysts who use that data and find incidents.

Threat hunting was once typically the responsibility of a seasoned veteran in the field, says Alex Pennino, head of Mandiant advance analysis at Google Cloud. However technological, intelligence and community improvements “have opened the door for analysts of all skill levels to contribute to threat hunting programs,” he adds.

In the past, threat hunters relied on homegrown solutions, which required manual collection, exportation and normalization of data. Today, threat hunting tools from cybersecurity vendors offer agencies robust capabilities out of the box, allowing for the quick collection and analysis of large amounts of data.

Threat hunters now have access to frontline intelligence that allows them to better understand their threat profile and tailor their threat hunting efforts to reduce real risk.”
Alex Pennino

Head of Mandiant Advance Analysis, Google Cloud

“Additionally, threat hunters now have access to frontline intelligence that allows them to better understand their threat profile and tailor their threat hunting efforts to reduce real risk,” Pennino says.

The biggest evolution in threat hunting came out of needing to manage large volumes of data, says Aaron Walker, research manager for government trust and resiliency strategy at IDC Government Insights.

“Automation now plays a huge role in ingesting SIEM, application, network and other data to identify those indicators to respond to and remediate threats,” Walker says. “For example, the automated threat hunting tools can spot a threat actor who has been hiding on an enterprise network for weeks based on behavior, really a needle in a haystack, and provide recommended actions to revoke access and assess nefarious activity.”

As threat hunting has evolved, the discipline has shifted to using AI technology to assist in threat detection, says Robert Higham, director of threat detection research at Secureworks.

DISCOVER: Agencies are interested in how zero trust applies to artificial intelligence.

“The goal is to use AI to help you find things that you wouldn’t have found if you weren’t proactively looking in your environment historically through your logs and your current configurations,” Higham says.

2024 Is the Year of Continuous, Managed and Proactive Threat Hunting

The main difference between a few years ago and today — and perhaps the drive for the rise in managed threat hunting — is that “threat actors are becoming increasingly sophisticated and are leveraging advances in technology to execute malicious campaigns at scale,” Pennino says.

“By using an external threat hunting service, organizations benefit from not only the highly specialized skill sets that threat hunters bring but also the lessons learned in the field that then can be quickly applied to their environment,” Pennino adds.

The Cybersecurity and Infrastructure Security Agency may provide managed hunting services for some agencies, for example, Meyers says.

Since different agencies may use different cybersecurity tools, CISA has in the past developed platforms such as EINSTEIN to provide a common set of capabilities for agencies. That system has intelligence fed into it from sensor networks that companies such as CrowdStrike maintain, Meyers says.

“You get these concepts of loops feeding into loops, with threat hunting from our OverWatch team, and they can feed what they’re finding up to the government agency, the managed service provider,” he adds.

Threat Hunting Is Part of a Balanced Cyber Resilience Strategy

Threat hunting is not a “nice to have” element of cyber resilience, Higham says. Some in the industry think that detection and prevention measures must be perfected before adding in threat hunting, but he wholly disagrees.

“You take that hunting maturity model and you say, ‘What data do I have? What could I find if I looked in that data?’” Higham says. “And then, if you can afford it, partner with someone to help you out.”

MORE FROM FEDTECH: Tech partnerships are an intelligence community priority.

Threat hunting is part of a balanced cyber-resilience strategy, “as it can act as a backstop to provide coverage against adversaries that are evading traditional detection mechanisms,” Pennino says.

Not every tool, tactic or procedure “is easily codified in high-fidelity logic that can be easily reviewed by analysts,” he adds. “The process of threat hunting inherently offers broader coverage for threats by casting a wider net in search of anomalous or malicious activity.”

Threat hunting gives agencies the ability to test their defense-in-depth strategies, which indicate when and where adversaries are in the attack lifecycle, Pennino says.

“This provides agencies insight into where additional investment may be needed within their cyber programs to best protect their assets,” he adds.

How Federal Agencies Should Approach Threat Hunting

Agencies should take advantage of resources provided by CISA and other agencies “because their IT budgets are so strained,” Walker says. 

“Agencies are expected to adopt threat hunting capabilities but weren’t provided with specified funding,” he adds. “Agencies should also look to their peers — including state, local and tribal entities who have received grant funding for threat hunting projects — and engage with the trusted partners that aided them in successfully implementing modern, continuous threat hunting programs.”

From a federal government perspective, the top threat actors are nation-states engaged in espionage, including China, Iran, Russia and North Korea, Meyers says.

Ideally, agencies would “leverage internal dedicated resources to conduct threat hunting across their organizations,” since such resources “possess unrivaled knowledge of the agency’s environment and can quickly recognize activity or behaviors that may be anomalous,” such as a remote access tool that is not approved or typically used, Pennino says.

LEARN MORE: These are the top cyberthreats facing agencies.

In reality, it is “almost always necessary to partner with an external organization that provides expertise in threat hunting,” he adds.

“These organizations can offer assessments to understand the current maturity of a threat program, training designed to upskill threat hunters and other areas of expertise that require specialized skill sets that do not always make sense to build in-house.”