“You’re looking for the bad guys, the tracks they leave and their mistakes, and you’re also trying to predict where they’re headed, so it’s thinking like a Columbo — always asking the questions,” says Kevin Bocek, strategist at Venafi, a cyber security business.
In the digital world of cyber crime, it might seem odd to refer to a now old-fashioned figure such as Columbo, the bumbling and disheveled TV detective known for his crumpled raincoat and half-finished cigar who was always asking suspects “Just one more thing”.
But as security experts battle the increasingly sophisticated methods of today’s hackers, they say that the police lieutenant’s human investigative skills and insight are as important as software, data analysis and artificial intelligence in fighting crime.
The technique of cyber hunting, in which technology and human insight are combined to identify potential threats, takes a different approach from traditional cyber security. The traditional strategy has focused on detecting intrusions and blocking hackers’ entry through such means as firewalls, antivirus and intrusion detection software.
“That’s what we call the ‘known bad’ model,” says Jason Matlof, chief marketing officer of LightCyber, another supplier of digital security services.
“Those systems are trying to keep up with the latest attack threats, but they can never be fully up to date because of the dynamic changes going on in the hacking world,” he says.
Rather than designing security measures based on existing or past breaches, threat hunters focus on identifying emerging attacks or signs of a potential compromise to a system’s dependability.
Driving demand for this approach is the fact that each advance in technology creates a hacking opportunity — from data storage on remotely hosted servers to devices equipped with processors, software and web-enabled sensors that can capture and transmit data as part of the so-called internet of things.
“You have growing complexity and the bad guys are getting better and better at hiding their tracks,” says Mr Bocek.
Hackers can now even breach encrypted data, which Mr Bocek says represents more than 50 per cent of internet traffic.
This is problematic for companies since most of the tools used to detect cyber threats cannot inspect encrypted data. But threat hunting enables analysts to detect hackers who might be present on a system for several months (a period known as “dwell time”) while working out which servers, databases and accounts they need to control in order to prosecute their attack.
By actively looking for anomalies in IT networks, threat hunters can identify these potential breaches before an attack has been launched.
But this requires companies to know their systems well and to understand what constitutes normal activity, a capability known as “situational awareness”.
“That allows you to detect that there’s something new going on,” says Hardik Modi, vice-president of threat research at Fidelis Cybersecurity, another security service provider.
“Along with that, you need forensic information that allows you to investigate these anomalies,” says Mr Modi. “That’s the hunting aspect of this.”
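The “situational awareness” idea above, that a hunt starts from a picture of normal activity and then asks what does not fit, can be shown with a small baseline-and-deviation check. The following is an added example written for this page, not code from any of the companies quoted. It assumes a flat list of authentication events (timestamp, user, host, source IP) and learns “normal” from a constructed known-good window; the event data is made up for illustration, and real hunts would draw on far richer telemetry and on the analyst judgment the article stresses.

```python
"""Baseline-driven anomaly hunting over authentication events (added example).

Assumption: each event is (ISO timestamp, user, host, source_ip). The baseline
window is treated as known-good; the hunt window is what the analyst reviews.
"""
from collections import defaultdict
from datetime import datetime

# Constructed known-good window used to learn what "normal" looks like.
BASELINE_EVENTS = [
    ("2017-03-01T09:05:00", "alice", "ws-alice", "10.0.1.20"),
    ("2017-03-01T14:20:00", "alice", "ws-alice", "10.0.1.20"),
    ("2017-03-02T09:12:00", "alice", "ws-alice", "10.0.1.20"),
    ("2017-03-01T08:30:00", "bob", "ws-bob", "10.0.1.31"),
    ("2017-03-01T13:05:00", "bob", "fileserver", "10.0.1.31"),
    ("2017-03-02T08:45:00", "bob", "ws-bob", "10.0.1.31"),
]

# Constructed hunt window: a mix of routine logins and deviations from baseline.
HUNT_EVENTS = [
    ("2017-03-20T09:02:00", "alice", "ws-alice", "10.0.1.20"),
    ("2017-03-20T02:14:00", "alice", "fileserver", "10.0.1.20"),
    ("2017-03-21T13:10:00", "bob", "fileserver", "10.0.1.31"),
    ("2017-03-22T03:33:00", "bob", "db-01", "10.0.9.99"),
    ("2017-03-22T03:40:00", "svc_backup", "db-01", "10.0.9.99"),
]


def build_baseline(events):
    """Per user, record the hosts, source IPs and hours of day seen as normal."""
    profile = defaultdict(lambda: {"hosts": set(), "ips": set(), "hours": set()})
    for ts, user, host, ip in events:
        hour = datetime.fromisoformat(ts).hour
        profile[user]["hosts"].add(host)
        profile[user]["ips"].add(ip)
        profile[user]["hours"].add(hour)
    return dict(profile)


def hunt(events, profile):
    """Return events that deviate from the baseline, each with its reasons.

    Reasons are reported in a fixed order so findings are easy to compare:
    unknown user, then new host, new source IP and off-hours activity.
    """
    findings = []
    for ts, user, host, ip in events:
        hour = datetime.fromisoformat(ts).hour
        reasons = []
        known = profile.get(user)
        if known is None:
            reasons.append("unknown user")
        else:
            if host not in known["hosts"]:
                reasons.append("new host")
            if ip not in known["ips"]:
                reasons.append("new source ip")
            if hour not in known["hours"]:
                reasons.append("off-hours")
        if reasons:
            findings.append((ts, user, host, ip, reasons))
    return findings


def dwell_time_days(findings, detected_at):
    """Days between the earliest anomalous event and the time the hunt ran.

    This is the "dwell time" the article refers to: how long the activity was
    present before anyone looked at it.
    """
    first = min(datetime.fromisoformat(f[0]) for f in findings)
    return (datetime.fromisoformat(detected_at) - first).days


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_EVENTS)
    results = hunt(HUNT_EVENTS, baseline)
    for ts, user, host, ip, reasons in results:
        print(f"{ts} {user:<11} {host:<10} {ip:<10} {', '.join(reasons)}")
    print("dwell time (days):", dwell_time_days(results, "2017-04-01T09:00:00"))
```

The findings are leads for an analyst, not verdicts: a first-ever login to a file server at two in the morning may be an administrator working late, but the same user then reaching a database from an address never seen before is the kind of sequence a hunter would follow up. Checking the baseline window against its own profile returns nothing, which is a useful sanity test that the profile was learned correctly.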
Mr Modi and others say that, while computers can analyse vast volumes of data, the human element is critical. Experts are needed to assess deviations from the norm and investigate whether they are potential breaches.
Mr Bocek agrees. “The human brain can’t process the gigabytes of data but it can ask the right questions and it knows what doesn’t look right and how the machine can be fooled.”
For many companies, however, the resources needed for threat hunting — from software to data scientists and certified security analysts — are too costly and consume too much time.
“A threat hunter needs to have built up a strong sense of intuition and expert judgment about the distinguishing features of attackers,” says Eli Jellenc, vice-president of threat intelligence at Stroz Friedberg, a cyber security consultancy. “And there’s no replacement for that experience.”
With an eye on increasing demand for threat hunting, companies are coming up with new products. LightCyber’s behavioural attack detection products, for example, help companies to identify advanced or targeted attacks, insider threats and malware — malicious programs that have infected computers — that may have already circumvented traditional security controls.
Gartner, an industry research company, estimates that half of medium-sized and large organisations will add more advanced inspection features to their network firewalls by 2019. But while much attention is focused on threat hunting, Mr Jellenc stresses it is not the only answer.
“There is no silver bullet that can protect an organisation against 100 per cent of cyber attacks,” he says. “Threat hunting should be seen as only one important element in an organisation’s overall holistic security strategy.”