Proactive Managed Threat Hunting – Why Forewarned is ForearmedThreat hunts can proactively identify compromises and discover malicious activity not detected by automated tools, enabling organizations to mitigate threats before they have a substantial and costly impact. By: Barry Hensley, Secureworks Chief Threat Intelligence Officer
Nobody enjoys unpleasant surprises. That’s particularly true when the surprise is discovering that threat actors have snuck past your organizational cyber defenses. But it’s far better to experience that surprise when you still have time to prevent its effects from being truly catastrophic.
I was strongly reminded of that when I saw some metrics from the threat hunting assessments we’ve performed for our customers so far this year. The following are some of the things we discovered from those threat hunts:
- 53% of customers had remnants of malware infections on their systems that had not been remediated
- 30% had commodity malware on their systems that hadn’t been detected
- 87% were running improper account configurations, such as using default administrator accounts, weak passwords, shared accounts, and worse
- 87% had inadequate security controls
- 57% had employees who were deliberately bypassing existing controls
- 17% needed immediate incident response assistance because of previously undetected acute threat activity in their environment, 75% of which were pre-ransomware indicators.
I’m sure that all of these customers were unpleasantly surprised by these findings. Many were one or two steps from the sort of surprise that could have cost them millions of dollars in disruption, downtime, and remediation. And let’s not forget that those are just the customers who have requested a threat hunt. The unpleasant surprise ratio could be considerably higher for those who haven’t yet done so.
Toward the end of 2021, we still find ourselves in a world where remote working continues to be a necessity for many, where ransomware groups grow increasingly blatant in their activities, and where the move to the cloud has provided new security challenges. The number of zero-day vulnerabilities this year has far exceeded previous totals. Threat actors of all types are able to take advantage of publicly available tools like Cobalt Strike to compromise their victims. It all adds up to increased risk.
Where organizations are going through additional stressors, the risks can be even greater. These stressors can be periods of change or flux in their environment, mergers and acquisitions, new business partnerships with inter-system connectivity, new customers with a different geopolitical footprint than their own, or moving into new markets or locations.
We know that organizations are working hard to reduce their risk and to defend themselves against these threats. Yet our findings show that many do not have the right prevention and detection tools in place to catch these threats. A continued reliance on network detection rather than endpoint and cloud monitoring and detection hampers their abilities to detect the threat and respond appropriately. An essential part of changing to a more effective security posture is starting from a clean slate. There’s no point in double locking the doors when the attacker is already inside.
In October, we described how to plan a threat hunt. However, we recognize that for many of our customers, threat hunting at the level, depth, and frequency that they need is a huge challenge. That’s why we’ve launched Secureworks® Taegis™ ManagedXDR Elite, our premium MDR service that offers proactive managed threat hunting to identify threats that bypass traditional detection. It leverages the deep scanning and analytics of the Taegis platform, and a designated threat hunter serves as an extension of a customer’s security team.
When it comes to preventing security threat, forewarned really is forearmed. Proactive managed threat hunting stops unpleasant surprises from becoming catastrophic ones.
Learn more about risks to organizations in the 2021 State of the Threat report.