A Threat Intelligence Approach Versus a Threat Hunting Approach to Cybersecurity

Have you ever tried three-dimensional chess? It is very hard to play and even harder to win. Cybersecurity is like that. In cybersecurity, it is no secret that the threat actors are usually one step ahead of the countermeasures devised to thwart and defeat them. There are more than 50,000 active types of malware available to threat actors, and this repository keeps growing, notwithstanding recent news about open-source countermeasures or decryptors. The sad fact is that the bad guys are almost always ahead of the good guys in the cybersecurity realm.

It is for that reason that it is pertinent to evaluate a ‘Threat Intelligence’ approach versus a ‘Threat Hunting’ approach to securing your company. We are advocating a threat hunting approach, albeit one that uses threat intelligence as well. We believe that threat intelligence and Artificial Intelligence (AI) alone are not sufficient to defeat advanced threats, particularly as the bad guys are now themselves using AI in their attacks. Trying to keep up with the bad guys is a bit of a losing proposition.

Let’s evaluate traditional threat intelligence against threat hunting to see whether there is a better approach.

A threat intelligence approach is one where you seek to anticipate and prevent threats using a vast pool of threat intelligence as a baseline of knowledge, then extrapolate from it using Artificial Intelligence (AI) and Machine Learning (ML) to add context and behaviors and to look for Indicators of Attack (IoA) in real time or near real time. With this algorithmic approach, one would expect to prevent and/or detect a large proportion of threats; however, you will not detect or prevent all of them, because the bad guys continuously evolve their malware to bypass threat intelligence-based cyber defenses. It is very hard to keep up with the constantly evolving threat landscape.

In simple terms, the odds are stacked against you in detecting and preventing the most advanced threats when using an AI-based algorithmic threat intelligence approach alone. The threat actors are themselves cybersecurity experts: they purchase or try out most common cybersecurity defense products, test their malware against them in a virtual machine to find ways to neutralize or bypass them, and only when they are sure their payloads will bypass the defenses do they launch a sophisticated attack. These sophisticated attacks comprise about 5 to 10% of all attacks, and they mostly succeed in bypassing threat intelligence and AI-based defenses. That’s why we continuously hear of big cybersecurity companies being breached. A major flaw in the threat intelligence approach is that if something is not known to be bad or suspicious, it is assumed to be OK. That is not a true ‘Zero Trust’ approach.

A threat hunting approach is different. OmniSecuritas have partnered with CYDEF (www.cydef.ca), an innovative Canadian cybersecurity company with a unique, patented, threat hunting approach to cybersecurity. CYDEF has a methodology that turns traditional cyber defense on its head: by focusing on what constitutes a normal, expected baseline of activities and behaviors, then investigating all deviations from that baseline. CYDEF’s world-class managed detection and response cybersecurity product is called SMART-MONITOR. Smart-Monitor is enabled by Artificial Intelligence (AI) and Machine Learning (ML) and has several patents. CYDEF’s Smart-Monitor uses human threat hunters, combined with AI and ML, to find the most advanced threats and neutralize them. This next-generation Endpoint Detection and Response (EDR) provides companies with visibility into what’s happening on their endpoints so they can feel secure doing business online.

When you combine an innovative threat hunting approach that baselines good, normal behavior and then focuses on everything not known to be good, with threat intelligence databases, you get a powerful, effective solution. Yes, Smart-Monitor uses threat intelligence, just like the large cybersecurity companies; however, we have added powerful tools that enable human threat hunters to review thousands of logs, baselining normal activities, with a focus on exceptions. This approach is a true ‘Zero Trust’ approach which yields almost no false positives and which catches sophisticated threats that have bypassed the firewall, Anti-Virus (AV) and automated, algorithmic, threat intelligence-based solutions. Human threat hunters are built into our methodology, and the AI is used to remove good, normal, expected activities from the analysis so that the human-in-the-loop can focus on the exceptions. Machine Learning (ML) is then used to build up a compendium of known good, normal activities, thereby making Smart-Monitor smarter over time.
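The difference between the two approaches is easiest to see on data. The following is an added illustration for this post, not CYDEF's or Smart-Monitor's code: a "known-bad" filter (threat intelligence) and a "known-good" baseline filter (threat hunting) are run over the same constructed set of endpoint process launches. The event shape (user, parent process, child process), the baseline window, the `min_count` threshold and the indicator list are all assumptions made up for the example.

```python
from collections import Counter

# Constructed baseline window: process launches (user, parent, child) seen on one host.
BASELINE_EVENTS = [
    ("alice", "explorer.exe", "outlook.exe"),
    ("alice", "explorer.exe", "outlook.exe"),
    ("alice", "outlook.exe", "winword.exe"),
    ("alice", "outlook.exe", "winword.exe"),
    ("svc_backup", "services.exe", "backup.exe"),
    ("svc_backup", "services.exe", "backup.exe"),
    ("alice", "explorer.exe", "updater_trial.exe"),  # seen once: too rare to trust
]
# Constructed threat intelligence feed: process names known to be bad.
KNOWN_BAD = {"mimikatz.exe", "cryptolocker.exe"}
# Constructed events from the day under review.
TODAY = [
    ("alice", "explorer.exe", "outlook.exe"),       # routine
    ("alice", "outlook.exe", "winword.exe"),        # routine
    ("alice", "winword.exe", "powershell.exe"),     # Office spawning a shell: never seen before
    ("alice", "explorer.exe", "cryptolocker.exe"),  # matches the intel feed
    ("svc_backup", "services.exe", "backup.exe"),   # routine
    ("svc_backup", "services.exe", "rclone.exe"),   # new tool under a service account
    ("alice", "explorer.exe", "updater_trial.exe"), # was not frequent enough to baseline
]

def build_baseline(events, min_count=2):
    """Compendium of known good: tuples seen at least min_count times in the window."""
    return {ev for ev, n in Counter(events).items() if n >= min_count}

def threat_intel_triage(events, known_bad):
    """Threat intelligence approach: anything not known bad is assumed OK."""
    return [ev for ev in events if ev[2] in known_bad]

def threat_hunting_triage(events, baseline, known_bad):
    """Threat hunting approach: the baseline removes known good, everything else is queued for a human."""
    queue = []
    for ev in events:
        if ev in baseline:
            continue  # known good, normal activity: suppressed before a hunter sees it
        label = "known-bad" if ev[2] in known_bad else "exception"
        queue.append((label, ev))
    return queue

if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    print("threat intel flags:", threat_intel_triage(TODAY, KNOWN_BAD))
    for label, ev in threat_hunting_triage(TODAY, base, KNOWN_BAD):
        print(f"{label:10} {ev}")
```

The intel-only pass flags a single event (the feed match) and silently passes the Office-to-shell and rclone launches; the baseline pass suppresses the three routine events and hands the hunter four items, with the feed match labelled for priority.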

When trying to play three-dimensional chess against sophisticated threat actors, there is no AI more powerful than the human brain that has intuition, cultural contextual knowledge, understands subtlety, and has good old-fashioned skepticism to uncover anomalies and investigate them. When you provide human threat hunters with powerful tools and information (rather than data), you are onto a winning approach. Threat hunting is the way to win the three-dimensional chess match against bad actors.