Threat Hunting and the Presumption of Compromise
If an ounce of prevention is worth a pound of cure, then a byte of threat hunting is worth a kilobyte of post-breach reaction.
“Threat hunting is a practice of proactively searching for threats that are lurking on your network,” says Brian Kelly, former director of cybersecurity at EDUCAUSE and now virtual CISO at Compass IT Compliance. “You’re not actively responding to a known breach.”
Instead, “Threat hunting takes the traditional approach to cybersecurity and turns it inside out,” notes a CDW blog post. “While most security controls are designed to keep intruders out, threat hunting adopts a mindset called the ‘presumption of compromise.’”
Rather than waiting to react to a known breach, threat hunters operate under the assumption that adversaries have already penetrated the organization's network. They then use the telemetry and tools at their disposal to search for evidence that tests that assumption: a hypothesis about how an intruder would behave, checked against logs, endpoint data and network traffic. Confirming such a hunch early lets them respond and mitigate risk before a foothold grows into a full-scale, and potentially costly, data breach.
Threat hunting is often treated as something that's nice to have rather than mandatory, particularly at institutions that lack the budget or staff to develop, implement and sustain a comprehensive program. Over time, however, investing in it begins to make more sense, whether through the natural evolution of a maturing security strategy, growth in resources, or institutional leadership coming to recognize the value of finding and mitigating risk before it grows into a major incident.
Take, for example, Virginia’s University of Richmond, where threat hunting has become a critical part of the organization’s IT security strategy.
A Proactive Approach to a Persistent Cybersecurity Problem
At Richmond, the institution’s IT team follows a defense-in-depth model, which includes threat hunting as part of a layered approach to cyberdefense. “We’ve come a good distance over the past year and a half,” says John Craft, the university’s director of information security.
For most organizations, Craft says, it is only a matter of time before a threat that jeopardizes operations evolves into a costly breach. “The more visibility you have within your environment, and the more capabilities you have to employ threat hunting to analyze the events that are occurring, the more likely you’re going to be able to prevent something disastrous,” he says.
One of the university’s most recent steps was implementing a security information and event management solution, a key element of the defense-in-depth model. “It takes disparate systems events and it correlates them and integrates them into a threat intelligence feed,” Craft says. “Then, it analyzes that and produces alerts for us so that we can respond accordingly.”
While the SIEM plays a critical role in the university's overarching threat hunting strategy, the technology also brings a challenge: the greater capacity to aggregate events and surface threats produces an influx of alerts and intelligence to wade through, interpret and prioritize.
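As an added illustration (example code written for this article, not the university's or any vendor's SIEM logic), the following Python sketches what the correlation and prioritization described above look like at the smallest scale: two disparate log sources (SSH logins and endpoint DNS queries) are parsed, checked against a threat-intelligence list, joined on host and time, and an allowlist of documented login sources removes one class of noise before anything is scored. Every log line, hostname, IP address (RFC 5737 documentation ranges), the campus network range, the indicator domain and the allowlist entry are constructed for the example.

```python
"""Toy event correlation: two log sources, one intel feed, one allowlist."""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample logs (not real data). Each line carries the host that emitted it.
AUTH_LOG = """\
2024-03-04T09:12:03Z web01 sshd[2211]: Accepted password for deploy from 203.0.113.7 port 51544 ssh2
2024-03-04T09:13:40Z web01 sshd[2215]: Accepted publickey for deploy from 10.20.0.5 port 40112 ssh2
2024-03-04T09:20:15Z db02 sshd[1188]: Accepted publickey for dba from 10.20.0.9 port 51102 ssh2
2024-03-04T09:33:48Z jump01 sshd[3301]: Accepted publickey for ci from 198.51.100.23 port 60011 ssh2
2024-03-04T09:50:07Z web03 sshd[2790]: Accepted password for www from 192.0.2.44 port 41000 ssh2
2024-03-04T09:51:00Z web03 sshd[2791]: Failed password for root from 192.0.2.44 port 41002 ssh2
"""
DNS_LOG = """\
2024-03-04T09:13:05Z web01 dnsquery: updates.example.edu A
2024-03-04T09:14:21Z web01 dnsquery: c2.bad-domain.test A
2024-03-04T09:41:55Z db02 dnsquery: c2.bad-domain.test A
2024-03-04T10:30:00Z db02 dnsquery: mirror.example.edu A
"""
INTEL = {"c2.bad-domain.test"}            # constructed threat-intel indicator
ALLOWLIST = {"198.51.100.23"}             # constructed: documented CI runner egress address
CAMPUS_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed institutional range

AUTH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted \w+ for \S+ from (?P<src>\S+) port")
DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) dnsquery: (?P<qname>\S+) \S+$")


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    kind: str    # "login" or "dns"
    detail: str  # source IP for logins, query name for DNS


def parse(log, pattern, kind, field):
    """Turn matching log lines into Events; lines the pattern doesn't fit are skipped."""
    events = []
    for line in log.splitlines():
        m = pattern.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, m["host"], kind, m[field]))
    return events


def is_campus(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CAMPUS_NETS)


def hunt(auth_log, dns_log, intel, allowlist, window=timedelta(minutes=15)):
    """Hypothesis: an off-campus login followed by an IOC lookup on the same host is a live intrusion."""
    logins = parse(auth_log, AUTH_RE, "login", "src")
    queries = parse(dns_log, DNS_RE, "dns", "qname")
    # Signal 1: successful logins from outside campus, minus documented noise sources.
    ext_logins = [e for e in logins if not is_campus(e.detail) and e.detail not in allowlist]
    # Signal 2: lookups of domains on the intel feed (never suppressed by the allowlist).
    ioc_hits = [e for e in queries if e.detail.lower().rstrip(".") in intel]

    alerts, matched = [], set()
    for hit in ioc_hits:
        prior = [l for l in ext_logins
                 if l.host == hit.host and timedelta(0) <= hit.ts - l.ts <= window]
        if prior:   # both signals on one host inside the window: top priority
            last = max(prior, key=lambda e: e.ts)
            gap = int((hit.ts - last.ts).total_seconds())
            alerts.append(("HIGH", hit.host,
                           f"external login from {last.detail} then IOC lookup {hit.detail} within {gap}s"))
            matched.update(prior)
        else:       # an IOC hit alone still deserves a look
            alerts.append(("MEDIUM", hit.host, f"IOC lookup {hit.detail}"))
    for l in ext_logins:
        if l not in matched:   # lone external logins are the noisy tail of the queue
            alerts.append(("LOW", l.host, f"external login from {l.detail}"))
    rank = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    alerts.sort(key=lambda a: (rank[a[0]], a[1]))
    return alerts


if __name__ == "__main__":
    for sev, host, why in hunt(AUTH_LOG, DNS_LOG, INTEL, ALLOWLIST):
        print(f"{sev:6} {host:7} {why}")
```

Run as-is, it yields one HIGH alert for web01 (login from 203.0.113.7 followed 138 seconds later by the indicator lookup), one MEDIUM for db02 (indicator lookup with no preceding off-campus login) and one LOW for web03; the jump01 login disappears because its source is allowlisted. Note the design choice on noise: the allowlist suppresses only the login signal, so an indicator hit on jump01 would still surface as MEDIUM. Suppressing the events themselves would be cheaper but would blind the correlation that makes the HIGH alert possible.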
This is where managed service providers (MSPs) — and managed threat hunting in particular — become crucial.
Minding the Resource Gap with Managed Threat Hunting
While having the resources to proactively identify threats is hardly something to complain about, it does introduce a complex new reality: The more threats you find, the more work you have to do.
It’s a huge undertaking, even for a large university with a C-suite that understands, embraces and supports the need for threat hunting as part of a comprehensive IT security strategy.
“One of the challenges, of course, can be filtering out the noise,” Craft says. “Because you do get a lot of noise. And that’s where you need skilled and experienced analysts on board to monitor the information that is, in fact, vital.”
However, even when an institution has analysts with those skills on staff, they may already carry a full workload and lack the bandwidth to take on the additional demands of sustaining a threat hunting program. To fill that gap, some colleges and universities, including Richmond, rely on managed threat hunting services or partners.
With an ever-growing range of competitors, choosing the right MSP for managed threat hunting can prove challenging. “It’s important to find a vendor that understands the higher education market,” says Keith McIntosh, Richmond’s vice president of information services and CIO, and a member of EdTech’s 2023 list of top higher ed IT influencers. “There are a lot of players in the space, but a lot of them cater to a different audience.”
Colleges and universities should also investigate a potential MSP’s reputation and credibility in the higher education community and learn whether its approach aligns with the institution’s needs and goals.
“I’m looking to see what other higher education institutions have done and who have they partnered with,” McIntosh says. “We needed to find a value-added partner that actually understood who we are at the University of Richmond and what we needed to do.”