Managed Detection and Response

Proactive Threat Hunting

Telesoft’s TDAC provides security and network operations teams with a threat hunting tool that enables them to query and investigate data, to identify and neutralise threat actors within their network before they strike.

Written by

Team Nucleus

Written on

17th August, 2021



The 400G Telesoft FlowProbe provides highly accurate, unsampled network metadata, which is stored in Telesoft’s petabyte data lake. With access to this extensive data lake of metadata, raw network traffic and real-time Indicators of Compromise, TDAC enables network operators to carry out proactive threat hunting and identify malicious actors within their network.

Data is analysed, enriched, correlated and presented in real-time, reducing time and resources to act on events and observations. Read further to understand the benefits of Telesoft’s threat hunting solution.


When it comes to cyber security, companies use a variety of methods to protect their systems from malicious attacks. From firewalls and antivirus software to endpoint security, these are all reactive cyber security methods.

However, many companies are beginning to understand the benefits of proactive threat hunting. Below we’ve laid out the three main benefits of proactive cyber security as an element of your cyber security strategy.


Reactive cyber security methods work by detecting what are referred to in the industry as “known knowns” – something that has already been identified as a threat, such as a bad IP address or domain. With reactive cyber security, the malicious actor must threaten your network in some way in order to be identified. 

But the average threat actor has a dwell time of 180 days. That means an attacker could be hiding dormant in your network for months before taking any malicious action. In this time they could be learning about your network in depth and understanding any weaknesses before mounting an attack. 

Proactive threat hunting techniques have developed as a way to detect and identify what the industry calls “unknowns” – malicious actors that haven’t yet launched malicious activity, and therefore have yet to be uncovered by reactive methods. While attackers dwell in your network, security teams have an opportunity to proactively identify the threat and learn more about it using Telesoft TDAC.

Network anomaly detection with Telesoft TDAC allows operators and security teams to identify malicious actors lurking within networks before they have the opportunity to carry out their objectives, whether that’s delivering malware or ransomware or exfiltrating data. Once identified, the threat can either be removed immediately, or security teams can choose to monitor it in order to gain a better understanding of its behaviour. 


Once an “unknown” is identified through threat hunting, most companies’ immediate response would be to remove it from the network. However, there is a benefit to monitoring and observing its behaviour before responding. This helps network operators gain a unique perspective on malicious actors’ Tactics, Techniques and Procedures (TTPs), and in doing so, the unknown becomes a “known known.” Understandably, this type of monitoring can only continue up to the point at which operators must intervene to prevent damage.

Learning from the TTPs of threat actors in this way makes it easier to identify, track and remove similar activity in future. Any intelligence gathered from monitoring the previously unknown threat’s behaviour can then be shared with threat intelligence communities, helping to advance the field and protect more networks from attack.

By analysing the metadata from all mobile and internet communications, TDAC allows security teams to store and analyse huge amounts of data over long periods of time. This allows them to track the behaviour patterns of threat actors from the point at which they first infiltrated the network, even when the threat is identified at a much later date.


Being able to identify malicious activity within a network prior to the threat actor having an effect minimises the damage done to a company, both financially and reputationally. 

Cyber attacks have been characterised into seven stages, known as the Cyber Kill Chain:

  1. Reconnaissance – a target is identified and researched to identify vulnerabilities.
  2. Weaponization – malware is created to exploit the target’s vulnerabilities.
  3. Delivery – the weapon is transmitted to the target through methods like email attachments.
  4. Exploitation – the malware starts the action to exploit the target’s vulnerabilities.
  5. Installation – malware installs an access point for the attacker.
  6. Command and Control – malware gives the attacker access to the network.
  7. Actions on Objective – the attacker takes action to fulfill their objective, such as encryption for ransom.

Telesoft threat hunting enables network operators to identify and break the Cyber Kill Chain from stages 3 to 6, before the malicious actor can reach stage 7. 

Stages 3 to 6 of the cyber kill chain are all points at which the threat actor has gained access to a network and is actively moving around and trying to understand the environment prior to conducting stage 7. Monitoring activity throughout these stages can enable a more effective removal of the threat actor prior to stage 7, mitigating any real damage being done.


Our threat hunting solution has numerous benefits to companies who want to proactively prevent cyber attacks, including:


Storing large amounts of data is fundamental to retaining the data required to proactively hunt for threats. Some networks are seeing over 10 Tbps of traffic, resulting in large storage requirements. Many solutions cannot scale to this – but Telesoft offers petabyte storage through our data lake.


When it comes to proactive threat hunting, looking at everything and capturing data from every flow is the only way to see the complete picture. Many competitors sample data, but this does not provide the comprehensive visibility required for the most effective threat hunting. Telesoft offers unsampled visibility, meaning full visibility of the entire network for thorough analysis.


Many solutions that retain data do so only for short periods – such as a week or a month. But what if something happened three months ago? Our data lake can scale to retain data for months, and even in excess of a year in some cases, meaning you’ll have long-term visibility of data to enable thorough analysis of past anomalies and identify threats which have been dormant on the system for long periods.


Investigating and analysing the vast data is an additional challenge. TDAC’s flexible interface, based on regular expressions, enables the user to define specific behaviours they want to search for across definable timeframes. By iteratively adjusting rules and analysing the returned data, users can home in on potential threats within their historical network data. Once threat characteristics are identified, these can be added to TDAC’s automated detection algorithms for detection in real time.

These four points are key to enable threat hunting to take place for network operators; they can’t hunt for a potential threat if they haven’t seen it (due to sampling) or simply don’t have the records as the retention period is too short.
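The following is an added illustration of the hunting workflow described above, written for this page and not Telesoft’s or TDAC’s own code: regex-based rules run over a retained window of unsampled flow metadata, narrowed iteratively, pivoted back to the point of first contact (the dwell-time view from the long-retention paragraph), and finally promoted into a real-time detector. The flow field names, the sample records, the hex-label DNS hypothesis and the 8443 port are all constructed for the example.

```python
"""Hypothetical regex-driven hunt over retained flow metadata (not TDAC code)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Iterable, Iterator, List


@dataclass(frozen=True)
class Flow:
    """One unsampled flow record. Field names are this example's own assumptions."""
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str
    bytes_out: int
    dns_qname: str = ""   # populated only for DNS flows


# Constructed sample: four months of retained metadata for two internal hosts.
T0 = datetime(2021, 3, 1, 9, 0)
FLOWS: List[Flow] = [
    Flow(T0, "10.0.1.5", "198.51.100.7", 443, "tcp", 1_200),
    Flow(T0 + timedelta(hours=1), "10.0.1.5", "10.0.0.53", 53, "udp", 80, "updates.example.net"),
    Flow(T0 + timedelta(days=3), "10.0.1.5", "10.0.0.53", 53, "udp", 90, "a1b2c3d4e5f6a7b8.cdn-sync.test"),
    Flow(T0 + timedelta(days=3, minutes=1), "10.0.1.5", "203.0.113.9", 8443, "tcp", 600),
    Flow(T0 + timedelta(days=10), "10.0.1.5", "203.0.113.9", 8443, "tcp", 610),
    Flow(T0 + timedelta(days=45), "10.0.2.8", "10.0.0.53", 53, "udp", 90, "9f8e7d6c5b4a3f2e.cdn-sync.test"),
    Flow(T0 + timedelta(days=45, minutes=2), "10.0.2.8", "203.0.113.9", 8443, "tcp", 590),
    Flow(T0 + timedelta(days=120), "10.0.2.8", "203.0.113.9", 8443, "tcp", 52_000_000),
]

Rule = Callable[[Flow], bool]


def regex_rule(field: str, pattern: str) -> Rule:
    """Predicate matching a regular expression against one flow field rendered as text."""
    rx = re.compile(pattern)
    return lambda f: rx.search(str(getattr(f, field))) is not None


def hunt(flows: Iterable[Flow], rules: List[Rule], start: datetime, end: datetime) -> List[Flow]:
    """Flows inside [start, end) that satisfy every rule: one historical query."""
    return [f for f in flows if start <= f.ts < end and all(r(f) for r in rules)]


def promote_to_detector(rules: List[Rule]) -> Callable[[Iterable[Flow]], Iterator[Flow]]:
    """Turn refined hunt rules into a streaming detector for live flows."""
    def detect(stream: Iterable[Flow]) -> Iterator[Flow]:
        return (f for f in stream if all(r(f) for r in rules))
    return detect


def run_hunt(flows: List[Flow] = FLOWS) -> dict:
    """Three iterative passes over the retained window, then promotion."""
    start, end = T0, T0 + timedelta(days=365)
    # Pass 1 (broad): DNS names whose first label is 16 hex characters. This is
    # an illustrative hunting hypothesis for the example, not a published indicator.
    dns_hits = hunt(flows, [regex_rule("dns_qname", r"^[0-9a-f]{16}\.")], start, end)
    # Pass 2 (narrow): non-DNS connections by the same hosts within 5 minutes of
    # each suspicious lookup, to find the server the lookup led to.
    follow_on = [g for f in dns_hits for g in flows
                 if g.src == f.src and f.ts < g.ts <= f.ts + timedelta(minutes=5) and g.dport != 53]
    peers = sorted({g.dst for g in follow_on})
    if not peers:
        return {"dns_hits": len(dns_hits), "peers": []}
    # Pass 3 (pivot): the full retained history for the suspected peer, back to first contact.
    peer_rule = regex_rule("dst", "^" + re.escape(peers[0]) + "$")
    port_rule = regex_rule("dport", r"^8443$")
    history = sorted(hunt(flows, [peer_rule, port_rule], start, end), key=lambda f: f.ts)
    # A bulk outbound transfer to the peer (8+ digit byte count) is a stage-7 candidate.
    bulk = hunt(flows, [peer_rule, regex_rule("bytes_out", r"^\d{8,}$")], start, end)
    return {
        "dns_hits": len(dns_hits),
        "peers": peers,
        "history_count": len(history),
        "first_seen": history[0].ts.isoformat(),
        "affected_hosts": sorted({f.src for f in history}),
        "bulk_transfers": len(bulk),
        # Full days between first contact and the bulk transfer: the dwell time the
        # hunt exposes (116 in the sample data, i.e. 117 days less one minute).
        "dwell_days": (bulk[0].ts - history[0].ts).days if bulk else None,
        "detector": promote_to_detector([peer_rule, port_rule]),
    }


# Constructed "live" flows to show the promoted rules running in real time.
LIVE = [
    Flow(datetime(2021, 8, 17, 10, 0), "10.0.3.2", "198.51.100.7", 443, "tcp", 900),
    Flow(datetime(2021, 8, 17, 10, 1), "10.0.3.2", "203.0.113.9", 8443, "tcp", 640),
]


def live_alerts(flows: Iterable[Flow] = LIVE) -> List[str]:
    """Source hosts the promoted detector flags in a live stream."""
    detect = run_hunt()["detector"]
    return [f.src for f in detect(flows)]


if __name__ == "__main__":
    for key, value in run_hunt().items():
        if key != "detector":
            print(f"{key}: {value}")
    print("live alerts:", live_alerts())
```

Two points this makes concrete: the third pass only works because the records from day 3 are still retained when the anomaly is noticed on day 120, which is the retention argument above; and because every flow is present rather than sampled, the one-minute gap between the DNS lookup and the first 8443 connection is visible, which is what lets the second pass tie the lookup to its peer.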

Ready to start threat hunting in your network? Book a demo with Telesoft today to discuss our threat hunting solution. 

