Pub. 8 2019 Issue 6

COMMUNITY BANK CYBER THREAT HUNTING

By Ty Purcell, GCIH, GPEN, GWAPT, CISA, CISSP

Cyber threat hunting has been popular for some time, and for good reason. Threat hunting means actively and iteratively searching your own networks in order to detect and isolate advanced threats. It is a proactive exercise, in total contrast to typical cyber defense, where it often seems we simply wait for an inevitable breach to occur. Too often the breach is discovered only when a kind third party (hopefully not a regulatory agency or law enforcement) makes contact and informs the institution of the situation. Threat hunting is appealing because it gives the sense of being active rather than sitting idle. However, since there is no silver bullet when it comes to cyber security controls, it is necessary to evaluate how effective threat hunting will be at each institution. The information security budget, the maturity of current cyber security controls, and the threats and risks the institution faces all play a part in analyzing the potential effectiveness of threat hunting and in determining whether an institution's cyber security posture is mature enough to benefit from it. Here are some fictional institutions that illustrate where threat hunting can be effective and where it cannot.

A-Bank

Fairly large at just over one billion dollars in assets, A-Bank is also a fairly new bank, founded only fifteen years ago. From the beginning, A-Bank has worked to build foundational cyber security controls into all aspects of its operations. It has followed guidance such as the Center for Internet Security's Top 20 Controls [i] and the NSA's Top 10 Cybersecurity Mitigation Strategies [ii]. A-Bank has implemented a vulnerability management program that includes running a vulnerability scanner weekly, actively mitigating identified vulnerabilities, and proactively patching systems found to be missing patches.

Additionally, A-Bank has segmented its internal network into zones, with access control lists in place to allow only authorized movement between zones. This has been enhanced by not allowing any network communication between workstations and other end-user devices, effectively preventing or significantly hindering lateral movement by an attacker. A-Bank has also eliminated password re-use throughout the bank. Each system has unique passwords for any local accounts. Service accounts also use unique passwords. These are all managed by a Privileged Access Management system. A final foundational control
