
Threat-Hunting Thursday

October 5, 2017 (updated January 8th, 2019)

We are now at the tail end of Security Serious Week 2017, which has been a fantastic period for building cybersecurity awareness. Kicking off today’s edition in our week-long cybersecurity series is Threat-Hunting Thursday, and we have selected the great mind of Josh Mayfield, platform specialist, Immediate Insight at FireMon, for an in-depth Q&A analysis looking at today’s threats, the evolving landscape within cyber, and what defence systems are available to those who wish to stay one step ahead of attackers.

How would you define Threat and what are the differences between Threat, Risk and Vulnerability?

[JM] Threats are unique from vulnerabilities and risks because they express ‘intent’.  Threats come in many forms and sources, but the key marker for any threat is the intent to cause harm or damage.  Look at ransomware, malware, DDoS, data exfiltration…all of them begin with an intent to do harm.


Risk is simply a quantified metric of potential loss or damage.  Risk metrics are based on circumstance (internal or external) that can leave the organization or individual in a precarious position.

Financial services (banks) and healthcare, for example, are at greater risk because the circumstances of their business brings them into a cohort of organizations that are regular targets of cyberattack.  Organizations use risk to better understand the future, potential outcome of damaging events.  Factored into this equation are their current vulnerabilities.


Vulnerability is all about the susceptibility of harm.  If threats are exogenous factors of potential loss or damage, vulnerability is the endogenous side of that ledger.  Vulnerability assessment begins with a look at oneself and quantifying the likelihood of loss or damage based on attributes within.

Cybersecurity vulnerability begins with an honest assessment (a diagnosis) of the endogenous systems – finding the weak spots.


In short:

  • Threat, the intentional conduct of someone (internal or external) to cause harm
  • Risk, a quantifiable metric of potential harm, given the circumstances and environment
  • Vulnerability, the attributes native to the organization or individual that increase the probability of harm


WannaCry, Power Grids hacked, Deloitte – What has surprised you most about the types of attacks that have occurred in 2017? And do you think today’s enterprises are taking security seriously?

[JM] I wish I could say that the cyberattacks and data breaches of 2017 surprised me.  But given the milieu of cybersecurity practices, it was the only outcome one could predict.  We didn’t know where or how these attacks would happen, but it should be widely agreed by now that our present disciplines are not equipped to manage the threats organizations face.


Principally, organizations have a dearth of imagination when assessing their threats, risks, and vulnerabilities.

To fully predict and prevent cyberattacks requires complete knowledge of the current state of the world with its ever-changing variables and probabilities, something close to omniscience.  And omniscience tends to be out of reach for human beings.

Right-thinking organizations are going on offense – threat hunting.  This marks a turning point in cybersecurity; moving to methods and tactics that value ignorance and evidence-based pursuits, rather than heuristics and confirmation biases.  We are seeing a slow but noticeable shift, let us hope it continues.

Attackers have become increasingly more innovative with their attacks, so what can individuals and enterprises do to stay one step ahead? What defence mechanisms would you advise?

[JM] Attackers are human.  Humans are goal-directed, not stimulus-driven.  Years ago, the attacker community traded in the currency of respect; making a name for oneself within the community was the ultimate goal.  Now, the financial motive has become the principal driver of attacker behaviour.  To service this financial goal, attackers will use the most effective tools at their disposal.

Cybercriminals are responding to incentives as any economic actor would in an economic world.  With these financial incentives in place, it is no wonder that attackers would opt for ransom instead of depreciating inventories of stolen data.


To stay ahead of this innovation curve, organizations need to do three things:

  1. Automate policy management (prevention)
  2. Automate data analysis (detection)
  3. Automate actions (response)


Each of these measures will serve an organization experiencing two forces: 1) Personnel/skills shortage, 2) Increased complexity and sophistication of cyberattacks.


Automating policy management provides you with the prevention needed without having an army of device technicians constantly updating access control lists (ACLs) in an ever-changing world.  Automating data analysis provides organizations with the needed capability of threat hunting without having to employ Minority Report precogs to detect threats.  Automating actions provides the speed of patching what’s been affected, the closest we can currently get to self-healing computers and networks.



With the cyber landscape in its current state and with IoT and cloud adoption expanding, looking ahead, what do you see being the biggest threats in 2018?

[JM] After this diatribe about the history of prediction, one may think I am being hypocritical by making statements of what will happen in 2018.  But isn’t it the goal of any method to take in data from the past and confidently make predictions about the future?  Of course!


I believe the current model of Passive Security will keep its strong grip.  But guess what?  While organizations cling to what they know, cybercriminals are going to advance.  Maintaining this model will likely bring the following unpleasant headlines:


  • A major bank in the U.S. or Western Europe will lose over 100 million records
  • A major Western government will experience a breach where over 20 million full citizen profiles are abducted
  • A major healthcare provider will have their Amazon S3 breached, exposing millions of patient records
  • In the wake of a breach (perhaps from 2017), a major company will be charged with criminal neglect and broken up by a Western government


Our methods will evolve; we will overcome this.  A new method has been introduced and it has gained a toehold.  It will bide its time until more hapless methods, tragically, run their course.


By Rohit Chavda, Account Executive