Bob Baxley, CTO at Bastille Networks, outlines how organisations can prepare themselves to tackle cybersecurity threats and learn to hunt them.
Enterprise security teams share a common goal – to protect their data and minimise the impact of attacks. They don’t want their data leaving the environment. They don’t want their systems to be shut down or services to be stopped, or even worse, have a hacker delete their data.
To prevent this, various protections are in place. A mature IT infrastructure might include endpoint sensors and agents on machines, monitoring what the machines do, and allowing certain activities while disallowing others. This is coupled with network sensors on routers, switches and modems that are detecting traffic and providing telemetry about that traffic. Ultimately, all the endpoint and network sensors are logging data to a SIEM, where signatures are running against that data to alert security teams when something bad is happening.
Unfortunately, traditional endpoint and network sensors aren’t enough – that’s where threat hunting comes in.
Threat hunting is a proactive approach to cybersecurity in which you are actively pursuing advanced threats, such as radio frequency (RF) threats, that have managed to evade existing security solutions. In threat hunting, security teams take that same log data and put human eyeballs on it to try to figure out where the threat is and how to defeat it.
But that is easier said than done.
To successfully hunt threats, an enterprise must have a well-instrumented security infrastructure. Security teams have to understand the traffic on their networks and the activities on their endpoints. Without proper visibility, this is impossible.
High-profile hacking
An enterprise may have really good visibility into on-net devices, and maybe even Wi-Fi, but virtually no visibility into RF network traffic and devices using the other protocols, such as Zigbee, Bluetooth and LTE, that hackers might be using to get into an environment.
Two of the most high-profile examples of these types of backdoor attacks are Target and TJ Maxx. Target suffered a major breach when hackers gained access via an HVAC system. 40 million credit card numbers were stolen and the breach was estimated to cost Target more than $200 million.
TJ Maxx suffered an attack when hackers broke into the company’s wireless LAN and stole 45 million records, including millions of credit card numbers.
“Banning RF devices from an environment is not enough”
In a perfect world, an enterprise’s network would be in perfect sync, with endpoint and network sensors instrumented and providing great telemetry about what all of their devices are doing.
But this is not the case for the vast majority of enterprises due to shadow IT equipment, vendor equipment, industrial control systems, and IoT devices that don’t support an endpoint agent. These devices may be RF-based and potentially have some other backhaul to the internet, acting as a portal and allowing hackers into and out of a network.
And since RF network traffic and devices are invisible, without the proper tools, an enterprise has no idea what is transpiring in the RF space going in and out of their environment.
Simply banning RF devices from an environment is not enough. There are billions of RF devices and gadgets that could easily (whether innocently or maliciously) enter an environment and put an enterprise at risk.
CISOs and other security leaders should ask themselves these five questions to determine their readiness for RF threats:
1. What RF networks are in my facilities?
2. What devices in my facilities bridge an RF interface to the corporate network, thereby exposing a new attack surface?
3. Do I have these RF interfaces and devices appropriately secured?
4. What is the layer 1 and 2 data associated with RF networks in my space?
5. Are my RF devices conforming to RF policies?
If you are unable to answer these questions, you are playing roulette with your organisation’s safety and security. No amount of threat hunting will secure your company if you are hunting in the dark.
You can’t hunt what you can’t see.