Security to Zone Three
“Defenses are almost never airtight.”
This comment, made in the opening minutes of our recent Cyber Threat Hunting webinar, speaks volumes about cybersecurity. It tells us that an attacker will, one way or another, find a way through our defenses. It says that security is a continuous, ever-changing process. It says that we can never stop adapting or learning from our mistakes.
One element of the webinar that caught my attention was the analogy between cybersecurity and retail stores. It’s a simple concept, really. Retail stores have perimeter defenses, like security cameras and scanners at the exits that are akin to firewalls and endpoint agents on our networks. If you’ve ever worked in retail, you know that these defenses are hardly insurmountable. A determined shoplifter will make his way past them, often quite easily.
The idea of having a threat hunter in place whose job is to go looking for attackers in the network, and the comparison to store employees tasked with seeking out patrons who “behave” like shoplifters, brought back vivid memories of my own time in retail. What surprised me was realizing that I had inadvertently taken a lesson from that experience, one that underscores the effectiveness of a dedicated threat hunter.
Retail Threat Hunters
I worked at a sporting goods store during my time in college. When I first started, I noticed that the store had security cameras strategically placed throughout the public areas, and every once in a while a voice would come over the intercom, “Security to zone three. Security, zone three.”
The problem was, we didn’t have any real security staff, just associates like me who answered questions about basketballs and swimming goggles for kids. The cameras, prominently displayed on every wall, didn’t connect to anything. If you looked closely, you could see they weren’t even plugged in. They were just for show. The real security layers were the security scanners at the front entrance and our occasional security callouts over the intercom, which were a signal that one of the associates had spotted something suspicious.
We were the threat hunters, and it was surprisingly effective. It became almost a game for many of us, and our store rarely suffered any appreciable loss in merchandise. Our actions and diligence as a team prevented a number of potential shoplifters from getting away with expensive merchandise. We learned to look for telltale signs of someone making off with pricey items, like people moving with an obvious “limp” but in a hurry to reach the door before they were spotted.
You’d be surprised how fast someone can move with a baseball bat or a golf club hidden down the leg of their pants!
We shared these situations with each other in team meetings, and management ensured that we were instructed on how and when to intervene, and when not to, for our own safety as well as that of the company. In essence, we used each other’s observations and experiences as a collective intelligence database. The best way to avoid mistakes or become more effective is to learn from collective experience, not just your own.
Enriching Your Security Efforts
I’d never advocate that companies use fake antivirus or depend solely on threat hunters to keep them safe. A computer network and information infrastructure is vastly more complex than a retail store, even a large chain location. But cyber threat hunting, when applied as part of a larger cybersecurity program, is an essential aspect of an effective defensive posture. Reactive and passive defense isn’t an option, no matter how good the tools you’re using are.
Given the statistics, it takes on average nearly 100 days to detect an attack, and many attacks are still discovered only by external investigators or customer reports. You should be looking internally as much as you are externally for trouble, using the tools and resources at your disposal to be as proactive and engaged as possible. Chances are, you’ll find trouble in both places if you look hard enough.
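To make the “looking internally” concrete, here is a small added example of what a hunting pass looks like in code. It is not from the webinar or the original post; the log lines, hostnames, destinations and thresholds are all constructed for illustration. It applies the retail lesson directly: instead of matching a signature, it looks for behaviour, a host that is “in a hurry” (a burst of outbound data in a short window) toward a destination that “limps” (one no other host on the network talks to), and then enriches each hit from a team-maintained list of notes from earlier hunts, the collective intelligence database described above.

```python
"""
Added threat-hunting example (not code from the original post).
Hunts constructed proxy-style log lines for behavioural telltales rather
than signatures, then enriches hits with team-shared notes from prior hunts.
All sample data and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: timestamp, source host, destination, bytes sent.
SAMPLE_LOGS = """\
2024-03-04T09:00:12 ws-017 crm.corp.example 4120
2024-03-04T09:01:45 ws-022 mail.corp.example 2210
2024-03-04T09:02:03 ws-017 crm.corp.example 3890
2024-03-04T09:05:30 ws-031 crm.corp.example 5102
2024-03-04T09:06:11 ws-022 mail.corp.example 1980
2024-03-04T09:07:00 ws-017 files.corp.example 7700
2024-03-04T09:30:10 ws-044 paste.dropzone.example 48000000
2024-03-04T09:30:40 ws-044 paste.dropzone.example 52000000
2024-03-04T09:31:05 ws-044 paste.dropzone.example 47000000
2024-03-04T09:45:00 ws-031 crm.corp.example 4400
"""

# Constructed team notes from earlier hunts (the "collective intelligence
# database"). A real team keeps this in a shared platform; a dict suffices here.
TEAM_INTEL = {
    "paste.dropzone.example": "seen in a prior hunt as a file-sharing exfil site",
}


def parse_logs(text):
    """Turn the whitespace-separated log lines into (ts, host, dest, bytes) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, host, dest, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), host, dest, int(nbytes)))
    return events


def rare_destinations(events, min_hosts=2):
    """Destinations contacted by fewer than min_hosts distinct source hosts."""
    hosts_by_dest = defaultdict(set)
    for _, host, dest, _ in events:
        hosts_by_dest[dest].add(host)
    return {d for d, hosts in hosts_by_dest.items() if len(hosts) < min_hosts}


def burst_senders(events, window=timedelta(minutes=5), byte_threshold=100_000_000):
    """(host, dest) pairs that moved more than byte_threshold bytes inside one window.

    Uses a sliding window over each pair's events, sorted by time; the value
    kept is the largest in-window total seen for that pair.
    """
    by_pair = defaultdict(list)
    for ts, host, dest, nbytes in events:
        by_pair[(host, dest)].append((ts, nbytes))
    hits = {}
    for pair, items in by_pair.items():
        items.sort()
        start, running = 0, 0
        for end, (ts, nbytes) in enumerate(items):
            running += nbytes
            while ts - items[start][0] > window:      # drop events older than window
                running -= items[start][1]
                start += 1
            if running > byte_threshold:
                hits[pair] = max(hits.get(pair, 0), running)
    return hits


def hunt(events, intel=None, window=timedelta(minutes=5), byte_threshold=100_000_000):
    """Combine the telltales into findings a hunter would triage."""
    intel = intel or {}
    rare = rare_destinations(events)
    findings = []
    for (host, dest), total in burst_senders(events, window, byte_threshold).items():
        reasons = ["large outbound burst: %d bytes" % total]
        if dest in rare:
            reasons.append("destination used by no other host")
        if dest in intel:
            reasons.append("team intel: " + intel[dest])
        findings.append({"host": host, "dest": dest, "bytes": total, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(parse_logs(SAMPLE_LOGS), intel=TEAM_INTEL):
        print("%s -> %s (%d bytes)" % (f["host"], f["dest"], f["bytes"]))
        for r in f["reasons"]:
            print("   -", r)
```

On the constructed data this flags only ws-044, which pushed about 147 MB to paste.dropzone.example in under a minute, a destination no other host uses and one the team had already written up. The thresholds are deliberately arbitrary; in practice they come from baselining your own network, and the enrichment step is where shared team observations pay off, turning a raw anomaly into something an analyst can act on quickly.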