Top Cybersecurity Teams Lead With Threat Hunting

Incident response put in its place

Kumar Ritesh, founder and CEO of CYFIRMA

Singapore – Sep. 12, 2020

Cybercrime will cost the world $6 trillion annually by 2021 (Cybersecurity Ventures), 1.05 billion pieces of malware are in circulation (AV-Test Institute), and there is one cyberattack every 39 seconds (University of Maryland). Clearly, the actions cybersecurity practitioners are taking to manage cyber risk and prevent cyberattacks are not working.

A cyber defense strategy centered on security controls, with a heavy reliance on the likes of firewalls and anti-virus software, is simply insufficient to manage the onslaught of cyberthreats.

The industry has been groomed and coached to pay attention to cybersecurity alerts, incidents and breaches. These are what we term as “cyber events.” Our brains have been wired to jump and take action whenever we see a blinking red light on a SIEM or SOAR dashboard. And we react, en masse, when an actual cyber incident occurs.

Cyber incidents get the attention of everyone across the corporate hierarchy, from rank-and-file employees to the board of directors.

To effectively reduce the number of cyber intrusions, a radical mindset shift is needed. Leaders must redefine the concept of a strong cyber posture and relegate event-based security to its rightful place — an inferior approach to managing cyber risks and threats.

Let me paint a couple of scenarios to illustrate what a typical event-based mindset looks like in an organization.

An IT operations team spends time chasing down bug fixes and security patches, solving business users’ IT issues (“Help! Think I clicked something funny.”), running data backups and other operational tasks. These day-to-day functions keep everyone looking productive. When a cyber incident or data breach occurs, alarms start ringing and engines blazing. Remedial actions take precedence and priority. The team becomes 100 percent focused on solving the cyber incident. 

When studying the breach, focus is on technical investigation, analyzing the malware that just landed, its malicious signature and pattern, and maybe trying to re-engineer the attack, if time permits. More often than not, a herculean effort is invested into recovering data and getting applications up and running again. And we wait for the next incident.

The organization with an event-based mindset would also be in hyper-alert mode when the annual IT, risk and governance audit comes around. All cybersecurity initiatives which were tabled the year before suddenly become urgent and important, and actions kick in to align them for audit compliance.

When a significant business event occurs, such as expansion into a new market or a merger with another company, cybersecurity controls, people and processes will once again be on the agenda.

A privacy lawsuit would also raise cybersecurity’s importance and profile in the company, followed by updates to important cybersecurity processes as part of root cause analysis.

Cybersecurity awareness and education are introduced to all employees when an incident has occurred or to fulfill industry compliance.

In all of these scenarios, actions to strengthen cybersecurity posture and controls only take place after a negative event has happened. The call for situational awareness (CEO: I want to know why we were attacked. Did we not see it coming?) becomes a mere knee-jerk reaction.

A proactive and holistic approach to managing threats and risks, both known and unknown, is simply absent.

Now, let’s turn this situation around.

When leaders view cybersecurity from the outside by adopting an intelligence-driven approach, they know security operations teams are not merely reacting to events and alerts. Rather, a proactive hunt for threats would take center stage.

As a security leader, your metric of success is not how many incidents you have managed but how many potential threats you have discovered and remediated.

By shifting away from an event-driven cybersecurity syndrome (where alerts, incidents, breaches, audits, compliance, and privacy take precedence), you embrace cyber insights, signals, and intelligence as guiding principles as you navigate towards a stronger cybersecurity posture.

Resources would be directed to proactively identify potential attack vectors and build appropriate security controls.

Security leaders would be focusing on unraveling the context around a threat indicator (such as attack motive, intent and benefit) and not just remediating indicators of compromise (malicious IP, signatures, patterns, files, etc.).

Expectations would be on leaders to be able to predict a cyberattack and ensure cyber readiness before an event is triggered.

Knowledge of the external threat landscape becomes a key insight that guides leaders in business decisions. Cyber intelligence gathered would also be applied across the various business functions.

And when audit season comes, cyber intelligence should be an input to drive the remediation approach, ensuring internal and external risks are mitigated at all levels.

Compliance management is conducted based on intelligence leads from an external threat landscape. You also adjust compliance requirements and metrics as the landscape changes.

The organization would appreciate the importance of privacy and ensure that employees’, clients’ and suppliers’ data would be duly anonymized, sanitized and encrypted.

Security processes would be updated and adjusted as the threat landscape evolves. This is an agile cybersecurity strategy at work.

With an intelligence-driven mindset, the organization would also adopt a “hacked culture” approach where you would work on the assumption that you have either been hacked or you do not know that you are already hacked. As an effective leader, you would design your cybersecurity controls, processes and strategy based on that premise, leveraging insights, adversaries’ motivation, and attack probability as guideposts.

An intelligence-based mindset guiding cybersecurity is distinctly a better approach than waiting for adverse events to happen before taking action. This shift requires leaders to view cybersecurity not just as a function under IT but as a core business driver to power growth and innovation.

Kumar Ritesh is the Founder and CEO of CYFIRMA


Headquartered in Singapore and Tokyo, CYFIRMA is a leading threat discovery and cybersecurity platform company. Its cloud-based AI and ML-powered cyber intelligence analytics platform helps organizations proactively identify potential threats at the planning stage of cyberattacks, offers deep insights into their cyber landscape, and amplifies preparedness by keeping the organization’s cybersecurity posture up-to-date, resilient, and ready against upcoming attacks.

CYFIRMA works with many Fortune 500 companies. The company has offices and teams located in Singapore, Japan and India.