Hello CISOs, it's time for a serious conversation about a hot-button issue in cybersecurity – our industry’s reactive, panic patching-first mentality. Are we really making the best use of our resources by scrambling to patch every new vulnerability that emerges, or should we be reallocating some of those resources to focus on proactive post-exploitation behavioral threat hunting? Let's dive in.
The recent Microsoft Patch Tuesday saw Microsoft patch not one, but three zero-day vulnerabilities (CVE-2023-29336, CVE-2023-24932, and CVE-2023-29325). The immediate response from many was an all-hands-on-deck rush to patch. But at what cost?
Panic patching, as it's often referred to, disrupts internal processes, absorbs a massive amount of resources, and can result in untested patches causing further issues downstream. Not to mention, it’s exhausting. But is it the best way to secure your organization?
Consider this: What if, instead of pouring efforts into an unending game of whack-a-mole with new vulnerabilities, we maintained a consistent, frequent patching cycle, and shifted our focus towards proactive post-exploitation behavioral threat hunting?
Behavioral threat hunting aims to identify and isolate malicious activity based on the behavior of the attacker after they've breached a system, rather than chasing IOCs. This approach turns the traditional vulnerability-centric model on its head.
With behavioral threat hunting, you’re not just waiting for the next vulnerability to drop. You're proactively looking for signs of post-exploitation activity, focusing on adversary behaviors that signal an active threat. This is a game-changer.
Let’s look at a real-world application. Suppose a new exploit targets a known vulnerability, one that you haven’t patched because it was deemed low-risk or because you’re still within your regular patch cycle. Behavioral threat hunting would allow your team to identify unusual activity on that system – lateral movement, abnormal logins, unusual data transfers – that might indicate a successful exploit. And you’d be able to do this without having had to disrupt your workflow to immediately patch that low-risk vulnerability.
So, how does that look in practice? It might mean monitoring for patterns of activity that align with MITRE ATT&CK tactics and techniques. Or it could involve setting up alerting for unusual PowerShell activity or spikes in network traffic. The key is focusing on behaviors, not vulnerabilities.
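As an added illustration (not part of the original post), here is a minimal behavior-based hunt in Python over constructed sample telemetry: it flags one account authenticating to several hosts within a short window (a lateral-movement pattern) and PowerShell launched with encoded-command or hidden-window flags. The event schema, thresholds and the ATT&CK technique labels attached to findings are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): logon and process-creation
# events normalised into one schema, as a SIEM/EDR pipeline might deliver them.
EVENTS = [
    {"ts": "2023-05-10T09:00:00", "type": "logon", "user": "svc_backup", "host": "FS01"},
    {"ts": "2023-05-10T09:01:10", "type": "logon", "user": "svc_backup", "host": "FS02"},
    {"ts": "2023-05-10T09:02:05", "type": "logon", "user": "svc_backup", "host": "HR-WS07"},
    {"ts": "2023-05-10T09:02:40", "type": "logon", "user": "svc_backup", "host": "DC01"},
    {"ts": "2023-05-10T09:03:00", "type": "process", "user": "svc_backup", "host": "HR-WS07",
     "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"ts": "2023-05-10T10:15:00", "type": "logon", "user": "jsmith", "host": "HR-WS07"},
    {"ts": "2023-05-10T10:16:00", "type": "process", "user": "jsmith", "host": "HR-WS07",
     "cmd": "powershell.exe -File C:\\Scripts\\inventory.ps1"},
]

# Assumed tuning values; a real hunt would baseline these per environment.
LATERAL_WINDOW = timedelta(minutes=10)
LATERAL_HOST_THRESHOLD = 3          # distinct hosts per user inside the window
# Command-line traits often paired with PowerShell abuse; "-enc" also matches
# the long form "-encodedcommand" as a substring.
PS_SUSPICIOUS_FLAGS = ("-enc", "-w hidden", "-nop")

def hunt_lateral_movement(events):
    """Flag a user who logs on to >= LATERAL_HOST_THRESHOLD distinct hosts within LATERAL_WINDOW."""
    findings = []
    by_user = defaultdict(list)
    for e in events:
        if e["type"] == "logon":
            by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["host"]))
    for user, logons in by_user.items():
        logons.sort()                                   # sliding window needs time order
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= LATERAL_WINDOW}
            if len(hosts) >= LATERAL_HOST_THRESHOLD:
                findings.append({"technique": "T1021", "user": user, "hosts": sorted(hosts)})
                break                                   # one finding per user opens the investigation
    return findings

def hunt_suspicious_powershell(events):
    """Flag process events whose PowerShell command line carries evasion-style flags."""
    findings = []
    for e in events:
        cmd = e.get("cmd", "").lower()
        if e["type"] == "process" and "powershell" in cmd:
            hits = [f for f in PS_SUSPICIOUS_FLAGS if f in cmd]
            if hits:
                findings.append({"technique": "T1059.001", "user": e["user"],
                                 "host": e["host"], "flags": hits})
    return findings

def hunt(events):
    """Run every behavioral check and return the combined findings list."""
    return hunt_lateral_movement(events) + hunt_suspicious_powershell(events)
```

Neither check knows which vulnerability (if any) was exploited; both key purely on post-exploitation behavior, which is the point of the approach described above.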
This approach requires a mindset shift. It means acknowledging that there will always be newly reported vulnerabilities under mass exploitation in the wild, and that trying to patch every one of them the moment it emerges is not always the best solution. Panic patching can be an effective tool when a risk assessment of the specific case calls for it, but it should be reserved for those cases. It’s not about ignoring vulnerabilities or ceasing to patch altogether - regular, frequent patching is still essential. However, by prioritizing and balancing the need to patch against the benefits of behavioral threat hunting, organizations can manage their resources effectively and stay ahead of potential threats.
The true value of behavioral threat hunting comes into play when you consider the sheer number of patches that might be necessary on any given Patch Tuesday. If you’re chasing every vulnerability, you’re not just burning resources – you’re also creating noise that can make it harder to spot an active threat. By focusing on behaviors, you can cut through that noise and zero in on what really matters.
Now, I know this is controversial. The idea of not immediately patching every new vulnerability may make you uncomfortable. But remember, it’s not about abandoning patching. It’s about moving away from panic patching and finding a balance. It’s about making smarter, more strategic decisions with your resources. It’s about becoming proactive, not reactive.
Behavioral threat hunting isn’t easy, and it’s not a silver bullet. But if implemented well, it can significantly increase your chances of catching an active threat before it causes real damage. And that's the ultimate goal, isn't it? To protect our organizations, our data, our employees, and ourselves from the ever-increasing array of cyber threats.
Embracing a behavioral threat hunting approach offers a chance to be on the offensive. Instead of always being one step behind, waiting for the next vulnerability to be exploited, your teams will be in the driver's seat, actively seeking out potential threats based on behavior, not just IOCs.
Consider the advantages: less disruption, more focus, increased visibility, and a proactivity that places your team in control. It’s a compelling shift. And to be clear, we're not throwing out the playbook. We're just adding a new, powerful tool to our arsenal.
Imagine a world where Patch Tuesday doesn’t mean chaos, where a zero-day vulnerability isn’t a cause for panic but an item on the regular patch cycle. Where our teams are not stretched thin, constantly reacting to the latest exploit, but are empowered, proactive hunters, well-versed in adversary behaviors.
Change is never easy, especially in an industry that often holds fast to tried and true methodologies. But, if we want to get ahead of the curve, it's time to rethink our approach. It's time to embrace the power of behavioral threat hunting and relegate panic patching to the history books.
So, let's start this conversation. It's time to challenge the status quo, to question if we're really doing the best we can for our organizations, or if there's a better way. I believe there is. Do you?
As we embark on this journey together, remember you’re not alone. There are resources available to help you make this shift. To get started, sign up for a free Community HUNTER account here that will give you access to dozens of totally free behavioral threat hunting packages to enable hunting across SIEM, EDR, NDR, and XDR platforms.
Let's change the game. Let's hunt threats, not patches.