UK organizations must improve observability and threat hunting “in the vital pursuit of raising the national ability” to detect cyber threats, the National Cyber Security Centre (NCSC) has urged.
NCSC CTO, Ollie Whitehouse, argued in a blog post yesterday that there is still “significant variation” in ability in these areas.
“Observability and threat hunting are core and interdependent components of modern cyber defense,” he added.
“Maturing capability across both of these components is essential to strengthening our national cyber resilience.”
Observability is the foundation for effective threat hunting, because “you can’t hunt what you can’t see,” he argued. Yet many organizations may not have a comprehensive view into account activity, devices, networks, applications and cloud services. Shadow IT may also complicate these efforts, Whitehouse said.
Read more on NCSC guidance: NCSC Updates Cyber Assessment Framework to Build UK CNI Resilience
Even when organizations do collect data across all of their assets, they often can’t apply advanced analytics to it in order to perform effective threat hunting, he added.
To address these shortcomings, the NCSC urged security teams to:
- Maximize visibility of systems and the ability to query across combined data sets, spanning networks, hosts, devices and on-premises and cloud services
- Encourage tech vendors to follow NCSC guidance on building systems that support improved monitoring and investigation
Time to Mature Threat Hunting
The NCSC also shared some tips on how to improve threat hunting. It advised organizations to:
- Move beyond indicators of compromise (IOCs) such as IP addresses, domain names and file hashes, because threat actors are getting better at quickly changing or hiding these signals, for example using living-off-the-land techniques
- Develop their use of tactics, techniques and procedures (TTPs) “which reveal how attackers operate, not just what they use.” To do so, organizations need comprehensive visibility across systems, infrastructure that allows for searching and correlation, and network defenders who can “build and test hypotheses” based on attackers’ behavior and objectives
“Organizations – or those who provide services to them – should not only ingest and detect IOCs but also be capable of consuming, creating, sharing, and detecting TTPs in their threat hunting,” said Whitehouse.
“This dual approach enhances both reactive and proactive security capabilities, improving overall resilience against sophisticated adversaries.”
The security agency also recommended its NCSC Assured list of incident response providers to help organizations struggling with threat hunting, and its Cyber Adversary Simulation (CyAS) scheme to validate approaches for those who are further along in the process.
