A conscientious approach to cyber threat hunting can be the difference between a data loss event and smooth business operations. We talked to Julian Sylvestro, Senior Consultant, Cyber Risk, and Kevin Strickland, Incident Response Director, IT Security, of Secureworks about how threat hunting can smooth the cyber claims process and improve overall security.
What is threat hunting?
Threat hunting is one of the most conflated and mischaracterized security practices in the industry. It has been touted as “new” and “detecting the unknown” but in truth, threat hunting has been around for years and involves much more. Secureworks® leverages threat hunting techniques in order to proactively and iteratively discover current or historical threats that evade existing security mechanisms and uses these findings to develop future countermeasures to improve cyber resilience. Threat hunting is about finding both the known and unknown and using that data to reduce risk and improve your security posture.
How can companies of limited cyber means perform threat hunting?
Security teams do not have to be advanced to perform threat hunting. It is about changing the posture from reactive to proactive. Security operations are typically reactive in that they wait for something malicious to trigger an alert that sets them into motion. Threat hunting is proactive, with the goal of finding malicious activity (or the potential for it) before an alert is triggered. Think of it like going to the doctor’s office. Although there may not be an immediate health issue, we proactively get screened to make sure we are healthy and to catch any problems before they advance. Companies with limited resources can start to make that transition from reactive to proactive by establishing defined processes with dedicated time for analysts or by outsourcing to third parties. Threat hunting takes time and organizations either need to provide the time to current analysts, hire dedicated hunters, or outsource to a third party.
How does threat hunting help with the claims process? Do cyber insurers cover threat hunting?
Threat hunting aids the claims process in a number of ways. Threat hunting can be an enormously valuable practice to ensure that a threat actor does not have the ability to re-infiltrate the network of a previously compromised organization, resulting in multiple claims within a policy year. At first pass, threat hunting might be categorized by some insurers as an investment to enhance security that should not be reimbursable under a cyber insurance policy. We would argue that a threat hunt after a malicious attack is a critical element of holistic incident response, which is arguably as important as the root cause analysis itself. While cyber insurers are careful not to fund cybersecurity investments, it is important not to narrow the scope of IR (Incident Response) so much as to be counterproductive.
What other benefits does threat hunting provide, specifically in relation to cyber policies?
When conducted after a previous malicious event, threat hunting can help customers determine if they have an active threat that needs remediation, which would trigger a claim and resulting insurance payout. The benefits here include:
- reducing dwell time and thus the damage a threat actor causes;
- allowing customers to make a claim under their current cyber insurance policy, which may have better coverage than a subsequent renewal policy may have (especially now as cyber insurance coverage is beginning to shrink);
- if no threats are found, the clean report could be used as evidence of no prior threats to incumbent and alternative insurers as customers seek renewals.
As stated earlier, one of the goals of threat hunting is to find undetected threats, but during that process you often find improper security controls, poor security practices, etc. In fact, through threat hunting analysis Secureworks found that 87% of net new customers in 2021 had both improper account configurations and improper security controls that significantly increased the organizations’ risk exposure. 53% of those organizations had remnants of previous incidents that were not properly resolved and 30% had active malware infections not detected by their current security controls.
What else can policyholders do to improve the claims process?
Companies must understand their specific policies and the associated claim processes. Cyber insurance policies can vary greatly from insurer to insurer, and not all cyber insurance policies are created (or intended) to have similar coverage or terms and conditions. Ask your broker and insurer about specific requirements or best practices for:
- Coverage triggers: What constitutes a reportable event? Is it a “suspected” breach or threat, or does coverage not apply until an “actual” breach or threat is identified? Sounds like semantics, but it is important to understand.
- Reporting requirements: When do I let the insurer know that the company is experiencing a cyber event? Do I need to do so before I talk to any outside vendors?
- Vendor use and selection: Who can I use to help if I have a cyber event? Most cyber insurers have incident response vendor panels. Clients need to know if the panels are suggestions or if they must use recommended vendors to ensure payment of expenses by the insurer.
- Proof of loss documentation: What paperwork do I need to give the insurer for timely reimbursement or payment of expenses and losses? Generally, customers are good about forwarding expense invoices, but many struggle to show proof of indirect losses like business interruption or reputational harm/brand damage, if covered. Customers should understand proof of loss requirements ahead of an event so that they can provide appropriate documentation when needed. Here is where a forensic accountant can be extremely helpful, even if the insurer doesn’t reimburse for this cost—though most will. A forensic accountant can help maximize the insurance payout.
In summary…
We’d like to thank Julian and Kevin of Secureworks for explaining the nuances of threat hunting and its value to both insurers and insureds. Many of the steps required in incident reporting and insurer communications should be covered in a comprehensive breach response plan. Click here to learn more about Breach Plan Connect and how it simplifies the process of creating a breach plan.