Pub. 8 2019 Issue 2
The CommunityBanker  FEATURE

Community Bank Cyber Threat Hunting
By Ty Purcell, GCIH, GPEN, GWAPT, CISA, CISSP

Cyber threat hunting has been popular for some time, and for good reason. Threat hunting is the practice of actively and iteratively searching your own networks in order to detect and isolate advanced threats. It is a proactive exercise, in total contrast to typical cyber defense, where it often seems that we simply wait for an inevitable breach to occur. Too often the breach is discovered only when a kind third party (hopefully not a regulatory agency or law enforcement) makes contact and informs the institution of the situation. Threat hunting is appealing because it gives the sense of being active rather than sitting idle.

However, since there is no such thing as a silver bullet when it comes to cyber security controls, it is necessary to evaluate how effective threat hunting will be at each institution. The information security budget, the maturity of current cyber security controls, and the institution's threats and risks all play a part in analyzing the potential effectiveness of threat hunting and in determining whether the institution's cyber security posture is mature enough to benefit from it. The fictional institutions below illustrate where threat hunting can be effective and where it cannot.

A-Bank

Fairly large at just over one billion dollars in assets, A-Bank is also a fairly new bank, founded only fifteen years ago. From the beginning, A-Bank has worked to build foundational cyber security controls into all aspects of its operations, following guidance such as the Center for Internet Security's Top 20 Controls and the NSA's Top Ten Cybersecurity Mitigation Strategies.

A-Bank has implemented a vulnerability management program that includes weekly scans with a vulnerability scanner, active mitigation of identified vulnerabilities, and proactive patching of systems found to be missing patches. Additionally, A-Bank has segmented its internal network into zones, with access control lists in place to allow only authorized movement between zones. This has been enhanced by not allowing any network communication
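Segmentation of the kind described for A-Bank is also what makes hunting tractable: the zone ACLs define what traffic should never be seen, so any cross-zone flow that does not match the permit matrix is a lead. The Python script below is an added example, not code from the article and not A-Bank's actual configuration; the zone addresses, the permit matrix and the flow records are all constructed assumptions. It reads flow records (as exported from a firewall or NetFlow collector), maps each endpoint to its zone, checks the pair against the permit matrix, and ranks source hosts by how often they violate it.

```python
"""Hunt for cross-zone flows that the segmentation policy does not permit.

Added example: the zone layout, the permit matrix and the flow records below
are all constructed for illustration; none of them come from the article.
"""
import ipaddress
from collections import Counter, namedtuple

ANY_PORT = "any"

# Hypothetical zone map (assumption): zone name -> network.
ZONES = {
    "user_lan": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
    "core_banking": ipaddress.ip_network("10.30.0.0/24"),
    "dmz": ipaddress.ip_network("192.168.100.0/24"),
    "mgmt": ipaddress.ip_network("10.99.0.0/24"),
}

# Hypothetical permit matrix mirroring the inter-zone ACLs (assumption):
# (src_zone, dst_zone) -> allowed destination ports, or ANY_PORT.
# Zone pairs not listed are denied. Same-zone traffic never crosses a zone
# ACL, so it is treated as permitted here (and is a blind spot worth noting).
ALLOWED = {
    ("user_lan", "servers"): {443, 445, 389},
    ("user_lan", "dmz"): {443},
    ("servers", "core_banking"): {1433},
    ("mgmt", "user_lan"): ANY_PORT,
    ("mgmt", "servers"): ANY_PORT,
    ("mgmt", "core_banking"): ANY_PORT,
    ("mgmt", "dmz"): ANY_PORT,
}

Flow = namedtuple("Flow", "ts src dst dport proto")
Finding = namedtuple("Finding", "flow src_zone dst_zone reason")


def zone_of(ip):
    """Return the zone containing ip, or 'unknown' for address space not in the map."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def check_flow(flow):
    """Return None if the flow matches the permit matrix, otherwise a Finding."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if "unknown" in (src_zone, dst_zone):
        return Finding(flow, src_zone, dst_zone, "address outside every defined zone")
    if src_zone == dst_zone:
        return None
    rule = ALLOWED.get((src_zone, dst_zone))
    if rule is None:
        return Finding(flow, src_zone, dst_zone, "no permit rule for this zone pair")
    if rule != ANY_PORT and flow.dport not in rule:
        return Finding(flow, src_zone, dst_zone, "destination port not permitted")
    return None


def parse_flow(line):
    """Parse one record of the constructed format: ts src dst dport proto [# comment]."""
    ts, src, dst, dport, proto = line.split("#", 1)[0].split()
    return Flow(ts, src, dst, int(dport), proto)


def hunt(lines):
    """Run every flow record through the policy and collect the violations."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        finding = check_flow(parse_flow(line))
        if finding:
            findings.append(finding)
    return findings


def sources_by_violations(findings):
    """Count violations per source host; a host crossing zones repeatedly is the lead to chase."""
    return dict(Counter(f.flow.src for f in findings))


# Constructed flow records (not real traffic), in a simplified collector export format.
SAMPLE_FLOWS = """\
2019-05-01T08:02:11 10.10.4.23 10.20.1.5 445 tcp    # workstation -> file server (permitted)
2019-05-01T08:03:40 10.10.4.23 10.30.0.7 1433 tcp   # workstation straight to core banking DB
2019-05-01T08:05:02 10.20.1.5 10.30.0.7 1433 tcp    # app server -> core banking DB (permitted)
2019-05-01T08:07:19 10.10.4.23 10.10.9.41 3389 tcp  # same zone, not covered by zone ACLs
2019-05-01T08:09:55 10.10.4.23 10.20.1.5 3389 tcp   # RDP from a workstation to a server
2019-05-01T08:11:30 10.99.0.3 10.30.0.7 22 tcp      # management host -> core banking (permitted)
2019-05-01T08:12:10 172.16.5.9 10.20.1.5 443 tcp    # source not in any defined zone
"""

if __name__ == "__main__":
    results = hunt(SAMPLE_FLOWS.splitlines())
    for f in results:
        print(f"{f.flow.ts} {f.flow.src} ({f.src_zone}) -> {f.flow.dst} ({f.dst_zone}) "
              f"port {f.flow.dport}: {f.reason}")
    print("violations per source:", sources_by_violations(results))
```

Two points matter when running this for real. The permit matrix should be generated from the live ACLs rather than typed by hand, so that the hunt tests what is actually enforced; and a flow that the ACLs should have blocked but which still appears in the logs means either a gap in the ACL or a log source placed on the wrong side of it, both of which are findings in their own right. Same-zone traffic, like the RDP session between two workstations above, passes the zone check untouched; hunting for it needs host-level or east-west telemetry that segmentation alone does not provide.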