CERT: Threat hunting should be done regularly

· Public broadcasting of Latvia

Since Russia invaded Ukraine in 2022, the number and intensity of cyber-attacks in Latvia have increased rapidly. In some cases the frequency of attacks has quadrupled, and in some cases it has even increased sevenfold. While Russia was preparing its military aggression, Russian-backed cyber operations and the first attempts to penetrate systems in both the Baltic States and Ukraine were already taking place as early as 2021. Meanwhile, one of the most pressing recent trends is that cyber attackers are targeting private companies that provide services to the public sector. By hacking into their information systems, attackers can gain access even to critical infrastructure such as transport or energy.

This is why, for the third year running, we are increasing Latvia's ability to conduct operational large-scale threat hunting, identifying and neutralizing the presence and activities of attackers in the public and private sectors with high efficiency. A valuable by-product of threat hunting is a data-based assessment of organizations' cybersecurity posture and practices, with a roadmap to a more secure future.

At a time when the entry of Russian citizens into the territory of Latvia is extremely restricted, espionage in its classical form is considerably more difficult in our country. Therefore, we are experiencing and will continue to experience increased threats in the digital environment from the cyber operations of the aggressive neighboring country.

There are different types of cyber-attacks. One of the aims of attackers is to remain undetected for a long time and, before they are caught, to obtain as much information as possible, which they can then use for various purposes. Often, such cyber-attacks are not noticed by the target organization until more than six months later, especially if the cybersecurity practices of the company or institution are incomplete or not sufficiently addressed. In other words, a successful cyber-attack has taken place, but its activity and consequences have gone unnoticed for a long time.

Others are aimed at destroying infrastructure, creating chaos and resonance in society. These attacks are particularly active when Latvia has provided direct support to the Ukrainian government and taken decisions that are unpleasant for Russia. It is important to detect and prevent cyber-attacks early, ideally at the planning stage. This is where threat hunting and so-called threat intelligence play an important role.

What is threat hunting

Threat hunting is a deeply technical but also highly organizational process, which firstly identifies public or private sector institutions that should be prioritized for a security assessment, and secondly analyzes the configuration characteristics of the institution's computer systems - user computers, server systems, and network equipment. It looks for signs that could indicate a potential vulnerability or that the system has already been compromised. Then, by examining the data and also performing statistical analysis to look for "unknowns", conclusions can be drawn about the state of the target infrastructure.

If the system is compromised, there is an active fight against the attackers to eliminate their presence. In cases where systems have been maintained in line with current security requirements and no compromise has been found, threat hunting helps to identify specific problems and system weaknesses, so that those responsible for cybersecurity can address them early and prevent attackers from exploiting them to gain access to the data of a company or public authority. In this way, threat hunting helps to make Latvia an unattractive target for attackers.

The information gathered after a threat hunt is provided to the holder of the target infrastructure and serves as a roadmap. It allows prioritization and understanding of which gaps are important to address immediately. It also helps the company's management to demonstrate the need to invest in cybersecurity based on data and not just assumptions. As we can see from recent media reports, private sector companies are not immune to cyber threats and are also affected by information leaks.

Regular checks are not only essential for human health but also for information systems. Just like a person is recommended to have a general health check-up once a year, even if there are no obvious symptoms, systems need to be checked regularly to identify and prevent potential problems in good time. These checks help to spot any abnormalities or problems at an early stage when they are easier to treat or correct. Both human and system health should be assessed on the basis of objective data, not assumptions or subjective feelings.

Cyber attacks also affect private companies

If we analyze the trends in threat hunting, the most capable attackers have increasingly focused on the private sector over the last 4-5 years. In some cases, the company itself is a high-value target; in others, it is an easier route to the high-value targets that are the company's customers and partners.

The earlier the threat is identified the better, but infrastructure holders do not always succeed.

The tools, methods, and procedures needed to make this happen are missing. Therefore, where CERT.LV's services can be applied to a given category of private-sector company, we provide our support, firstly to gain insight into the company's current cybersecurity posture and secondly to help detect and eliminate these threats. CERT.LV also carries out additional analysis to discover who the attackers are, who they might be connected to, what their motives are, and whether they have managed to obtain any data. For these free threat hunts, we identify the target companies ourselves, in cooperation with the national security authorities. They are often directly involved in servicing state infrastructure or manage large amounts of data on Latvian citizens. But of course, CERT.LV will also be happy to advise small and medium-sized enterprises. Similar services are also offered by some Latvian cybersecurity companies.

Artificial intelligence has a place in threat hunting

What we can count on in the future is that the number of cyber-attacks will only increase, including from Russia, and Latvia will be one of the main targets of these attacks. The adversary will use all possible tools to gain access to our information systems, steal information, and try to destroy them. That is why CERT.LV is working with partners in NATO member states, including the Canadian Armed Forces, to proactively protect both Latvian and Canadian national infrastructure and every citizen in the cyber environment.

But there is another future trend that we can foresee, which will affect both the defenders' and the attackers' side. It is very likely that in the next 5 to 10 years, AI tools will make the threat-hunting process more efficient and faster. I would like to question those speculations which claim that human involvement will become very minimal in the future. I would rather agree that humans will become more efficient thanks to artificial intelligence tools. By automating operations, we will be able to recognize the 'handwriting' of threats more quickly, identify them earlier, and even prevent weak security settings. But attackers may also become more effective, using AI to find ways to fool systems faster. One thing is clear: the competition between us will not go away, and we as individuals, as well as the state and the private sector as a whole, need to think about our cyber literacy and act to meet the challenge.