Threat Hunting Principles

Leveraging a consistent set of tested principles increases the effectiveness and value of threat hunts, providing greater insight into the organization's environment and improving subsequent detections of malicious activity.

By: Counter Threat Unit Research Team
As part of the Secureworks® Counter Threat Unit™ (CTU) research team's threat hunting vision, our products and services are built on six guiding principles that form the optimal threat hunting framework:
Why are these principles important for success? Because with them, threat hunts become an important and effective element of an organization's arsenal against threat actors who try to disrupt business operations. They should also be requirements when partnering with a third party.
Humans are the critical component in threat hunting. From proposing new hypotheses for testing to developing new techniques for data manipulation, people inspire ideas and bring them to fruition. Like an artist, a threat hunter blends the creative process with a scientific and methodical approach.
A threat hunting program should have defined and measurable metrics. For example, how many automated detections were created? How many incident response (IR) investigations were initiated? How many previously unknown gaps were identified? These metrics can be used to answer questions during a threat hunt:
- Were threats identified that bypassed security controls? If so, how many IR investigations were created?
- How many systems were infected by previously unknown malware?
- How many detections were created to address previously unknown threats?
By reviewing these metrics quarterly and annually, organizations can identify weaknesses in their security posture and improve their cyber resilience.
A non-transactional relationship involves two entities establishing a long-lasting exchange of information, allowing each to collaborate and communicate effectively. The Taegis™ ManagedXDR solution enables Secureworks threat hunters to escalate findings to customers via the Taegis™ XDR platform. Taegis XDR allows customers to interact with the findings, review the relevant data, and communicate directly with threat hunters. This exchange gives the threat hunters a deep context and understanding of the customer's environment, resulting in the best detections and prioritized escalations for the customer.
Threat hunting should follow a standardized approach. CTU researchers often use a four-step process to investigate hypotheses:
- Define a hypothesis or research question.
- Identify the effective data sources and analysis techniques.
- Evaluate the results and attempt to answer the hypothesis.
- Create detections and document gaps in knowledge.
This approach can be documented in threat hunting playbooks. Saved searches, distinct automated processes, and general canned queries can all be part of a playbook. However, the ultimate goal is to define a thorough method for investigating problems and achieving the established outcomes.
One threat hunting playbook may search for the abuse of remote administration tools. A hunter could easily discover abuse of these tools using process telemetry. But what is the hunter specifically looking for, and why is it important? The playbook may guide the hunter through additional questions to identify and mitigate the threat:
- Is the hunter searching for service accounts running those tools?
- Why is certain activity occurring, and should it be?
- Is use of remote administration tools expected in the environment?
- Do regulation requirements prohibit these tools?
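The remote administration tool playbook above, carried through the four-step process as an added example (not Secureworks or Taegis XDR code): the telemetry, tool list, approved host, and the `svc_` naming convention for service accounts are all constructed assumptions, and the hunt flags each event with the playbook question it answers so the findings feed the metrics described earlier.

```python
"""Minimal hunting playbook over constructed process telemetry (hypothetical)."""
from collections import Counter

# Step 2: data source is process telemetry; these names are assumptions.
REMOTE_ADMIN_TOOLS = {"psexec.exe", "anydesk.exe", "teamviewer.exe"}
EXPECTED_HOSTS = {"jumpbox01"}  # where remote admin tools are approved (assumed)

# Constructed sample events: host, user, and process image name.
EVENTS = [
    {"host": "jumpbox01", "user": "CORP\\admin.jdoe", "process": "psexec.exe"},
    {"host": "wkstn042", "user": "CORP\\svc_backup", "process": "psexec.exe"},
    {"host": "wkstn042", "user": "CORP\\svc_backup", "process": "anydesk.exe"},
    {"host": "wkstn017", "user": "CORP\\jsmith", "process": "excel.exe"},
    {"host": "fileserv2", "user": "CORP\\svc_sql", "process": "teamviewer.exe"},
]


def is_service_account(user):
    """Assumed naming convention: service accounts are prefixed 'svc_'."""
    return user.split("\\")[-1].lower().startswith("svc_")


def hunt(events):
    """Step 1 hypothesis: remote admin tools run by service accounts, or on
    hosts where they are not expected, indicate abuse. Step 3: evaluate each
    event and record which playbook question it answers. Approved use on an
    expected host by a named administrator is deliberately not flagged."""
    findings = []
    for e in events:
        if e["process"].lower() not in REMOTE_ADMIN_TOOLS:
            continue
        reasons = []
        if is_service_account(e["user"]):
            reasons.append("service_account")
        if e["host"] not in EXPECTED_HOSTS:
            reasons.append("unexpected_host")
        if reasons:
            findings.append({**e, "reasons": reasons})
    return findings


def metrics(findings):
    """Step 4 inputs: the counts a hunting program reports and reviews."""
    return {
        "findings": len(findings),
        "hosts_affected": len({f["host"] for f in findings}),
        "by_reason": dict(Counter(r for f in findings for r in f["reasons"])),
    }


if __name__ == "__main__":
    print(metrics(hunt(EVENTS)))
```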
Businesses are subject to many internal and external threats, and every organization has unique challenges. Threat hunters must listen to the business's security concerns, understand the risks, and tailor hunting efforts based on those risks. Through this process, the hunters learn a great deal about the organization. Understanding what is abnormal versus normal activity is essential for the hunters and the business units. This knowledge leads to the creation of tailored detections.
Data is the lifeblood of an effective threat hunting program. Using a centralized platform to host data from multiple sources (e.g., email, endpoints, network, and cloud) enables hunters to easily access and evaluate the information. Third-party services offer a significant advantage of visibility into data from many organizations. Secureworks receives telemetry from thousands of organizations. This amount of data ingest provides comprehensive and critical insight into emerging cyber threats. It is a rich resource for hunters to identify threats by comparing activity across trillions of events.
To conduct threat hunts that produce the best results, start with the best guiding principles. Otherwise, hunts can be aimless and provide little benefit. Foundational planning and a partnership with third-party allies like Secureworks will go a long way. By relying on these principles, Secureworks threat hunters find critical data that customers use to improve their security posture.
View the Secureworks virtual threat hunting workshop to learn more about creating a successful threat hunting program.