Threat Hunting Wisdom: Planning Makes Perfect
While it's important for organizations to implement a threat hunting program as soon as possible, taking time to focus efforts can enable long-term success.
By: Counter Threat Unit Research Team
To guard against the growing volume of increasingly sophisticated cyberthreats, it is critical that organizations add threat hunting to their defense arsenal. It's not enough to react to alerts from threat detection systems. Organizations must proactively seek and neutralize malicious activity that gets past perimeter defenses.
Some security teams rush into threat hunting with a "ready, fire, aim" approach. Deployment (firing) without focus (aiming) can lead to negative consequences:
- Months of irreplaceable security operations staff time wasted with little to no results
- Struggles to establish foundational threat-hunting practices with measurable outcomes
- Failure to demonstrate business value to budget decision-makers, making it difficult or impossible to secure essential funding
By following the traditional "ready, aim, fire" approach, organizations can implement an effective threat hunting program.
Stage 1: Ready
During initial preparation, organizations should address three basic issues:
- Instrumentation, data collection, and storage - Data gathering and analysis are central to threat hunting. These elements require appropriate infrastructure. A system such as Secureworks® Taegis™ XDR offers long-term storage, threat analytics, and the ability to ingest data from multiple sources (e.g., endpoint, cloud, network, applications).
- Personnel, processes, and policies - Threat hunting initiatives should have a formal structure with defined roles, responsibilities, and processes. In addition to establishing workflow, communication, and escalation policies, organizations should implement a content management system for the team to easily find and share technical information. It is important to train the entire team on all processes.
- Continuous, iterative improvement - Organizations need to develop a plan to move from the initial state to the desired state. That plan can be defined by success metrics, roadmaps, and established models. While plans can change and evolve, concrete milestones ensure progress.
Stage 2: Aim
Before embarking on threat hunting, organizations should decide what they're going to hunt. The following are some well-known models that organizations can use to prioritize and focus initial threat-hunting efforts, and then expand the scope as the team gains skills, data, and experience:
- Pyramid of Pain - This popular hierarchy arranges threat indicators from the simplest to the most sophisticated. Teams can begin by focusing on basic hash values and IP addresses and later add capabilities to detect rare file hashes, IP addresses, User-Agent strings, unusual data traffic, and unapproved scripts. Being able to search for these atomic indicators across an environment is a fundamental building block for establishing a threat hunting program. As the team's skills advance, they can explore the subtleties of threat actors' tactics, techniques, and procedures (TTPs) and focus on behavior.
- Hunting Maturity Model - This model offers metrics for tracking progress in areas such as data collection, data analysis, and automation. Teams may begin with simple internal searches and then expand their focus to data retention, customized analysis procedures, and machine learning.
- MITRE ATT&CK® - This continually expanding knowledge base lists known threat actor TTPs. A threat hunting program's maturity can be measured by how frequently and how well the team leverages this taxonomy.
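As an added illustration of the Pyramid of Pain progression described above (and of the per-hunt metrics that Stage 3 asks teams to track), the following Python script is example code written for this article, not part of the original post or of any Secureworks product. It runs a small hunt over constructed process and proxy records: first exact matches against a constructed watchlist of atomic indicators (a placeholder SHA-256, an IP from the TEST-NET-3 documentation range, a User-Agent string), then one behavior-level rule that flags a script host launched by a parent outside an assumed approved-launcher policy. The record fields, the watchlist, and the approved-parent list are all assumptions made for the example.

```python
"""Walk a batch of log records up the Pyramid of Pain: atomic indicator
matches first (hash, IP, User-Agent), then one behavioral (TTP-level) rule.
Example code added to this article; the watchlist and records below are
constructed placeholders, not real indicators or real telemetry."""
from collections import Counter
from dataclasses import dataclass

# Constructed watchlist of atomic indicators (placeholders, not real IoCs).
WATCHLIST = {
    "hash": {"0" * 63 + "1"},                       # placeholder SHA-256
    "ip_address": {"203.0.113.45"},                 # TEST-NET-3 documentation range
    "network_artifact": {"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"},
}

# Behavioral rule (assumed policy): script hosts may only be launched by these parents.
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
APPROVED_PARENTS = {"explorer.exe", "cmd.exe", "services.exe", "svchost.exe"}

# Constructed endpoint/proxy records, one dict per process event (assumed schema).
RECORDS = [
    {"id": 1, "process": "chrome.exe", "parent": "explorer.exe",
     "sha256": "a" * 64, "dst_ip": "198.51.100.10",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"},
    {"id": 2, "process": "update.exe", "parent": "explorer.exe",
     "sha256": "0" * 63 + "1", "dst_ip": "198.51.100.20",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"},
    {"id": 3, "process": "svchost.exe", "parent": "services.exe",
     "sha256": "b" * 64, "dst_ip": "203.0.113.45", "user_agent": ""},
    {"id": 4, "process": "rundll32.exe", "parent": "explorer.exe",
     "sha256": "c" * 64, "dst_ip": "198.51.100.30",
     "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"},
    {"id": 5, "process": "powershell.exe", "parent": "winword.exe",
     "sha256": "d" * 64, "dst_ip": "198.51.100.40", "user_agent": ""},
    {"id": 6, "process": "powershell.exe", "parent": "cmd.exe",
     "sha256": "d" * 64, "dst_ip": "198.51.100.40", "user_agent": ""},
]


@dataclass(frozen=True)
class Finding:
    record_id: int
    tier: str      # Pyramid of Pain tier the match sits on
    detail: str


def hunt_atomic(record):
    """Bottom of the pyramid: exact matches against known indicators."""
    found = []
    checks = (("hash", record["sha256"].lower()),
              ("ip_address", record["dst_ip"]),
              ("network_artifact", record["user_agent"]))
    for tier, value in checks:
        if value and value in WATCHLIST[tier]:
            found.append(Finding(record["id"], tier, f"{tier} match: {value}"))
    return found


def hunt_behavior(record):
    """Top of the pyramid: a script host launched by an unapproved parent.
    This catches record 5, which carries no watchlisted indicator at all."""
    proc, parent = record["process"].lower(), record["parent"].lower()
    if proc in SCRIPT_HOSTS and parent not in APPROVED_PARENTS:
        return [Finding(record["id"], "ttp", f"{proc} spawned by {parent}")]
    return []


def hunt(records):
    """Run every rule over every record and collect the findings in order."""
    findings = []
    for rec in records:
        findings.extend(hunt_atomic(rec))
        findings.extend(hunt_behavior(rec))
    return findings


def summarize(findings):
    """Per-tier counts: the kind of number a hunt roadmap metric can track."""
    return dict(Counter(f.tier for f in findings))


if __name__ == "__main__":
    results = hunt(RECORDS)
    for f in results:
        print(f"record {f.record_id}: [{f.tier}] {f.detail}")
    print(summarize(results))
```

Records 2 through 4 are caught only because their hash, IP, or User-Agent was already on the watchlist; record 5 has none of those and is caught only by the behavioral rule, which is the point of moving up the pyramid. The `summarize` output (findings per tier) is one concrete figure a team can report against its roadmap over successive hunts.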
Stage 3: Fire
After putting operational elements in place (stage 1) and determining the initial focus (stage 2), organizations can begin threat hunting by identifying internal IT assets and investigating possible avenues of attack. From there, the team can examine risk assessments, previous incidents, penetration testing results, and threat intelligence feeds to identify additional threat-hunting use cases. A Jira-like tool can help the team adopt a kanban or scrum approach for continuous improvement.
During this stage, it's important to track threat hunts in the context of the established roadmap metrics. That tracking is ultimately how the organization will measure value and justify funding.
There's no turnkey solution for threat hunting. But taking an orderly "ready, aim, fire" approach provides the best chance for success.
View the Secureworks virtual threat hunting workshop to learn more about creating a successful threat hunting program.