Having threat hunting capabilities is becoming a standard for most cyber security programs. The traditional approach of assuming detections/blocks will suffice and having a reactive process has buckled under the recent attacks, especially ones that leveraged vulnerabilities in the last year. Even top cyber security products have built up their own threat hunting capabilities to enhance their platform.
Top 3 wins when developing a threat hunting program:
There are plenty of benefits to developing a threat hunting program and one of the biggest ones is preventing burn out. Over time analysts will develop alert fatigue and miss threats or start searching for a new job to get out of the continuous loop. Threat hunting lets them leverage their skills and build knowledge of the environment at the same time, which is much less repetitive than focusing solely on handling alerts. Through their work they can identify detection maturity opportunities and/or net new detections based on behaviors they observe and Through their threat hunting activities, the team will continuously gain a broader understanding of the environment allowing them to respond to incidents more effectively and minimize the overall impact.
How to mature your threat hunting program:
When looking at ways to start and/or mature your program you want to break out your maturity in three pieces: People, Process, and Technology. A common pitfall is focusing on only one or two of these. There needs to be a strong balance across all three to have a program that continues to build upon itself. The following breakdown below is a way you can look at setting up different levels across these three pillars. You would want to tweak the levels based on your business and ensure the progression plan is achievable and quantifiable.
Level 1 - Entry - 1-2 Years Experience, SIEM and EDR Analysis and Infrastructure Experience
Level 2 – Junior - 2-3 Years Experience, Detection Creation Experience and Red Team Exposure
Level 3 – Senior - 3-5 Years Experience, Experience Running Hunts from varying complexities
Level 4 – Principal - 5+ Years Experience, Strong understanding of the environment and multiple years of experience conducting hunts in the environment
Defining different tiers of ‘threat hunters’ internally is a critical step. The fundamental skillsets for a threat hunter would be detection understanding, incident response experience, attacker mindset, threat centric mindset, and threat hunt exposure. It’s a complex mix of skills which is why you will typically want to have a Senior or Principal threat hunter coaching the team members. If that’s not an option enabling a stronger collaboration between teams (e.g., red team, threat intel, etc.) and/or leveraging partners will get you there.
Level 1 - Threat Hunter – Creating and executing hunts. Minimal Tracking/Reporting.
Level 2 - Dedicated R&D Team, Team of Threat Hunters. High visibility reporting.
Level 3 - Integrated Red Team, Dedicated Detection Team. Mostly Automated Processes.
Level 4 - Red Team Tests, Focused Hunts, Automated Process/Collaboration.
It’s important to have a simple and achievable process, one that you can continue to automate to increase the impact it has across the team. Often, teams will only focus on the process versus the actual threat hunt, so it’s important that there is a good balance between execution and improvement.
Level 1 – Basic – SIEM or EDR
Level 2 – Above Average - SIEM + EDR + Firewall + IDS/IPS + Threat Intel
Level 3 – Exceeding Expectations - SIEM + EDR + Firewall + IDS/IPS + DNS + Threat Intel + Scripts
Level 4 – Defining the Standard - SIEM + EDR + Firewall + IDS/IPS + DNS + Threat Intel + Scripts + Machine Learning + Deep End Point Logs: Sysmon / OSQuery / Tanium
Then finally, technology. Having a strong set of tools will enable better hunting and stronger context. This doesn’t mean you need all the tools and visibility to start threat hunting. You can focus on what you have (e.g., DNS, firewall, etc.) and build upon that as you increase visibility. You may be limited on the ‘people’ portion of the equation and need to lean into what they are familiar with while you build your program.
E.g., three Level 1 employees, and one Level 4 employee
E.g., if you have the resources but lack the automation, would a platform enable your team to have stronger outcomes?
The above steps would be one approach, it all comes down to being efficient and reporting the required data to leadership to show the value of investing in your threat hunting capabilities.
In conclusion, Threat hunting is not an easy or quick challenge to take on, however, it is an important challenge to address and build upon. We will be posting additional blogs that dig deeper into the topics touched on throughout this blog (people, process, and technology). We are also available to augment your capabilities, provide a maturity review, and/or help you build your program.
Michael is a Director of Technical Advisory Services at MOXFIVE where he provides strategic advisory services and solutions to large enterprises during and after impactful incidents. He holds a Masters Degree in Cyber Security and is accredited through SANS for the GCFA, GCIA, and GOSI certifications. He has had a wide range of experience from building and managing global Security Operation Centers, Threat Hunting Teams, DevOps Teams, and Infrastructure Teams.
MOXFIVE provides the clarity and peace of mind needed for attack victims during the incident response process. Our Technical Advisors serve as an Incident Coordinator to clearly define the incident, the action plan to be executed, and manage the incident response efforts.Learn More
With experience on the front lines responding to incidents daily, MOXFIVE Technical Advisors have the unique ability to connect the dots between business, information technology, and security objectives to help you quickly identify the gaps and build a more resilient environment.Learn More