THREAT HUNTING MATURITY MODEL: A NEW APPROACH FOR STRUCTURED HUNTING
By Josh Campbell at Cyborg Security
We’ve talked a lot about threat hunting in the past few months: how to do it, what you need, and even how you can follow up on hunts. Something we haven’t covered, though, is maturity, and how teams can measure it. For some, measuring “maturity” can seem tedious. After all, so long as hunt teams “find the bad,” some might wonder why maturity is even important for SOCs. The value of modeling maturity is that it allows organizations to set their “eye on the prize,” so to speak. It enables organizations to see where they are today, and how to improve moving forward. It also gives teams an idea of the areas or technologies they need to improve on. That is why a threat hunting maturity model is so important.
THE ORIGINAL THREAT HUNTING MATURITY MODEL
Now, many organizations may have heard of the existing Threat Hunting Maturity Model. This was a model developed by Sqrrl back in 2017 and measured key elements of an organization’s hunting capability, including:
- the quantity and quality of data collected by organizations;
- the methods and capabilities to visualize and analyze data; and
- the types of analytics that can be applied to that data to enhance hunters’ insight into it.
But, one of the key limitations for this model is that it focused only on unstructured hunting. There is nothing wrong with that focus. But as organizations continue to improve, providing a model that expands that focus is important.
INTRODUCING THE HUNT TEAM MATURITY MODEL (AN UPDATE TO THE THREAT HUNTING MATURITY MODEL)
As a result, we have expanded on the Threat Hunting Maturity Model. We refer to this modified model as the “Hunt Team Maturity Model” or HTMM. The HTMM takes into account variables that are critical for hunting. While we have focused on structured hunting, this model can also apply to other types of threat hunting. Some of these other variables we take into account are:
- The security controls that an organization has in place;
- The maturity of the threat intelligence that feeds hunting efforts;
- The types of hunting an organization is capable of performing; and
- The outputs of the hunt team.
Below, you will find a description of each level in the model, along with the requirements to advance.
HTM0 — NON-EXISTENT CAPABILITY
At HTM0 of our threat hunting maturity model, organizations rely only on traditional security controls to drive daily operations. These organizations will likely rely on automated alerting. This alerting originates from reactive security controls, including:
- Host- and network-based intrusion detection and prevention systems (IDPS);
- Firewalls (FW);
- Web application firewalls (WAF); and
- Web proxying solutions.
Organizations at HTM0 will use a platform for log and data aggregation. This platform, which is likely to be a SIEM, will likely use basic content, such as correlation rules, for alerting. This content will likely originate from their SIEM vendors. These organizations likely have little or no visibility into their environments.
These organizations will likely incorporate threat feeds. These feeds are often provided through open-source services. They often consist of indicators that map to the lower levels of the Pyramid of Pain. Note that organizations at HTM0 will likely have no true threat intelligence capability.
HTM0 organizations also collect only a limited subset of log data. This data is enough to meet the existing requirements of security operations and not much else. Organizations at HTM0 are incapable of threat hunting.
HTM1 — NASCENT CAPABILITY
Organizations that have achieved HTM1 in our threat hunting maturity model have remedied most of the shortcomings of HTM0. They have increased their visibility into their environment. These organizations will often rely on the same controls identified in HTM0 for reactive detection. HTM1 organizations will also start to focus on greater network visibility, especially netflow data. This visibility allows organizations to visualize and analyze network metadata.
Organizations at HTM1 will still leverage a SIEM platform for analysis. But, organizations at this maturity will start to expand their SIEM content beyond simple correlations.
HTM1 organizations will also seek to integrate a threat intelligence platform. This integration will allow storage and enrichment of individual IOCs. This integration could feed IOCs into security controls or the SIEM environment. This type of integration will prove challenging for organizations to keep up with.
HTM1 organizations will be able to consume more complex indicators. These indicators will likely align to tool-based artefacts found in the netflow metadata. These could include:
- User Agent Strings
- Blank or missing fields in HTTP traffic
- Encoded data in the HTTP header
HTM1 organizations are capable of basic operational hunting. An organization at HTM1 will conduct threat hunting, but only on an ad hoc basis.
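As an added example (not code from the post or from Cyborg Security), here is a small Python hunt over HTTP metadata that looks for the three artefact types just listed: a blank or missing User-Agent, a User-Agent seen from only a handful of hosts (stacking), and header values that look like encoded data. The records, their field names and the rarity threshold are constructed assumptions for the example.

```python
import base64
import re

# Constructed HTTP metadata records standing in for what an HTM1 team would
# pull from proxy logs or netflow-derived HTTP parsing. Field names ("src",
# "ua", "headers") are assumptions for this example, not a real log format.
HTTP_RECORDS = [
    {"src": "10.0.0.5", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "headers": {"Accept": "*/*"}},
    {"src": "10.0.0.6", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "headers": {"Accept": "*/*"}},
    {"src": "10.0.0.7", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "headers": {"Accept": "*/*"}},
    {"src": "10.0.0.9", "ua": "", "headers": {"Accept": "*/*"}},  # blank User-Agent
    {"src": "10.0.0.9", "ua": "curl/7.64.1",
     "headers": {"X-Session": "SGVsbG8gZnJvbSBhIGJlYWNvbiBwYXlsb2Fk"}},
    {"src": "10.0.0.3", "headers": {"Accept": "text/html"}},  # User-Agent absent
]

# A long run of base64 alphabet characters with optional padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{20,}={0,2}$")


def looks_base64(value):
    """True when a header value is a long, validly padded base64 token."""
    if not B64_RE.match(value):
        return False
    try:
        base64.b64decode(value, validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def hunt_http_artefacts(records, rare_host_limit=1):
    """Return (src, check, detail) findings: blank/missing User-Agent, a
    User-Agent seen from at most rare_host_limit hosts, encoded header data."""
    ua_hosts = {}  # stack each User-Agent against the hosts that sent it
    for r in records:
        ua_hosts.setdefault(r.get("ua", ""), set()).add(r["src"])
    findings = []
    for r in records:
        ua = r.get("ua", "")
        if not ua:
            findings.append((r["src"], "missing-user-agent", "no User-Agent value"))
        elif len(ua_hosts[ua]) <= rare_host_limit:
            findings.append((r["src"], "rare-user-agent", ua))
        for name, value in r["headers"].items():
            if looks_base64(value):
                findings.append((r["src"], "encoded-header", f"{name}={value[:16]}..."))
    return findings


if __name__ == "__main__":
    for finding in hunt_http_artefacts(HTTP_RECORDS):
        print(*finding)
```

On real data the rarity threshold would be set against the size of the host population, and a hit is a lead for a hunter to follow up, not an alert on its own.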
HTM2 — FUNCTIONAL CAPABILITY
Organizations at HTM2 in our threat hunting maturity model will have all the same security controls from previous levels. They will also have addressed the lack of visibility at the endpoint level in the environment. HTM2 organizations will deploy tools to log endpoint activity. These tools are likely to be some form of endpoint detection and response (EDR) platform. Other platforms such as extended detection and response (XDR) and endpoint protection platforms (EPP) may also work.
Organizations at HTM2 may have moved away from a SIEM as an analysis platform. Instead, these organizations may use a data lake platform to allow for increased data consumption. Other organizations may choose to remain on a SIEM platform.
Organizations at HTM2 will begin to look for more complex threat detection content for their platforms. This content will look for the known malicious behaviours of threats. They will likely rely on free content available from untrusted third parties. HTM2 organizations are also capable of adapting free content for their environment.
Organizations at HTM2 will not likely be able to generate their own threat intelligence data. As a result, HTM2 organizations will have to bring in threat data, information, and intelligence from outside. This data will likely originate from commercial intelligence providers. This threat intelligence will include long-form reporting and analysis as well as IOCs. This threat intelligence reporting will cover all levels (tactical, operational, and strategic). This threat intelligence may contribute to some limited hunting.
HTM2 organizations will be able to conduct routine threat hunting. Hunting activities are limited to unstructured (or data-driven) threat hunting and more basic analysis methodologies. But these organizations may also try limited hypothesis-based hunting.
HTM3 — MATURING CAPABILITY
Organizations at HTM3 in our threat hunting maturity model will have good visibility into their environment at both the network and endpoint levels. This type of organization may also begin to put in place automation platforms like SOAR. These tools will automate manual processes for security analysis and hunting.
HTM3 organizations will likely have moved away from traditional SIEM tools. Instead, these organizations are very likely to have data lake platforms in place. These platforms rely on hunting and detection content. HTM3 organizations will likely develop their own threat hunting content. This content originates from their knowledge and experience.
Another major difference with HTM3 organizations is their analysis methodologies. Analysts in HTM3 organizations will use a balance of structured and unstructured hunting.
Threat intelligence in HTM3 organizations will be organization-specific. This allows organizations to produce targeted intelligence-driven hunts. These hunts will focus on tools and techniques, as well as the actors and threats targeting their organization or vertical. Organizations will continue to ingest threat feeds, but will be very selective about the feeds used. These feeds should provide hyper-contextualization and mapping to specific industry frameworks.
Organizations which achieve HTM3 often find that their teams consist of only a handful of hunters. As a result, those teams may experience challenges when those hunters move on.
Large organizations will often be incapable of sustainable, repeatable, and rigorous threat hunting. This is due to the time constraints presented by primary hunting activities. Teams won’t have time to focus on tasks such as threat detection content creation and playbook development. HTM3 organizations are able to focus on sustainable threat hunting of high complexity.
HTM4 — FULLY MATURE CAPABILITY
An organization which has developed to HTM4 in our threat hunting maturity model has addressed its resource issues. This means that the organization is able to maintain ongoing threat hunting operations.
These organizations are able to focus on secondary tasks such as tool and content development. The results of this development are published to the broader community. HTM1 and HTM2 organizations are likely to consume this content.
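An added example, not part of the original post or Cyborg Security’s own tooling: a Python helper that scores a team’s HTMM level from a capability inventory and lists the gaps to each higher level. The requirement sets are my reading of the level descriptions above, and the capability labels are assumed names rather than terms from the post; the levels are treated as cumulative, so a gap at HTM1 caps the score no matter what the team has built above it.

```python
# Advance requirements per HTMM level, as read from the level descriptions
# above. Labels are assumed names for this example, not terms from the post.
# Each level is cumulative: every lower level must be satisfied first.
HTMM_REQUIREMENTS = {
    1: {"network_visibility", "tip_integration", "adhoc_hunting"},
    2: {"endpoint_visibility", "commercial_intel", "adapts_third_party_content",
        "routine_unstructured_hunting"},
    3: {"custom_hunt_content", "structured_hunting", "org_specific_intel"},
    4: {"sustained_staffing", "publishes_content"},
}


def assess(capabilities):
    """Highest HTMM level whose cumulative requirements are all met. Returns 0
    for a team with only the HTM0 baseline (traditional controls, SIEM, feeds)."""
    caps = set(capabilities)
    level = 0
    for lvl in sorted(HTMM_REQUIREMENTS):
        if not HTMM_REQUIREMENTS[lvl] <= caps:
            break  # a gap here caps the score, whatever the team has above it
        level = lvl
    return level


def roadmap(capabilities):
    """Missing requirements for every level above the current one, so a team
    sees not just where it is but what it still needs to move up."""
    caps = set(capabilities)
    current = assess(caps)
    return {lvl: sorted(req - caps)
            for lvl, req in HTMM_REQUIREMENTS.items() if lvl > current}


# Constructed inventory: good network and endpoint visibility, routine
# hunting, first structured hunts, but intelligence still bought in rather
# than produced for the organization itself.
EXAMPLE_TEAM = [
    "network_visibility", "tip_integration", "adhoc_hunting",
    "endpoint_visibility", "commercial_intel", "adapts_third_party_content",
    "routine_unstructured_hunting", "structured_hunting",
]

if __name__ == "__main__":
    print("HTM level:", assess(EXAMPLE_TEAM))
    for lvl, gaps in roadmap(EXAMPLE_TEAM).items():
        print(f"  to reach HTM{lvl}: {', '.join(gaps)}")
```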
A CONCLUSION ON THREAT HUNTING MATURITY MODELS
As organizations continue to focus on improving their threat hunting, it is important to provide a concrete roadmap. The Hunt Team Maturity Model (HTMM), a variant of the original threat hunting maturity model, is designed to assist in this process. This helps organizations starting down their threat hunting journey. But it also helps to build a way forward for more mature organizations. Using it, organizations are able to tell not just where they are, but where they need to be and, more importantly, how to get there.