THREAT HUNTING MATURITY MODEL: A NEW APPROACH FOR STRUCTURED HUNTING

THE ORIGINAL THREAT HUNTING MATURITY MODEL

Many organizations will already have heard of the existing Threat Hunting Maturity Model. It was developed by Sqrrl in 2017 and measured key elements of an organization's hunting capability, including:

  • the methods and capabilities to visualize and analyze data; and
  • types of analytics available to the data to enhance hunters’ insights into said data.

INTRODUCING THE HUNT TEAM MATURITY MODEL (AN UPDATE TO THE THREAT HUNTING MATURITY MODEL)

The Threat Hunt Team Maturity Model measures:
  • The maturity of the threat intelligence that feeds hunting efforts;
  • The types of hunting an organization is capable of performing; and
  • The outputs of the hunt team.

HTM0 — NON-EXISTENT CAPABILITY

At HTM0 of our threat hunting maturity model, organizations rely only on traditional security controls to drive daily operations. These organizations will likely depend on automated alerting, which originates from reactive security controls including:

  • Host- and network-based intrusion detection and prevention systems (IDPS);
  • Firewalls (FW);
  • Web application firewalls (WAF); and
  • Web proxying solutions.

HTM1 — NASCENT CAPABILITY

Organizations that have achieved HTM1 in our threat hunting maturity model have remedied most of the shortcomings of HTM0 by increasing their visibility into their environment. These organizations will often still rely on the same controls identified in HTM0 for reactive detection, but HTM1 also starts to focus on greater network visibility, especially NetFlow data. This visibility allows organizations to visualize and analyze network metadata, for example to spot:

  • Blank or missing fields in HTTP traffic
  • Encoded data in the HTTP header
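To make the two HTTP-metadata hunts above concrete, here is an added example (not code from the article or from Cyborg Security) that runs simple detection logic over a handful of constructed proxy-style HTTP records. The record layout, field names (`host`, `user_agent`, `headers`) and sample values are assumptions for illustration; a real pipeline would feed it NetFlow-enriched or proxy-log data in whatever schema the organization's tooling produces.

```python
import base64
import re
import string

# Constructed HTTP metadata records, roughly as a proxy or NetFlow-enrichment
# pipeline might emit them. Sample data only; the field names are assumptions.
CONSTRUCTED_RECORDS = [
    {"id": 1, "src": "10.0.0.5", "dst": "203.0.113.10", "method": "GET",
     "host": "www.example.com", "user_agent": "Mozilla/5.0",
     "headers": {"Accept": "*/*", "Content-Type": "application/json"}},
    {"id": 2, "src": "10.0.0.7", "dst": "203.0.113.20", "method": "POST",
     "host": "", "user_agent": "",
     "headers": {"Content-Type": "application/octet-stream"}},
    {"id": 3, "src": "10.0.0.9", "dst": "203.0.113.30", "method": "GET",
     "host": "cdn.example.net", "user_agent": "curl/7.88.1",
     # A custom header carrying base64 text (constructed).
     "headers": {"X-Session": base64.b64encode(b"hostname=ws42;domain=corp").decode()}},
]

# Fields a normal browser request is expected to populate.
REQUIRED_FIELDS = ("host", "user_agent")
# Headers that legitimately carry base64; flagging them would only create noise.
BASE64_EXPECTED_HEADERS = {"authorization", "proxy-authorization"}
# Base64 alphabet, at least 20 characters, optional padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{20,}={0,2}$")
PRINTABLE = set(string.printable)


def looks_base64_encoded(value: str) -> bool:
    """True if value is valid base64 that decodes to mostly printable bytes.

    The printable-ratio check keeps ordinary tokens such as MIME types from
    being reported just because they happen to fit the base64 alphabet.
    """
    if not B64_RE.match(value):
        return False
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:
        return False
    if not raw:
        return False
    text = raw.decode("latin-1")
    printable_ratio = sum(ch in PRINTABLE for ch in text) / len(text)
    return printable_ratio >= 0.9


def hunt_http_record(record: dict) -> list:
    """Return (finding, detail) tuples for one HTTP metadata record."""
    findings = []
    # Hunt 1: blank or missing fields.
    for field in REQUIRED_FIELDS:
        if not (record.get(field) or "").strip():
            findings.append(("blank_field", field))
    # Hunt 2: encoded data in headers that should not carry it.
    for name, value in record.get("headers", {}).items():
        if name.lower() in BASE64_EXPECTED_HEADERS:
            continue
        if looks_base64_encoded(value):
            decoded = base64.b64decode(value).decode("latin-1")
            findings.append(("encoded_header", f"{name}={decoded}"))
    return findings


def hunt(records) -> dict:
    """Map record id -> findings, keeping only records that triggered a hunt."""
    results = {}
    for rec in records:
        found = hunt_http_record(rec)
        if found:
            results[rec["id"]] = found
    return results


if __name__ == "__main__":
    for rec_id, findings in hunt(CONSTRUCTED_RECORDS).items():
        for kind, detail in findings:
            print(f"record {rec_id}: {kind}: {detail}")
```

Run as a script it reports record 2 for its blank Host and User-Agent and record 3 for the base64 payload in `X-Session`, while record 1's ordinary `application/json` value is left alone. In practice both hunts are noisy on their own (some internal tooling sends no User-Agent, and some vendors encode header values by design), so the hits are a starting point for the analyst to pivot on source host and destination, not alerts in themselves.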

HTM2 — FUNCTIONAL CAPABILITY

Organizations at HTM2 in our threat hunting maturity model will have all the same security controls from previous levels. They will also have addressed the lack of visibility at the endpoint level in the environment. HTM2 organizations will deploy tools to log endpoint activity. These tools are likely to be some form of endpoint detection and response (EDR) platform. Other platforms such as extended detection and response (XDR) and endpoint protection platforms (EPP) may also work.

HTM3 — MATURING CAPABILITY

Organizations at HTM3 in our threat hunting maturity model will have good visibility into their environment at both the network and endpoint levels. This type of organization may also begin to put in place automation platforms such as SOAR. These tools automate manual processes for security analysis and hunting.

HTM4 — FULLY MATURE CAPABILITY

An organization which has developed to HTM4 in our threat hunting maturity model has addressed its resource issues. This means that the organization is able to maintain ongoing threat hunting operations.

A CONCLUSION ON THREAT HUNTING MATURITY MODELS

As organizations continue to focus on improving their threat hunting, it is important to provide a concrete roadmap. The Hunt Team Maturity Model (HTMM), a variant of the original threat hunting maturity model, is designed to assist in this process. This helps organizations starting down their threat hunting journey. But it also helps to build a way forward for more mature organizations. Using it, organizations are able to tell not just where they are, but where they need to be and, more importantly, how to get there.

Cyborg Security

Cyborg Security is a pioneer in cybernetic threat hunting, delivering an advanced, actionable threat hunting platform.