Threat Hunting Program: 5 Best Practices for Success

WHAT IS A THREAT HUNTING PROGRAM?

Suffice it to say, threat hunting is a term that gets used a lot in cyber security. Like… a lot. And you’ll often hear words like “proactive” and “iterative” thrown around alongside it. Unfortunately, many of these definitions are a bit too light on actual details.

5 BEST PRACTICES FOR A THREAT HUNTING PROGRAM

IN A THREAT HUNTING PROGRAM, VISIBILITY IS KEY.

As we have said, a threat hunting program doesn’t rely on a specific platform or tool; instead, it relies on people and processes. However, you can significantly improve the results of your threat hunting program by ensuring your hunt teams have access to the right log data. If your organization has mostly focused on traditional block-and-tackle security, this means you are probably going to need to start ingesting a lot more log data. After all, threat hunters can only hunt what they can see. This is going to require log data from your security tools, endpoints, and network. If you want to deep dive into this, we’ve built a pretty comprehensive list of the best log data at the endpoint and network level.

BASELINING IS HARD, BUT IT IS WORTH IT FOR THREAT HUNTING PROGRAMS!

Another very important element of a successful threat hunting program is a process called baselining. This is something that every security team should be doing, to some degree or another, but for threat hunting it is absolutely crucial. This is because the behaviors hunters are on the trail of are not always malicious; sometimes they are just suspicious, and a hunter can only tell the two apart by knowing what normal looks like in that environment.
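To make baselining concrete, here is an added example (not code from the original post or from Cyborg Security) that builds a baseline of parent/child process pairs from a window believed to be clean, and then hunts a later batch of events for pairs that are either new to the environment or seen on very few hosts. The events, host names and field names (`host`, `parent`, `image`) are constructed for the example and only loosely mirror EDR or Sysmon process-creation telemetry.

```python
"""Baselining parent/child process pairs so a hunter can surface behaviour
that is rare for this environment (suspicious) without assuming it is malicious.
Added example; the events below are constructed, not real telemetry."""
from collections import defaultdict

# Constructed process-creation events from a "known good" baseline window.
# Field names are assumptions that loosely follow common endpoint telemetry.
BASELINE_EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "image": "winword.exe"},
    {"host": "ws02", "parent": "explorer.exe", "image": "winword.exe"},
    {"host": "ws03", "parent": "explorer.exe", "image": "outlook.exe"},
    {"host": "ws01", "parent": "services.exe", "image": "svchost.exe"},
    {"host": "ws02", "parent": "services.exe", "image": "svchost.exe"},
    {"host": "ws03", "parent": "services.exe", "image": "svchost.exe"},
    {"host": "ws01", "parent": "explorer.exe", "image": "cmd.exe"},
    {"host": "ws02", "parent": "explorer.exe", "image": "cmd.exe"},
    {"host": "ws03", "parent": "explorer.exe", "image": "cmd.exe"},
    {"host": "ws04", "parent": "explorer.exe", "image": "cmd.exe"},
    # An admin box legitimately runs PowerShell from the desktop shell.
    {"host": "admin01", "parent": "explorer.exe", "image": "powershell.exe"},
]

# Constructed events from the window being hunted.
NEW_EVENTS = [
    {"host": "ws02", "parent": "explorer.exe", "image": "cmd.exe"},
    {"host": "ws03", "parent": "winword.exe", "image": "powershell.exe"},
    {"host": "ws05", "parent": "explorer.exe", "image": "powershell.exe"},
    {"host": "ws01", "parent": "services.exe", "image": "svchost.exe"},
]


def build_baseline(events):
    """Map (parent, image) -> set of hosts on which that pair was observed.

    Prevalence across hosts, not raw event count, is what matters: a pair that
    fires 10,000 times on one server is still rare fleet-wide."""
    seen = defaultdict(set)
    for e in events:
        seen[(e["parent"].lower(), e["image"].lower())].add(e["host"])
    return seen


def hunt_against_baseline(baseline, new_events, min_hosts=2):
    """Return new events whose parent/child pair is absent from the baseline,
    or present on fewer than min_hosts hosts.  Each hit carries a reason so
    the analyst can prioritise never-seen pairs over merely rare ones."""
    hits = []
    for e in new_events:
        key = (e["parent"].lower(), e["image"].lower())
        hosts = baseline.get(key, set())
        if not hosts:
            hits.append({**e, "reason": "never seen in baseline"})
        elif len(hosts) < min_hosts:
            hits.append({**e, "reason": f"seen on only {len(hosts)} host(s)"})
    return hits


if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    for hit in hunt_against_baseline(base, NEW_EVENTS):
        print(f"{hit['host']}: {hit['parent']} -> {hit['image']} ({hit['reason']})")
```

Two design points worth noting: the baseline window must be one you have reason to believe was clean, otherwise an intrusion that was already present becomes "normal", and the baseline should be rebuilt periodically, because software rollouts change what normal looks like. In the constructed data, `explorer.exe -> cmd.exe` is common and stays quiet, `winword.exe -> powershell.exe` has never been seen and surfaces first, and `explorer.exe -> powershell.exe` is flagged only as rare, since an admin host does it legitimately.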

NEVER STOP HYPOTHESIZING

As security teams mature their threat hunting program, they often start incorporating hypothesis-driven hunting into the mix. As we mentioned, this type of hunting starts with the assumption that the network has already been compromised via a particular vector, and then narrows down to the “behaviors” you would expect to see from that adversary.

USING HUNTING AS A FORCE MULTIPLIER

A common mistake security teams make when they first start threat hunting is to treat threat hunting as an island unto itself: the team hunts, finds, and remediates. The reality is that threat hunting should be used as a force multiplier. When hunters identify something that slipped through, it is critical that actionable detection content be created, so that in the future the SOC team can respond appropriately and hunters aren’t spending their time hunting the same threats over and over.
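The following added example (not code from the original post or from Cyborg Security) ties the two preceding sections together: a hypothesis (“an adversary got in through a malicious Office document and established persistence”) is narrowed to three expected behaviors, each written declaratively; the hunt runs those behaviors over the data and reports hosts that show more than one of them; and any behavior that produced a confirmed finding is exported as standalone detection content that a SOC pipeline can load and evaluate with the same matcher, so the hunt is not repeated by hand. The events, hosts, user names, the rule format, and the field names are all constructed for this example; the ATT&CK technique IDs are real.

```python
"""Hypothesis-driven hunt whose findings become reusable detection content.
Added example; events, field names and the rule format are constructed."""
import json
from collections import defaultdict

# Constructed, normalised process-creation events (field names are assumptions).
EVENTS = [
    {"ts": "2024-01-10T09:01:00", "host": "ws07", "user": "jdoe",
     "image": "outlook.exe", "parent": "explorer.exe", "cmdline": "outlook.exe"},
    {"ts": "2024-01-10T09:02:10", "host": "ws07", "user": "jdoe",
     "image": "winword.exe", "parent": "outlook.exe", "cmdline": "winword.exe /n invoice.docm"},
    {"ts": "2024-01-10T09:02:15", "host": "ws07", "user": "jdoe",
     "image": "powershell.exe", "parent": "winword.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc AAAA"},   # payload elided
    {"ts": "2024-01-10T09:02:20", "host": "ws07", "user": "jdoe",
     "image": "schtasks.exe", "parent": "powershell.exe",
     "cmdline": "schtasks.exe /create /tn Updater /tr C:\\Users\\jdoe\\AppData\\Roaming\\u.exe /sc minute"},
    {"ts": "2024-01-10T09:30:00", "host": "ws08", "user": "asmith",
     "image": "powershell.exe", "parent": "explorer.exe", "cmdline": "powershell.exe Get-Date"},
]

# Hypothesis: initial access via a malicious Office document, followed by
# persistence.  Each expected behaviour is declarative so it can be serialised
# later: {"in": [...]} means exact match, {"contains": [...]} means every
# substring must appear.  All comparisons are case-insensitive.
BEHAVIOURS = [
    {"name": "Office application spawns script interpreter", "technique": "T1566.001",
     "where": {"parent": {"in": ["winword.exe", "excel.exe", "powerpnt.exe"]},
               "image": {"in": ["powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"]}}},
    {"name": "PowerShell with hidden window and encoded command", "technique": "T1059.001",
     "where": {"image": {"in": ["powershell.exe"]},
               "cmdline": {"contains": ["-w hidden", "-enc"]}}},
    {"name": "Scheduled task created with binary under a user profile", "technique": "T1053.005",
     "where": {"image": {"in": ["schtasks.exe"]},
               "cmdline": {"contains": ["/create", "\\users\\"]}}},
]


def matches(where, event):
    """True when every field condition in `where` holds for `event`."""
    for fld, cond in where.items():
        val = str(event.get(fld, "")).lower()
        if "in" in cond and val not in [v.lower() for v in cond["in"]]:
            return False
        if "contains" in cond and not all(s.lower() in val for s in cond["contains"]):
            return False
    return True


def hunt(events, behaviours, min_behaviours=2):
    """Run every expected behaviour over the data.  Hosts that exhibit at
    least min_behaviours distinct behaviours become leads for the analyst;
    a single weak signal on its own is left for baselining to judge."""
    by_host = defaultdict(dict)
    for e in events:
        for b in behaviours:
            if matches(b["where"], e):
                by_host[e["host"]].setdefault(b["name"], []).append(e)
    return {h: seen for h, seen in by_host.items() if len(seen) >= min_behaviours}


def to_detection_rule(behaviour):
    """Package a behaviour that produced a confirmed finding as detection
    content.  JSON is used because it is also valid YAML, so the SOC side can
    store it next to its other rules; the structure is this example's own,
    loosely inspired by Sigma-style rules, not the Sigma schema itself."""
    return json.dumps({
        "title": behaviour["name"],
        "tags": [f"attack.{behaviour['technique'].lower()}"],
        "detection": behaviour["where"],
        "level": "high",
    }, indent=2)


def detect(events, rule_text):
    """What the SOC pipeline runs going forward: load the exported rule and
    return the events it fires on, using the same matcher the hunters used."""
    rule = json.loads(rule_text)
    return [e for e in events if matches(rule["detection"], e)]


if __name__ == "__main__":
    for host, findings in hunt(EVENTS, BEHAVIOURS).items():
        print(host, "->", ", ".join(findings))
    rule = to_detection_rule(BEHAVIOURS[0])
    print(rule)
    print("rule fires on", len(detect(EVENTS, rule)), "event(s)")
```

Note the division of labour: `hunt()` scores a host on how many of the hypothesised behaviors it shows, which is what makes a hypothesis hunt narrower than a single-signature search, while `to_detection_rule()` and `detect()` hand the individual behaviors over to the SOC once the hunt has proved them useful. Only the first host (`ws07`) shows all three behaviors; `ws08`, which merely runs PowerShell from the desktop, is not a lead.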

DON’T JUST “CHASE THE SQUIRREL”

A challenge that a lot of security teams face is the temptation to only “chase the squirrel” when threat hunting. This happens when a new high-profile vulnerability, malware family, or exploit is released, often making the mainstream news; for MSSPs and MDR providers in particular, it is usually accompanied by a flurry of emails and phone calls asking whether clients have been impacted. While this is a tale as old as time in security, the reality is that it is also the least efficient use of threat hunting resources, because hunt teams should be actively hunting for the behaviors that an adversary would exhibit once they get into an environment. Can they hunt for exploitation of a particular vulnerability?

CONCLUSION

MSSP and MDR providers have become a crucial link in the chain of organizations’ security. With this has come the realization that traditional reactive security just isn’t enough anymore, and that there is a critical need to deliver advanced services like threat hunting in order to keep adversaries at bay.

Cyborg Security