WHAT IS STRUCTURED THREAT HUNTING?

UNSTRUCTURED VS. STRUCTURED THREAT HUNTS

Structured threat hunting stands in contrast to the more prevalent method of unstructured threat hunting (variously referred to as ad hoc or data-driven hunting).

CREATING A THREAT HUNTING HYPOTHESIS

When an organization creates a threat hunting hypothesis around which a hunt will be structured, it uses its threat intelligence capabilities to uncover actors or threats that are likely to target the organization, its industry, its geography, or even specific elements of its critical IT infrastructure. By prioritizing these potential threats and using threat intelligence to break down how they are known to operate and what TTPs they use, a threat hunting team can create testable, scientific hypotheses.

DEVELOPING A HUNT PLAN

Establishing a hypothesis is just the first step in beginning a structured threat hunt. To get this type of hypothesis-based threat hunting right, a team will also need what’s called a hunt plan. The hunt plan sets a course for the threat hunting techniques and methodologies the team will use to prove, or disprove, the hypothesis. The plan should be a formal document that will often include:

  • the log sources required (or the blind spots and alternative log sources),
  • approvals from all of the relevant stakeholders,
  • points of escalation and contingencies in the event of either breaking something in the process or discovering a security incident,
  • points of handoff in the event that threat hunters need to hand off discoveries to incident handlers, responders, or other relevant authorities in an organization,
  • findings from the hunt, and
  • points for improvement from any feedback sessions or after-action reviews.
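To make the two preceding sections concrete, here is an added example (not code from the original article or from Cyborg Security) that reduces a hypothesis and its hunt plan to a small Python model: the hypothesis carries the TTP it is built on, the log sources needed to test it, and a predicate; the plan records approvals, escalation and handoff points, blind spots, findings, and improvement items. The ATT&CK technique ID, the log source names, the contacts and the sample events are all assumptions constructed for the example. The one design point worth noting is that a missing log source makes the hunt "inconclusive" rather than "not supported", so a blind spot is never mistaken for a clean result.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass
class Hypothesis:
    """A testable statement tied to one TTP and the telemetry needed to test it."""
    statement: str
    technique: str                  # ATT&CK technique ID the statement is built on (assumed)
    required_sources: List[str]     # log sources without which the hunt cannot conclude
    test: Callable[[Dict], bool]    # predicate applied to each event from those sources


@dataclass
class HuntPlan:
    """The formal hunt plan from the article, reduced to the fields it lists."""
    hypothesis: Hypothesis
    available_sources: Set[str]
    approvals: List[str]
    escalation_contact: str
    handoff_contact: str
    findings: List[Dict] = field(default_factory=list)
    improvements: List[str] = field(default_factory=list)

    def blind_spots(self) -> List[str]:
        """Required log sources the organisation does not actually collect."""
        return [s for s in self.hypothesis.required_sources
                if s not in self.available_sources]

    def run(self, events: List[Dict]) -> str:
        """Test the hypothesis against events; a blind spot yields 'inconclusive',
        not 'not_supported', and is recorded as an improvement item."""
        gaps = self.blind_spots()
        if gaps:
            self.improvements.append("onboard missing log sources: " + ", ".join(gaps))
            return "inconclusive"
        self.findings = [e for e in events
                         if e["source"] in self.hypothesis.required_sources
                         and self.hypothesis.test(e)]
        return "supported" if self.findings else "not_supported"


def encoded_powershell(event: Dict) -> bool:
    """Example predicate: PowerShell started with an encoded command line."""
    cmd = event.get("command_line", "").lower()
    return "powershell" in cmd and "-enc" in cmd   # matches -enc and -encodedcommand


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"source": "sysmon_process_create", "host": "ws-17",
     "command_line": "powershell.exe -enc QUJDRA=="},
    {"source": "sysmon_process_create", "host": "ws-03",
     "command_line": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"source": "edr_network", "host": "ws-17", "command_line": ""},
]

HYPOTHESIS = Hypothesis(
    statement="An actor relevant to our sector runs encoded PowerShell on workstations",
    technique="T1059.001",          # assumed ATT&CK ID for the example
    required_sources=["sysmon_process_create"],
    test=encoded_powershell,
)


def build_plan(available: Set[str]) -> HuntPlan:
    """Plan the same hypothesis against whatever telemetry is actually available."""
    return HuntPlan(hypothesis=HYPOTHESIS, available_sources=available,
                    approvals=["SOC lead", "IT operations"],
                    escalation_contact="incident-response@example.invalid",  # placeholder
                    handoff_contact="ir-oncall@example.invalid")             # placeholder


if __name__ == "__main__":
    for avail in ({"edr_network"}, {"sysmon_process_create", "edr_network"}):
        plan = build_plan(avail)
        print(plan.run(SAMPLE_EVENTS), plan.blind_spots(), len(plan.findings))
```

Run as a script, the first plan (process creation logs not collected) comes back inconclusive with the blind spot listed, and the second plan finds the single matching event on ws-17; in practice the predicate would be a query against the team's SIEM or EDR rather than a Python function.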

CONCLUSION

As organizations continue to mature their threat hunting programs, it is vital that they move away from relying exclusively on ad hoc, unstructured hunting and instead incorporate structured threat hunting, improving their ability to detect threats and more consistently identify advanced actors and techniques.

Cyborg Security