Threat hunting is the practice of proactively searching beyond known alerts and known malicious indicators to discover threats and vulnerabilities that are lurking undetected in a network.
How do you get started building a threat hunting program for your organization? Mark Brozek’s blog post on How to Start Threat Hunting has a key paragraph that I believe is the best way to plant the seeds for such a program: Develop a Hypothesis, Then Test It.
Structured hunting tends to be the most useful approach for organizations. This takes the form of goal-oriented sprints that last no longer than two weeks. Each hunt should start with a piece of intelligence and a hypothesis. This could be a new vulnerability or threat that should be investigated to see if it impacts the organization or an unusual behavior. It could also be as simple as following up on a malware outbreak to make sure it has been fully remediated. Then, threat hunters conduct some form of pen testing, simulation or red team exercise to see what they can discover. Teams may uncover misconfigurations, vulnerabilities and malicious activity through these exercises. Structured hunting should be process-driven but follow an agile methodology. Hunters should understand what automated processes, alerts and behavior analysis have already been performed on the data so as not to duplicate efforts. Threat hunting can lead down many rabbit holes, which requires agility – but there should be a formal process in place to guide the hunt and pull back from the rabbit holes as needed. If the two weeks are exhausted without progress, then you must move on.
Mark Brozek on How to Start Threat Hunting
Threat Hunting Data
Threat hunting requires both data and people. Andrew Ludwig summarizes this best as ‘No data – no hunt’. Data can come from a wide variety of sources, including logs from on-premises systems and vendor tools that expose their data for interactive exploration.
Threat Hunting Skills
Many sources list the skills required for threat hunting as ranging across programming, threat intelligence analysis, malware analysis, penetration testing, data science, machine learning and business analysis. What matters most, however, is a team or individual with a desire to question why and whether an exploit is possible, approaching the problem creatively through the lens of “I wonder what would happen if this …” and grounded in sound knowledge of all the systems and data in place at the organization. Furthermore, good threat hunters must be able to communicate and share their findings in order to build a business case for continued threat hunting resources and the related remediation work.
Threat Hunting Tools
- Security monitoring tools and data from products such as firewalls, endpoint protection and data loss prevention solutions
- Analytics tools such as Power BI provide visual reports that aggregate the log data, making it easier to correlate entities, visualize and interact with the reports, and then detect patterns.