Five steps to effective threat hunting  

Threat hunting can benefit organizations by improving security posture and overall vigilance, cultivating a culture of proactive risk management and mitigation, and giving greater visibility into the attack surface and adversary tactics. Here are five steps to doing it effectively:

  1. Measure existing threat hunt maturity. How mature is your organization's threat hunting capability? Auditing the security posture and SOC environment is a good first step toward understanding whether the organization is ready for threat hunting. Organizations can also evaluate their readiness with a cybersecurity maturity model and by drawing on established frameworks and threat intelligence databases.
  2. Decide on the right threat hunting approach. Once organizations have a better reading on their threat hunting needs and goals, they can look for an arrangement that fits them. Part of that is deciding whether to cultivate threat hunters from within, outsource threat hunting to a third party, or set up a hybrid of in-house and outside expertise.
  3. Address the skills gap. Threat hunting is chiefly a human exercise, and organizations need to budget accordingly to attract skilled professionals.
  4. Address the tech gap. For threat hunters to be effective, they need full visibility of the network and the tools to search it. The right technologies can grant that visibility, but they can also add difficulties if they fail to mesh with personnel structures and policies. Organizations might consider an extended detection and response (XDR) platform that natively integrates threat hunting tools into one package and provides a dashboard for exploring threat signals and exposed assets.
  5. Develop and implement an incident response plan. As threat hunting operations grow, security managers must maintain a living incident response plan that can accommodate changes in protocols for detection, reporting, triage and analysis, containment, and post-incident cleanup.
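Steps 4 and 5 assume the hunters have searchable process telemetry and a hypothesis to test against it. The script below is an added example, not part of the article or of any vendor's product, showing what a small hypothesis-driven hunt looks like in practice: it tests the hypothesis "a phishing document caused an Office application to spawn a command interpreter or script host", and it also "stacks" parent/child process pairs so that the rarest pairs surface for analyst review. The events are constructed, Sysmon/EDR-shaped samples, and the field names, host names and process allow-lists are assumptions chosen for the example.

```python
"""Hypothesis-driven hunt over process-creation events (added example)."""
from collections import Counter
import re

# Hypothesis: an Office application launching a script host or shell is
# unusual for most users and worth an analyst's eyes.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Constructed sample telemetry (not real data); field names are assumptions.
SAMPLE_EVENTS = [
    {"host": "ws-101", "user": "alice", "parent": "explorer.exe", "image": "outlook.exe"},
    {"host": "ws-101", "user": "alice", "parent": "outlook.exe", "image": "WINWORD.EXE"},
    {"host": "ws-101", "user": "alice", "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "ws-102", "user": "bob", "parent": "explorer.exe", "image": "chrome.exe"},
    {"host": "ws-102", "user": "bob", "parent": "explorer.exe", "image": "winword.exe"},
    {"host": "ws-102", "user": "bob", "parent": "winword.exe", "image": "splwow64.exe"},
    {"host": "ws-103", "user": "carol", "parent": "explorer.exe", "image": "excel.exe"},
    {"host": "ws-103", "user": "carol", "parent": "excel.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws-104", "user": "dave", "parent": "explorer.exe", "image": "chrome.exe"},
    {"host": "ws-104", "user": "dave", "parent": "services.exe", "image": "svchost.exe"},
    {"host": "ws-105", "user": "erin", "parent": "services.exe", "image": "svchost.exe"},
    {"host": "ws-105", "user": "erin", "parent": "explorer.exe", "image": "chrome.exe"},
]


def basename(path):
    """Lower-case file name from a Windows or POSIX path; telemetry mixes both."""
    return re.split(r"[\\/]", path.strip())[-1].lower()


def normalize(event):
    """Return a copy of the event with parent/image reduced to lower-case names."""
    e = dict(event)
    e["parent"] = basename(event["parent"])
    e["image"] = basename(event["image"])
    return e


def office_spawning_script_host(events):
    """Direct test of the hypothesis: Office parent -> script host child."""
    return [e for e in map(normalize, events)
            if e["parent"] in OFFICE_APPS and e["image"] in SCRIPT_HOSTS]


def stack_parent_child(events):
    """Frequency-count every (parent, child) pair across the data set."""
    return Counter((e["parent"], e["image"]) for e in map(normalize, events))


def rare_pairs(events, max_count=1):
    """Pairs seen at most max_count times; rarity is a lead, not a verdict."""
    counts = stack_parent_child(events)
    return sorted(pair for pair, n in counts.items() if n <= max_count)


def hunt(events):
    """Run both techniques and return a compact summary for analyst triage."""
    hits = office_spawning_script_host(events)
    return {
        "hypothesis_hits": [(e["host"], e["user"], e["parent"], e["image"]) for e in hits],
        "rare_pairs": rare_pairs(events),
    }


if __name__ == "__main__":
    result = hunt(SAMPLE_EVENTS)
    for hit in result["hypothesis_hits"]:
        print("HIT  %s %s: %s -> %s" % hit)
    for parent, child in result["rare_pairs"]:
        print("RARE %s -> %s" % (parent, child))
```

Two points carry over from the example to a real environment. Full-path normalization matters because a hunt that compares raw image paths will miss the same binary launched from a different directory or with different casing. And stacking produces leads, not findings: in the sample, winword.exe spawning splwow64.exe is equally rare but benign, so rare pairs go to an analyst, and confirmed hits feed the incident response plan from step 5.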

For more on the subject, see the SCMedia eBook “Threat Hunting Essentials: How to Craft an Effective Process.”

Bill Brenner

Bill Brenner is VP of Content Strategy at CyberRisk Alliance — an InfoSec content strategist, researcher, director, tech writer, blogger and community builder. He was formerly director of research at IANS, senior writer/content strategist at Sophos, senior tech writer for Akamai Technology’s Security Intelligence Research Team (Akamai SIRT), managing editor for CSOonline.com and senior writer for SearchSecurity.com.
