Is the company monitoring and collecting the right data?
What data should the team keep and for how long?
Does the team trust all the rules, watchlists, and alerts from vendors and third parties?
Validation of true positives. Have the analytics been validated against an actual attack, ensuring that they will detect what’s expected? Without a true positive test case, purple teams are often lulled into a false sense of security as mistakes slip through the cracks. Examples include typos or syntax errors, a misinterpretation or false assumption made by the analytic author, or a misinformed or misrepresented attack in the threat intelligence source.
Confidence. How often do the analytics produce false positives? Make sure the team has an acceptable number of results. As in other areas of security, consider a defense-in-depth approach with multiple analytics covering the same techniques at different confidence levels. Also consider context: intelligence about what activities are “normal” can’t be gleaned from an alert or event log alone, so the team may need to enrich its analytics with other sources of data.
Robustness. How effectively do the analytics detect different variations of an attack? These variations are often very subtle, such as command line parameters appearing in a different order or the use of additional spaces. Keep in mind that as an analytic becomes more robust, it may also pick up more false positives.
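The three checks above (true positive validation, confidence, robustness) can be exercised against a labelled set of events. The following is an added example written for this page, not code from the original article or from any vendor: it compares a brittle substring rule with a token-based rule for one simulated technique (local account creation with net/net1), over constructed process-creation events that the purple team has labelled as attack or benign. The event set, the two rules and the evaluate() helper are all assumptions made for illustration, not a real product's analytic.

```python
"""Added example (not from the original article): score a brittle and a
robust detection analytic against labelled, constructed events."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    cmdline: str
    is_attack: bool  # ground-truth label recorded during the purple-team exercise


# Constructed process-creation events, not real telemetry. The is_attack=True
# rows are variants of the same simulated technique; the others are benign
# activity an analytic might mistakenly fire on.
EVENTS = [
    Event("net user svc_backup Passw0rd! /add", True),                   # baseline true positive
    Event("net  user   svc_backup Passw0rd! /add", True),                # extra spaces
    Event("net user /add svc_backup Passw0rd!", True),                   # different parameter order
    Event("NET USER svc_backup Passw0rd! /ADD", True),                   # different case
    Event(r'"C:\Windows\System32\net1.exe" user svc_backup Passw0rd! /add', True),  # net1 via full path
    Event("net user", False),                                            # listing accounts
    Event("net user svc_backup", False),                                 # querying one account
    Event(r"net use Z: \\fileserver\share", False),                      # mapping a drive
    Event("netstat -ano", False),                                        # unrelated tool
    Event("echo 'net user x y /add'", False),                            # text that merely mentions the command
    Event("net user jsmith Welcome1 /add", False),                       # legitimate helpdesk onboarding
]


def brittle_analytic(cmdline: str) -> bool:
    """Substring rule as an analyst might first transcribe it from a report.
    Misses reordered, re-spaced and re-cased variants, and fires on any
    string that merely contains the words."""
    return "net user " in cmdline and "/add" in cmdline


_ACCOUNT_TOOLS = {"net", "net.exe", "net1", "net1.exe"}


def robust_analytic(cmdline: str) -> bool:
    """Token-based rule: normalise whitespace, quoting, case and the image
    path, then require the image, the 'user' subcommand and the /add switch
    regardless of where /add appears among the arguments."""
    tokens = [t.strip("\"'").lower() for t in re.split(r"\s+", cmdline.strip()) if t]
    if len(tokens) < 3:
        return False
    image = tokens[0].replace("/", "\\").rsplit("\\", 1)[-1]
    return image in _ACCOUNT_TOOLS and tokens[1] == "user" and "/add" in tokens[2:]


def evaluate(analytic, events):
    """Count true positives, false negatives and false positives for one
    analytic over labelled events (the purple team's validation step)."""
    tp = sum(1 for e in events if e.is_attack and analytic(e.cmdline))
    fn = sum(1 for e in events if e.is_attack and not analytic(e.cmdline))
    fp = sum(1 for e in events if not e.is_attack and analytic(e.cmdline))
    return {"true_positives": tp, "false_negatives": fn, "false_positives": fp}


if __name__ == "__main__":
    for name, analytic in (("brittle", brittle_analytic), ("robust", robust_analytic)):
        print(name, evaluate(analytic, EVENTS))
```

The robust rule catches every attack variant but still fires on the legitimate onboarding event, which is the trade-off the text describes: the remaining false positive cannot be resolved from the command line alone and needs enrichment (who ran it, from which host, against which change ticket) rather than a looser or tighter string match.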
Common management and leadership. Define collective goals that drive risk reduction across the cyber defense team.
Processes that encourage frequent communication. Break down silos and encourage integrated approaches across historically separated operational teams.
Metrics that track and encourage collaboration. Incentivize openness in reporting measurements and gamify the experience where possible.
Functions that build upon previous activities to remove risk from the system. Take advantage of existing data sources and tools and optimize risk activities across the cybersecurity program portfolio.
Cloud threat hunting is a proactive approach for finding and remediating undetected attacks in multi-cloud environments. The process involves searching for indicators of compromise (IoCs), then investigating, classifying, and remediating the threats found.
In a CyberRisk Alliance virtual event, Casey Ellis, the founder, chairman and CTO of Bugcrowd, speaks with SC Media Senior Reporter Joe Uchill about threat hunting while an organization's employees work from home.