Being tasked with developing a threat hunting program can be overwhelming and tedious, or it can be really simple if you have the right resources and a clear understanding about the program goals. In November, I was given a new role as a threat hunter for my company. While this was a great opportunity and just what I was hoping for, I had my work set out for me to understand exactly what our company needed in that area. Coming from a background in computer forensics, threat hunting sounded relatively straightforward. However, there is still a lack of clarity around threat hunting as an operation.
Operationalizing something so it is consistent and repeatable is a big task when there aren’t any internal resources to use for development. One of the perks of developing a program from scratch is the ability to craft it into what the business needs. While a lot of threat hunting tools may promise to do the job for you, they are a simplified solution that is created for everyone to use. They aren’t personalized and tuned into the business and department needs. They might be great tools to utilize in the future when the threat hunting program is developed and fully functional, but having the team behind a tool is going to empower your security operations to function at a whole new level.
Knowing what tools are needed for a successful threat hunting program is something that should be identified after the program has been developed and is successfully operating.
What if you don’t have a threat hunting program? Is your company ready for a threat hunting program? What is stopping your team from threat hunting? Understanding the needs of the company and your current security maturity model are the first steps, but often companies think they are limited due to a lack of dedicated resources or budget for tools.
I can attest to the fact that one person can develop a threat hunting program and still complete daily tasks. Treat the program development as a project and dedicate a set amount of time to it each day and you will be amazed by the results. On the other hand, you don’t need a bunch of expensive tools for threat hunting. Sifting through the available resources, however, is a tedious task and since I already had to do it anyway, I am sharing some of my experiences and advice at the ITAC Threat Intelligence Summit in San Diego, California on July 23rd, 2018. While I hope this article can give you the inspiration your team needs to get started, I really hope you can make it to the summit and catch my presentation that is loaded with additional information.
Whenever you research threat hunting, you will find a lot of material. Digging through this material and organizing it into something that is functional is a chore. Luckily, I was able to dedicate the time to complete this task and utilize the material to create a threat hunting manual for our team to use. While the manual was a great first step, there were still other aspects that needed to be covered such as documentation. Documenting a clear plan for each threat hunt, the anticipated schedule, and the threat hunt results are all important to improving the program over time as well as increasing the security of the company.
As someone who loves documenting and metrics, my goal was to make sure that our program was consistent, repeatable, and reportable. I remember one of the first things I asked when I was given my new threat hunting role was how I could report and measure my work as a threat hunter. I was told that threat hunting was an art and was not measurable. I didn’t like that answer, so I set out to find out how others were measuring and documenting their work for metrics. There is not an industry standard, so develop these materials to fit your needs. I will be sharing some of my examples during my presentation.
One of the biggest components of threat hunting is cyber threat intelligence. If you aren’t generating it, you are consuming it in one way or another. The cyber threat intelligence you gather is what should help your team to direct their threat hunt. Understanding the threat landscape and your own environment will help you to understand what an adversary is more likely to target. It would be great to have the time and resources to scour every inch of our environments for potential undetected intrusions, but that is unrealistic.
We need cyber intelligence to narrow the scope of our threat hunts so we can be more efficient and effective. Some threat hunts may return without any evidence of an intrusion, and that isn’t terrible. We have to keep in mind that failure to find evidence to support our hypothesis while hunting is not a failure of a hunt so long as we have sufficient data sources. Threat hunting is also useful for documenting how to detect threats that may subvert our security controls; it can also help us to identify and correct misconfigurations that a security system won’t detect.
These are just a few of my observations and experiences with threat hunting. My team may be small, but we are still able to find success in our hunts and have made the process work for the team. I want to note that experience level, size of the team, or any other potential deterrent you may face in developing a threat hunting program should not factor in to your decision to develop a threat hunting program. I’m new to the cybersecurity field and at the time of development, I was the only analyst operating on the team. Know what resources you have available on your team and assess their skills and potential for the role.
Dedicate small amounts of time each day to research and piece everything together. I am looking forward to the ITAC Threat Intelligence Summit so that I can share more about my experiences while developing our threat hunting program for you to use to develop your own. There are so many great resources out there and I will be highlighting the most helpful for our team and how we are able to utilize them. Developing a threat hunting program may be challenging, but it doesn’t have to be.
Jessa will be speaking at the upcoming Threat Intelligence Summit at MISTI's ITAC Conference in San Diego, California. Here's everything you need to know to attend the event.