How to Start Threat Hunting

We’ve just wrapped up our first ever Inside the Hunt Virtual Threat Hunting Summit and were blown away by the fantastic engagement from everyone who attended (here’s the replay if you missed it).

Of the many great questions submitted by the audience, one stood out most prominently:

Learning to start threat hunting can be fun, and this image shows threat hunters illustrated in the style of a video game to make the point.

“How do I start threat hunting?”

We’ve seen time and time again that building a threat hunting program is a challenge for companies of all sizes, both due to the relentless demands already placed on security teams and due to the range of skills and expertise required to be effective. We caught up with our threat hunting panelists (and consulted our go-to security operations manual), and came up with the following tips to help you get started:

 

Assemble Your Team

Our panelists agreed: The perfect threat hunter rarely exists. Threat hunting requires skills ranging from threat intelligence analysis, malware analysis, penetration testing, data science, machine learning and business analysis, plus knowledge of all the systems and data in place at the organization. Threat hunters must also be great communicators who can share their findings and help support the business case for continued threat hunting resources. Rather than trying to create (or hire) individual rockstar threat hunters who can do all of this, you are better served assembling a team made up of curious, analytical problem solvers who possess these skills collectively and are interested in developing them further.

Another important trait of successful threat hunters is a desire to keep learning. Threats constantly evolve, so threat hunters must commit to keeping their knowledge up to date by following researchers, engaging in online communities and attending industry forums, allowing them to learn about new tactics and vulnerabilities. 

Our panelists discuss their strategies for sharpening their threat hunting skills.

 

Once you’ve identified your team members, you must put the process and structure in place for them to be able to hunt. Most organizations cannot afford dedicated hunting staff but need to allot committed time for threat hunting. This can be allocated as a few hours per day or week, or people on the team can be tasked with threat hunting for specific time periods on a rotating schedule. 

Does your team lack the skills or the time to dedicate to threat hunting? You may be a candidate for a managed threat hunting service.

 

Get Your Data In Order

Per panelist Andre Ludwig, Chief Product Officer of Bricata, “No data, no hunt.” Having the right logging infrastructure – including detection capabilities across endpoint, network and cloud – is a foundational step to enable threat hunting. Any gaps in your visibility open you up to vulnerabilities that your threat hunters will have no way to find.

These logging tools generally will aggregate data in a data lake, which is where threat hunting is most often performed. Your threat hunters will be more efficient if the data is consistent, structured and flexible for all the ways they want to use it – much of which is driven by auto-tagging using security tools such as a NGFW. Threat hunters typically will require query access to a data lake, APIs and visualization tools to perform their hunts.

 

Develop a Hypothesis, Then Test It

Structured hunting tends to be the most useful approach for organizations. This takes the form of goal-oriented sprints that last no longer than two weeks. Each hunt should start with a piece of intelligence and a hypothesis. This could be a new vulnerability or threat that should be investigated to see if it impacts the organization or an unusual behavior. It could also be as simple as following up on a malware outbreak to make sure it has been fully remediated. Then, threat hunters conduct some form of pen testing, simulation or red team exercise to see what they can discover. Teams may uncover misconfigurations, vulnerabilities and malicious activity through these exercises.

Structured hunting should be process-driven but follow an agile methodology. Hunters should understand what automated processes, alerts and behavior analysis have already been performed on the data so as not to duplicate efforts. Threat hunting can lead down many rabbit holes, which requires agility – but there should be a formal process in place to guide the hunt and pull back from the rabbit holes as needed. If the two weeks are exhausted without progress, then you must move on.

 

Remediate and Document

At the end of the hunt, documentation should be shared with the SOC (and with relevant business stakeholders) about what was done in the hunt and what was learned. If a conclusion was reached, then updated prevention should be fed back into the controls to automatically detect or block the threat. The hunt may also end when the two-week hunt period has been exhausted without a conclusion, which still requires documentation about what was done. 

Our panelists offer additional advice for organizations that want to start threat hunting.

 

Learn More About Threat Hunting

This is just one of the many topics our panelists shared their insights on. Watch the replay of our Inside the Hunt Virtual Threat Hunting Summit today for more useful information and tips that will help level up your organization’s threat hunting capabilities.


Secure Today,
for a Better
Tomorrow
Join us at IGNITE’20