Thursday, October 10, 2019

Creating Measurable Cyber Threat Hunting Outcomes

Threat hunting is an activity in which cyber security team members proactively look for indicators and artifacts of potential compromise that may not be covered by existing tools or might have bypassed existing controls. It’s the flip side of reactively responding to suspicious events. This can be a value-add activity to any security program. I’m a fan. 

That said, threat hunting also can be an isolated activity that distracts otherwise productive time in pursuit of that ever elusive cool factor around threat hunting. The key is to put threat hunting in the right contexts to be successful. 

Those contexts?

Incident Response.

Automated Observability.

There is no good order for prioritization of these contexts as they are somewhat intertwined. 

Incident Response: Building a threat hunting capability should be the next step after building a robust incident response capability and then it should remain closely tied together thereafter. If threat hunting finds indicators or artifacts of compromise, you’ll need to respond to whatever is found. Threats that just end up on some unprioritized backlog don’t push the cyber security program forward. 

If you don’t have a robust incident response capability, perhaps any time and resources spent on threat hunting might be more valuably spent in building additional capability in incident response. Something to consider at least.

If your incident response maturity warrants a threat hunting capability and you only have the capacity for informal or ad-hoc hunting, results can be rolled right into the regular incident response measures and metrics. 

Automated Observability: Most articles describe threat hunting as a very manual, somewhat undirected process. It can be...both. These same articles and posts invoke mental images of an anlyst pouring through reams of log data looking for…well…whatever they might find. 

A more productive and measurable approach might involve increasing your observability (meaning things that you can see and generate alerts) in an automated way. Codifying your hunts into repeatable SIEM rules and alerts will bring value not just for a given hunt but also provide a rule that will always be hunting even when you are not. No more manual activity needed to find the codified governance activity. 

Rules created as a threat hunting outcomes can also be defined, prioritized, and measured in a way that manual threat hunting can’t. 

How many proactive rules have been created? What are the goals? What is the current and future state of observability?  Which of the new rules have fired?  The sky is the limit.

By investing time in automation, you can clearly show present and future value for the cybersecurity program that would be difficult with a purely manual approach. You can also integrate tightly with threat intelligence indicators, audit results, and any red team input that you might have to prioritize your focus areas for rules. 

Good hunting!

Follow me on Twitter for discussion and the latest blog updates: @Opinionatedsec1. Or, start your own discussion using #crazygoodcyberteams on twitter or Linkedin and I'll read it.


No comments:

Post a Comment