Threat hunting is an activity in which cyber security team members proactively look for indicators and artifacts of potential compromise that may not be covered by existing tools or might have bypassed existing controls. It’s the flip side of reactively responding to suspicious events. This can be a value-add activity to any security program. I’m a fan.

That said, threat hunting also can be an isolated activity that distracts otherwise productive time in pursuit of that ever elusive cool factor around threat hunting. The key is to put threat hunting in the right contexts to be successful.
Those contexts?

Incident Response.

Automated Observability.

There is no good order for prioritization of these contexts as they are somewhat intertwined.
Incident Response:

Building a threat hunting capability should be the next step after building a robust incident response capability, and the two should remain closely tied together thereafter.
If threat hunting finds indicators or artifacts of compromise, you’ll need to respond to whatever is found. Threats that just end up on some unprioritized backlog don’t push the cyber security program forward.

If you don’t have a robust incident response capability, perhaps any time and resources spent on threat hunting might be more valuably spent in building additional capability in incident response. Something to consider at least.

If your incident response maturity warrants a threat hunting capability and you only have the capacity for informal or ad-hoc hunting, results can be rolled right into the regular incident response measures and metrics.
Automated Observability:

Most articles describe threat hunting as a very manual, somewhat undirected process. It can be...both. These same articles and posts invoke mental images of an analyst poring through reams of log data looking for…well…whatever they might find.

A more productive and measurable approach might involve increasing your observability (meaning the things that you can see and generate alerts on) in an automated way. Codifying your hunts into repeatable SIEM rules and alerts will bring value not just for a given hunt but also provide a rule that will always be hunting even when you are not. No further manual activity is needed to repeat a hunt once it has been codified.

Rules created as threat hunting outcomes can also be defined, prioritized, and measured in a way that manual threat hunting can’t.
How many proactive rules have been created? What are the goals? What is the current and future state of observability? Which of the new rules have fired? The sky is the limit.
By investing time in automation, you can clearly show present and future value for the cybersecurity program that would be difficult with a purely manual approach. You can also integrate tightly with threat intelligence indicators, audit results, and any red team input that you might have to prioritize your focus areas for rules.
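The two ideas above, codifying a hunt into a rule that runs on its own and then measuring how many rules exist and which of them fired, are easier to see in code. The following is an added example written for this post, not code from the original author; the pipe-delimited log format, the two rules, the sample events and the rule metadata (name, goal, source, created date) are all constructed for illustration, and a real deployment would express the same logic in the SIEM's own rule language.

```python
"""Codifying ad-hoc threat hunts as repeatable rules with measurable outcomes.

Added example, not from the original post. The log format, rules and sample
events are constructed for illustration only.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List

# Constructed sample authentication events, one per line, pipe-delimited.
# Fields: timestamp | user | source_ip | action | outcome
SAMPLE_LOGS = """\
2024-03-04T02:13:07Z|svc_backup|10.0.5.21|logon|success
2024-03-04T02:15:42Z|admin_jdoe|203.0.113.9|logon|failure
2024-03-04T02:15:50Z|admin_jdoe|203.0.113.9|logon|failure
2024-03-04T02:16:01Z|admin_jdoe|203.0.113.9|logon|failure
2024-03-04T02:16:20Z|admin_jdoe|203.0.113.9|logon|success
2024-03-04T09:30:00Z|alice|10.0.7.14|logon|success
2024-03-04T23:05:11Z|admin_root|10.0.1.2|logon|success
"""


@dataclass
class Event:
    ts: datetime
    user: str
    src: str
    action: str
    outcome: str


def parse_logs(text: str) -> List[Event]:
    """Parse the constructed log format into Event objects."""
    events = []
    for line in text.strip().splitlines():
        ts, user, src, action, outcome = line.split("|")
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            user, src, action, outcome))
    return events


@dataclass
class HuntRule:
    """A hunt that has been codified: what it looks for, where the idea came
    from (hunt, threat intel, audit, red team) and the check itself."""
    name: str
    goal: str
    source: str
    created: str
    check: Callable[[List[Event]], List[str]]  # returns a list of findings


# Rule 1 (constructed): successful privileged logons outside 08:00-18:00.
def admin_offhours(events: List[Event]) -> List[str]:
    return [f"{e.user} from {e.src} at {e.ts.isoformat()}"
            for e in events
            if e.user.startswith("admin_") and e.outcome == "success"
            and not 8 <= e.ts.hour < 18]


# Rule 2 (constructed): a burst of failures followed by a success from the
# same user/source pair, a pattern a manual hunt would otherwise re-check.
def failures_then_success(events: List[Event], threshold: int = 3) -> List[str]:
    failures = defaultdict(int)
    findings = []
    for e in sorted(events, key=lambda x: x.ts):
        key = (e.user, e.src)
        if e.outcome == "failure":
            failures[key] += 1
        elif e.outcome == "success":
            if failures[key] >= threshold:
                findings.append(f"{e.user} from {e.src}: "
                                f"{failures[key]} failures then success")
            failures[key] = 0
    return findings


RULES = [
    HuntRule("admin-offhours-logon", "privileged access at unusual hours",
             "hunt", "2024-02-20", admin_offhours),
    HuntRule("failed-then-successful-logon", "credential guessing that worked",
             "threat intel", "2024-03-01", failures_then_success),
]


def run_rules(events: List[Event], rules: List[HuntRule] = RULES) -> Dict[str, List[str]]:
    """Run every codified hunt over the events; the rule hunts even when nobody is."""
    return {r.name: r.check(events) for r in rules}


def observability_metrics(results: Dict[str, List[str]],
                          rules: List[HuntRule] = RULES) -> dict:
    """Answer the measurement questions: how many rules, from where, which fired."""
    fired = sorted(name for name, findings in results.items() if findings)
    return {
        "rules_created": len(rules),
        "rules_by_source": dict(Counter(r.source for r in rules)),
        "rules_fired": len(fired),
        "fired": fired,
    }


if __name__ == "__main__":
    res = run_rules(parse_logs(SAMPLE_LOGS))
    for name, findings in res.items():
        print(name, findings)
    print(observability_metrics(res))
```

Each rule carries its goal and its origin, so the same registry that runs the hunts also reports how many proactive rules exist, which inputs (hunts, threat intel, audits, red team findings) produced them, and which have fired; those are the numbers that make an automated hunting program measurable in a way a one-off manual hunt is not.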
Good hunting!
Follow me on Twitter for discussion and the latest blog updates: @Opinionatedsec1. Or, start your own discussion using #crazygoodcyberteams on Twitter or LinkedIn and I'll read it.