We hear it from our customers or in conversations at trade shows all the time: It would be great to hunt cyberthreats, but there is simply not enough time or resources to pull it off effectively. Larger organizations with big security budgets often make hunting cyberthreats part of the incident response process or even have a dedicated threat hunting team. But for many organizations, it seems daunting to even know where to begin.
Despite these common challenges, threat hunting is incredibly important in today’s cyber landscape. A proactive cyberthreat hunting program can help analysts uncover unknown threats in the environment and gain a deeper understanding of the organization’s technical landscape. But the fact remains that getting a proactive and efficient threat hunting program off the ground can be a challenge for many organizations. What can they do to get started?
5 Tips for Building a Threat Hunting Program
A new SANS Spotlight titled “Thinking Like a Hunter: Implementing a Threat Hunting Program” dives into this challenge and explores how organizations can increase their maturity and start a successful threat hunting program. The paper provides a few key steps that security teams can follow to make their security more effective through threat hunting. Here are five key tips from the report.
1. Know Thy Enemy
Being purposeful about how you go about accomplishing a task may seem obvious (and applicable to many aspects of life), but it is still an important principle to remember for threat hunting. The report outlines the importance of understanding various attacker techniques and applying them to your security efforts. This is a crucial place to start because it makes hunting cyberthreats much more focused and effective.
A technique to learn about the enemy is often referred to as red teaming. This has been used within the intelligence community and military for decades to think one step ahead of attackers. While the term "enemy" in military and intelligence settings could refer to a nation-state actor or severe threat to national security, the same term for the private sector could mean cybercriminals, fraudsters and anyone that is attacking an organization for their own gain.
Thinking like the enemy is an effective way to understand the organization's attack surface and find ways to counter attackers before they strike. Leveraging resources such as authorized knowledge, information from previous incidents and external intelligence will help you better understand your enemy.
2. Learn What You Don't Know
Another key point for teams to understand goes along with understanding cyberthreat techniques: being aware of what you know and what you don't know. When starting a threat hunting program, the team should be able to quickly understand what is visible and what isn't. That visibility may be obvious to most, but identifying the gaps will give the team a clearer path to exploring the organization. Start with what you know and investigate what is visible, then go back to the hidden parts of the network as more information becomes available. The team can double back as visibility increases, giving you a solid plan for finding more and more information as the hunting goes on.
A popular starting point for a threat hunter is the MITRE ATT&CK framework, which can help you understand tactics, techniques and procedures (TTPs) as well as what is happening in your network. Using the MITRE ATT&CK framework benefits the security operations center (SOC) in many ways beyond guiding a threat hunt. It can also help security analysts determine their detection coverage and capability (or lack thereof) and assess overall exposure in terms of adversaries' own behaviors.
3. Start Specifically
Once the information landscape has been set and there is a clear picture of the known and unknown, the team can start carrying out hunts. The SANS Spotlight recommends launching hunts that target specific attacks initially. That way, you can examine a particular threat actor or threat and then model the next hunt after the information learned. This type of purposeful action can help track malicious activity faster and provide some early wins for the team.
Additionally, hunting this way provides you with a full threat hunting cycle: identify a threat, investigate how to take action, mitigate the threat, reflect on lessons learned and apply those lessons to your next hunt. This isn't an end-all-be-all approach, but it is a good way for a team that's just starting to threat hunt to make the best use of what is available to them, and it doesn't require a massive budget or a full-blown threat hunting team.
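Tips 2 and 3 above can be made concrete with a small gap analysis. The following is an added example, not code from the SANS paper or from the original post: it takes a constructed threat profile of ATT&CK techniques (the IDs are real ATT&CK technique IDs; the required log sources, the organization's collected sources and its existing detections are invented for illustration) and sorts each technique into "already covered", "visible but undetected" (the first specific hunts to run), "partially visible" (gaps to double back on) and "blind".

```python
from dataclasses import dataclass, field

# Constructed sample input. Technique IDs are real MITRE ATT&CK IDs; the
# log-source requirements, collected sources and detections are invented.
THREAT_PROFILE = {
    "T1566": ("Phishing", {"email_gateway"}),
    "T1059": ("Command and Scripting Interpreter", {"process_creation", "command_line"}),
    "T1003": ("OS Credential Dumping", {"process_creation", "process_access"}),
    "T1053": ("Scheduled Task/Job", {"process_creation", "windows_event_log"}),
    "T1021": ("Remote Services", {"auth_logs", "network_flow"}),
    "T1105": ("Ingress Tool Transfer", {"proxy_logs", "network_flow"}),
}
COLLECTED_SOURCES = {"process_creation", "command_line", "windows_event_log",
                     "proxy_logs", "email_gateway"}
EXISTING_DETECTIONS = {"T1566", "T1059"}


@dataclass
class HuntPlan:
    covered: list = field(default_factory=list)            # detection exists, data visible
    hunt_candidates: list = field(default_factory=list)    # visible but no detection: hunt first
    partial_visibility: dict = field(default_factory=dict)  # technique -> missing log sources
    blind: list = field(default_factory=list)              # no required source is collected


def plan_hunts(profile, collected, detections):
    """Classify each technique in the threat profile by visibility and coverage."""
    plan = HuntPlan()
    for tid, (_name, needed) in profile.items():
        missing = needed - collected
        if not missing:
            (plan.covered if tid in detections else plan.hunt_candidates).append(tid)
        elif missing == needed:
            plan.blind.append(tid)          # nothing to hunt on until logging is added
        else:
            plan.partial_visibility[tid] = sorted(missing)  # revisit once sources arrive
    return plan


def coverage_ratio(plan, profile):
    """Fraction of profiled techniques with both visibility and a detection."""
    return len(plan.covered) / len(profile)


if __name__ == "__main__":
    plan = plan_hunts(THREAT_PROFILE, COLLECTED_SOURCES, EXISTING_DETECTIONS)
    print(f"coverage: {coverage_ratio(plan, THREAT_PROFILE):.0%}")
    print("hunt first:", [THREAT_PROFILE[t][0] for t in plan.hunt_candidates])
    print("visibility gaps:", plan.partial_visibility, "blind:", plan.blind)
```

Running the sample yields a 33% coverage figure, one immediate hunt (Scheduled Task/Job) and a short list of log sources to onboard before the next cycle, which is the "known versus unknown" picture the text describes.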
4. Head on a Swivel
We know that attacks are constantly evolving and getting more complex. While it can be daunting from an incident response perspective, just being aware of this factor can be a huge advantage. When launching a threat hunt, understand that the information you have discovered about a particular threat or bad actor could change rapidly and could soon be old news.
At the same time, cyberattackers can always go back to old methods, so keeping old information is also crucial. The bottom line is that you should always have your head on a swivel and not rely only on the information you already know. As with a security team's blind spots, acknowledge stale intelligence and fill in the gaps when new information becomes available.
5. Help Is Out There
One of the simplest but most important things to remember is that you should make the most of the help available to you. Looking only at internal network data is not enough for a successful threat hunting program. Hunting teams should be equipped with external data sources and tools to validate and enrich what they are seeing from inside the network, quickly rule out false positives and distinguish minor, one-off threats from larger ones. Remember that help is available to your team and can make a huge difference when just getting the program off the ground. You are not alone in this hunt.
Your team may also want to consider help in the form of an individual solution. A threat hunter needs to be able to reach into their toolbox for solutions that enable them to be proactive. We consistently hear from customers and prospects that their analysts have too much data and not enough time or resources to investigate all of it, and the tools they have are too siloed. A way to combat this and be more effective is to employ a link analysis solution for threat hunting. The SANS Spotlight explains how link analytics for threat hunting can help with visualizing and displaying relationships. Such a tool is invaluable to a threat hunter when employed correctly.
You're On Your Way to Becoming a Threat Hunter
We often see customers make great strides in their overall security posture with threat hunting. The switch from being too reactive to more proactive is certainly a big one and can seem daunting, but a carefully constructed process can make all the difference. By refining your reactive cyber investigation process using proactive hunting methodologies, adding in some proactive threat hunting exercises and following the advice above, your security team can implement a robust program over time and overcome the challenges posed by the skills shortage and lack of budget.