Threat Hunting is the next stage of evolution for organizations seeking to advance their cyber defence strategy. It is an indicator that an organization considers its security practices, mature enough, to pro-actively venture out to hunt for threats within their organization infrastructure.
SANS Institute defines threat hunting as, a focused and iterative approach to searching out, identifying and understanding adversaries internal to the defender’s networks. Threat hunters focus their search on adversaries who have those three characteristics and who are already within the networks and systems of the threat hunters’ organization, where they have authority to collect data and deploy countermeasures.
Before engaging into the practice of threat hunting, an organization needs to ensure that they have a robust and mature Security Operations Centre (SOC) and Computer Incident Response Team (CIRT). In terms of resources, an effective threat hunting practice should be comprised of following, at minimum:
Tools:
- Endpoint detection and response (EDR)
- Network forensics tools (NFT)
- User and entity behaviour analytics (UEBA)
- Host forensics tools
- Threat-hunting specific tools
- Threat intelligence
- SIEM and log management
People with following skills in following categories:
- Systems
- Security
- Data Analysis
- Creative Thinking
Data on:
- Environment
- Threats
Gartner defines three approaches an organization can implement to practice threat hunting:
- Long Hunting: A single hunt spanning a day or even a week, essentially a compromise assessment; learn and refine, and then evolve to an ongoing process
- Ad-Hoc Hunting: An occasional ad hoc hunting activity, in between monitoring (at a SOC) or between response activities (at a CIRT).
- Service Provider: Engage with a service provider promising “managed hunting,” likely a managed detection and response (MDR) provider.
The end result of any threat hunting activity is proactive incident response and SOC enrichment. A successful threat hunting practice translates into reduced incident loss and faster incident response as business benefits.
As mentioned above, threat hunting is an advanced security capability that builds upon mature SOC and CIRT. It is analyst-centric and requires people with good understanding of security and creative thinking. Proper business case should be developed before organizations dive into threat hunting.
The following infographic summarizes the above mentioned requirements:
This was a bird’s eye view introduction of Threat Hunting. To know more about Threat Hunting participate in participate in DSCI’s Threat Intelligence and Research Initiative (Ti&R). Drop us a mail at tir@dsci.in.
Threat Hunting would also be discussed actively in DSCI-NASSCOM Annual Information Security Summit (AISS) 2017. To know more about AISS 2017 and registration visit www.dsci.in/aiss-2017/