September 21, 2021

How to Mature Threat Hunting Programs

Having threat hunting capabilities is becoming a standard for most cyber security programs. The traditional approach of assuming detections/blocks will suffice and having a reactive process has buckled under the recent attacks, especially ones that leveraged vulnerabilities in the last year. Even top cyber security products have built up their own threat hunting capabilities to enhance their platform.

Top 3 wins when developing a threat hunting program:

  1. Proactive Mindset + Low Repetition  
  1. Forced Detection Growth + Higher Fidelity
  1. Stronger Response Capabilities

There are plenty of benefits to developing a threat hunting program and one of the biggest ones is preventing burn out. Over time analysts will develop alert fatigue and miss threats or start searching for a new job to get out of the continuous loop. Threat hunting lets them leverage their skills and build knowledge of the environment at the same time, which is much less repetitive than focusing solely on handling alerts. Through their work they can identify detection maturity opportunities and/or net new detections based on behaviors they observe and Through their threat hunting activities, the team will continuously gain a broader understanding of the environment allowing them to respond to incidents more effectively and minimize the overall impact.

How to mature your threat hunting program:

When looking at ways to start and/or mature your program you want to break out your maturity in three pieces: People, Process, and Technology. A common pitfall is focusing on only one or two of these. There needs to be a strong balance across all three to have a program that continues to build upon itself. The following breakdown below is a way you can look at setting up different levels across these three pillars. You would want to tweak the levels based on your business and ensure the progression plan is achievable and quantifiable.  

People

Level 1 - Entry - 1-2 Years Experience, SIEM and EDR Analysis and Infrastructure Experience

Level 2 – Junior - 2-3 Years Experience, Detection Creation Experience and Red Team Exposure

Level 3 – Senior - 3-5 Years Experience,  Experience Running Hunts from varying complexities

Level 4 – Principal - 5+ Years Experience, Strong understanding of the environment and multiple years of experience conducting hunts in the environment

Defining different tiers of ‘threat hunters’ internally is a critical step. The fundamental skillsets for a threat hunter would be detection understanding, incident response experience, attacker mindset, threat centric mindset, and threat hunt exposure. It’s a complex mix of skills which is why you will typically want to have a Senior or Principal threat hunter coaching the team members. If that’s not an option enabling a stronger collaboration between teams (e.g., red team, threat intel, etc.) and/or leveraging partners will get you there.

Process

Level 1 - Threat Hunter – Creating and executing hunts. Minimal Tracking/Reporting.

Level 2 - Dedicated R&D Team, Team of Threat Hunters. High visibility reporting.  

Level 3 - Integrated Red Team, Dedicated Detection Team. Mostly Automated Processes.  

Level 4 - Red Team Tests, Focused Hunts, Automated Process/Collaboration.

It’s important to have a simple and achievable process, one that you can continue to automate to increase the impact it has across the team. Often, teams will only focus on the process versus the actual threat hunt, so it’s important that there is a good balance between execution and improvement.

Technology

Level 1 – Basic – SIEM or EDR

Level 2 – Above Average - SIEM + EDR + Firewall + IDS/IPS + Threat Intel

Level 3 – Exceeding Expectations - SIEM + EDR + Firewall + IDS/IPS + DNS + Threat Intel + Scripts  

Level 4 – Defining the Standard - SIEM + EDR + Firewall + IDS/IPS + DNS + Threat Intel + Scripts + Machine Learning + Deep End Point Logs: Sysmon / OSQuery / Tanium

Then finally, technology. Having a strong set of tools will enable better hunting and stronger context. This doesn’t mean you need all the tools and visibility to start threat hunting. You can focus on what you have (e.g., DNS, firewall, etc.) and build upon that as you increase visibility. You may be limited on the ‘people’ portion of the equation and need to lean into what they are familiar with while you build your program.

Steps:

  1. Create your own levels for People, Process, and Technology
  1. Assess the level of where your business currently stands in each pillar

           E.g., three Level 1 employees, and one Level 4 employee  

  1. Identify the biggest steps that would improve your capabilities

            E.g., if you have the resources but lack the automation, would a platform enable your team to have stronger outcomes?

  1. Create Analytics / Reports around the team’s maturity and outcomes
  1. Rinse and Repeat

The above steps would be one approach, it all comes down to being efficient and reporting the required data to leadership to show the value of investing in your threat hunting capabilities.  

In conclusion, Threat hunting is not an easy or quick challenge to take on, however, it is an important challenge to address and build upon. We will be posting additional blogs that dig deeper into the topics touched on throughout this blog (people, process, and technology). We are also available to augment your capabilities, provide a maturity review, and/or help you build your program.

If you have questions about threat hunting or need help with a current incident, you can contact a MOXFIVE Technical Advisor at ask@moxfive.com or use our Contact form.

Michael Rogers

Michael Rogers is a Sr. Director of Technical Advisory Services at MOXFIVE where he provides strategic advisory services and solutions to large enterprises during and after impactful incidents. He holds a master’s degree in cyber security and is accredited through SANS for the GCFA, GCIA, GDAT, and GOSI certifications. He has had a wide range of experience from building and managing global Security Operation Centers, Threat Hunting Teams, DevOps Teams, and Infrastructure Teams.

Experts predict there will be a ransomware
attack every 11
seconds in 2021.
from Cybercrime Magazine
Our mission is to minimize the business impact of cyber attacks. 

HOW WE CAN HELP

Incident Response

MOXFIVE provides the clarity and peace of mind needed for attack victims during the incident response process. Our platform approach enables victims of attacks to work with a Technical Advisor who provides the expertise and guidance needed in a time of crisis, and facilitates the delivery of all technical needs required, consistently and efficiently.

Learn More

Business Resilience

With experience on the front lines responding to incidents daily, MOXFIVE Technical Advisors have the unique ability to connect the dots between business, information technology, and security objectives to help you quickly identify the gaps and build a more resilient environment.

Learn More