How to start Threat Hunting (even if your team is small!)

Common Pitfalls

As with many trends in infosec, management will always be pushing the latest and greatest security technologies or fads before they have mastered the basics. Unfortunately, Threat Hunting is no different.

Trying to fly before you can run

This is the most important point for small teams. If you are being asked why you or your team aren’t threat hunting, don’t feel pressured to drop everything and start. Threat Hunting is a mature function which requires lots of resources and visibility into the business. There are many fundamental controls and functions that blue teams should tackle before addressing hunting. Threat Hunting probably falls into the Intelligence/Active Defense tiers of The Sliding Scale of Security by Robert M. Lee which demonstrates the value vs cost of security functions.

The Sliding Scale of Security — Robert M. Lee

Process

You may be asked in a common knee jerk reaction, “I heard about X threat, are we okay?” and “Did you see any abnormalities in the network” etc… Threat Hunting isn’t just a reactive process. It requires planning and time to proactively and methodically search in the enterprise. Those questions could be a catalyst to organise a hunt, but don’t let open-ended questions from management rush a hunt!

Data, data, data

Hunting without data or a way to generate the datasets you need is a major problem. Having access to logs or support from the business to get what you need is a must.

Full Automation

Putting it simply, if we could fully automate threat hunting, then it would be just another detection method like a SIEM rule. This undermines the main reason to hunt; to find threats that weren’t detected by existing controls. This doesn’t mean you shouldn’t automate data collection or data processing, it just means there will always require a human doing the analysis.

Getting Started

Let’s get started! There are other threat hunting process frameworks, but I’ve tried to keep it as simple as possible to maximize accessibility by extending the simple 3 step process by Joe Ten Eyck (Building a Threat Hunting Framework for the Enterprise).

1. Prepare

What are we looking for? Where do we find it?

  • Start researching and understanding the TTPs associated with the hunt,
  • And start to scope out the data required (Can you get the data you need?)
  • Situational awareness
  • Domain expertise

2. Find

How do we find it? Can we test it?

  • Requires time for experimentation and data acquisition/analysis
  • Assess visibility and current controls via Atomic Red Team tests (see below)
  • Assessing existing controls and detections to provide feedback loop during hunting.

3. Communicate

Review the hypothesis, document findings and present to the team. The output of each hunt can vary immensely. It may include one or more of the examples below:

  • New detection rule in SIEM based on analytics created in hunts
  • Update to Group policy to harden identified gap
  • Identified gaps in visibility that affected the hunt
  • Lessons learnt and reflection for the next hunt

TheTheatHuntLibrary

So now you know what you need to do, where do you go from here?

Documentation

An important part of Threat Hunting sustainably is to create clear and concise documentation, in case someone needs to repeat your work, or take over from where you left off.

Conclusion

I hope this gives people out there a bit of a kick start if they haven’t gotten around to starting to threat hunt as there are many merits to having this function as part of your blue team exercises.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store