Gartner defines ‘Threat Hunting’ as “an analyst-centric process that enables organizations to uncover threats missed by automated preventative and detective controls”. It is analyst-centric rather than technology-centric. Organizations that have invested heavily in market-leading security technology cannot ignore the human element: a skilled ‘hunter’ performing threat hunting complements the detection capabilities of traditional security operations.
Threat Hunting capability development framework
IT security leaders should adopt a well-defined framework, depicted in the diagram below, to develop threat hunting capabilities.
Business executives and cross-functional leaders should understand the outcomes of threat hunting, since it lies beyond current security monitoring and detection capabilities. The purpose of threat hunting is to make the business aware of unknown cyber threats and to prepare the organization to enhance its incident response processes.
As per the framework, the organization defines the objectives of the threat hunting capability, including: the scenarios it serves (such as IR engagement refinement, situational awareness, M&A due diligence, determining the unknowns, etc.); the frequency (one-time, periodic or continuous threat detection); and the scope boundaries (number of endpoints, network ingress/egress points).
Development of the capability depends on these objectives and desired outcomes: implementing security tools (such as EDR, SIEM, NDR, NTA, etc.); recruiting or upskilling the right talent, or outsourcing to a skilled provider; and documenting the threat hunting process, procedures, guidelines and ethics. Bringing the capability to life in operations requires designing hypotheses to drive searches that traditional threat detection solutions cannot perform, using indicators (such as IP addresses, domains, hashes, etc.), watch lists and TTPs (tactics, techniques and procedures), and adopting best practices (such as MITRE).
Maturing threat hunting capabilities involves wider participation by stakeholders across the organization so that they are prepared during a cyber crisis. This requires enhanced use cases aligned with real-world scenarios to continually improve the early detection process.
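As an added illustration (not from the original article) of the operational step above, the following Python runs a hypothesis-driven hunt over constructed endpoint telemetry: a watch-list check for known indicators alongside a TTP-style behavioural check that stacks parent/child process pairs across hosts to surface the rare ones. The event fields, host names, addresses and the rarity threshold are assumptions.

```python
"""Hypothesis-driven hunt over constructed endpoint telemetry: watch-list
indicator matching plus a behavioural check (parent/child process stacking)."""
from collections import defaultdict

# Constructed sample telemetry (not real data): one record per process start.
EVENTS = [
    {"host": "ws01", "process": "outlook.exe", "parent": "explorer.exe", "dest": "203.0.113.10"},
    {"host": "ws01", "process": "chrome.exe",  "parent": "explorer.exe", "dest": "198.51.100.7"},
    {"host": "ws02", "process": "outlook.exe", "parent": "explorer.exe", "dest": "203.0.113.10"},
    {"host": "ws02", "process": "chrome.exe",  "parent": "explorer.exe", "dest": "198.51.100.7"},
    {"host": "ws03", "process": "outlook.exe", "parent": "explorer.exe", "dest": "203.0.113.10"},
    {"host": "ws03", "process": "svchost.exe", "parent": "winword.exe",  "dest": "192.0.2.44"},
]

# Constructed watch list of indicators (IP addresses / domains) such as an
# organisation might load from its cyber threat intelligence feed.
WATCHLIST = {"192.0.2.44", "bad.example"}


def indicator_hits(events, watchlist):
    """Known-bad hunt: return events whose destination is on the watch list."""
    return [e for e in events if e["dest"] in watchlist]


def rare_parent_child(events, max_hosts=1):
    """Hypothesis-driven hunt: a parent->child process pair seen on only a few
    hosts is an outlier worth an analyst's attention (frequency stacking)."""
    hosts_by_pair = defaultdict(set)
    for e in events:
        hosts_by_pair[(e["parent"], e["process"])].add(e["host"])
    return sorted(pair for pair, hosts in hosts_by_pair.items()
                  if len(hosts) <= max_hosts)


def hunt(events, watchlist):
    """Run both hunts and return the findings keyed by hunt type."""
    return {"indicator": indicator_hits(events, watchlist),
            "rare_pair": rare_parent_child(events)}


if __name__ == "__main__":
    for kind, findings in hunt(EVENTS, WATCHLIST).items():
        print(kind, findings)
```

The indicator check only finds what the watch list already names; the stacking check is what surfaces "the unknowns" the article refers to, and its threshold should be tuned to the size of the estate.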
Human element – demonstrate success with threat hunters
Enterprises require professional threat hunters to demonstrate success and should identify the relevant experience, expertise and skill sets. Security analysts doing threat hunting should have a solid understanding of IT environments and business landscapes, and should adhere to ethical practices. The recommended qualifications, skill set and certifications for a threat hunter are depicted in the diagram below.
Increased adoption of digital business, together with technology advancements consumed by bad actors, makes threat hunting a ‘must have’ program. Cyber threat intelligence enables security analysts with data enrichment; however, good programming and coding skills help the threat hunter uncover the unknowns.