Getting Ready to Hunt for Threats
Learn how to prepare to hunt for threats in Part 2 of our Guide to Threat Hunting series.
Our first post in the series covered some of the fundamental concepts of threat hunting. Once you understand cyber threats and have established reliable (internal and external) sources of threat intelligence, it’s time to start preparing to hunt for threats. Here’s how.
Build an Incident Response Plan
Having a threat hunting program means that you’re inevitably going to find some threats and probably some full-fledged security incidents as well. As a result, it’s critical that you have an incident response plan in place before you start threat hunting. Whether your organization has a formal IR program or simply IR procedures, it is imperative to have a prescriptive method of responding to events and alerts in a controlled manner. Develop an incident response plan that outlines preparation, detection and reporting, triage and analysis, containment and neutralization, and post-incident activities. This will help everyone avoid panic mode when your threat hunting team is successful!
Take a Flexible Approach to Threat Hunting
While incident response is best pursued as a well-accepted, business-wide initiative, threat hunting should be an effort centralized within your information security team. Threat hunting is less formal and more mission-oriented. It is a commitment to take a more proactive approach to identifying cyber threats to the organization, and to act on those threats sooner rather than simply waiting for an alert to go off.
While cyber threat hunting isn’t exactly looking for a needle in a haystack, your efforts need to remain a bit more flexible and a little less formalized than incident response. There will be fewer boundaries when following where the hunt leads you.
To Know Your Adversary, First Know Yourself
At my last job, we outsourced our IT administration to a third-party vendor. Basically, they would authenticate each day to our network to conduct day-to-day maintenance activities on each of our servers. One day I was hunting through logs and noticed something strange. The third-party vendor was accessing a subnet that they weren't responsible for. Upon further investigation, I discovered that the vendor had been compromised and an adversary was leveraging the trusted connection between our network and theirs to move laterally into our environment. The advice here is to never underestimate the importance of contextual knowledge of your own environment: knowing which accounts are supposed to touch which systems is what lets you recognize a trusted connection being abused as it occurs.
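As an added example (not code from the original post), here is how the contextual knowledge described above can be turned into a hunting query: a baseline of which subnets each vendor account is responsible for, checked against authentication log lines. The log format, the account name, the subnets and the sample log lines are all constructed for illustration; substitute your own asset inventory and log source.

```python
import ipaddress
from collections import defaultdict

# Constructed sample authentication log lines (hypothetical, not from the post).
# Assumed format: "<timestamp> user=<account> src=<ip> dst=<ip> action=<logon|logoff>"
SAMPLE_LOG = """\
2019-03-04T08:01:12Z user=vendor-admin src=203.0.113.10 dst=10.10.1.15 action=logon
2019-03-04T08:03:40Z user=vendor-admin src=203.0.113.10 dst=10.10.1.22 action=logon
2019-03-04T08:15:09Z user=vendor-admin src=203.0.113.10 dst=10.20.5.7 action=logon
2019-03-04T08:16:55Z user=vendor-admin src=203.0.113.11 dst=10.20.5.9 action=logon
2019-03-04T09:00:02Z user=jsmith src=10.10.1.50 dst=10.20.5.7 action=logon
2019-03-04T09:30:00Z malformed line here
"""

# Contextual knowledge of your own environment: the subnets each outsourced
# account is contracted to administer. Hypothetical values.
RESPONSIBILITY = {
    "vendor-admin": [ipaddress.ip_network("10.10.1.0/24")],
}


def parse_line(line):
    """Parse one key=value log line into a dict; return None if it is malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    fields = {}
    for tok in parts[1:]:
        if "=" not in tok:
            return None
        key, value = tok.split("=", 1)
        fields[key] = value
    if "user" not in fields or "dst" not in fields:
        return None
    fields["timestamp"] = parts[0]
    try:
        fields["dst_ip"] = ipaddress.ip_address(fields["dst"])
    except ValueError:
        return None
    return fields


def out_of_scope_access(log_text, responsibility):
    """Return (timestamp, user, dst) for logons by monitored vendor accounts
    to hosts outside the subnets that account is responsible for."""
    findings = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or event.get("action") != "logon":
            continue
        allowed = responsibility.get(event["user"])
        if allowed is None:
            continue  # not a vendor account we baseline; out of scope for this hunt
        if not any(event["dst_ip"] in net for net in allowed):
            findings.append((event["timestamp"], event["user"], str(event["dst_ip"])))
    return findings


def summarize(findings):
    """Group out-of-scope destinations per account so spread across hosts
    (the lateral-movement pattern) is visible at a glance."""
    by_user = defaultdict(set)
    for _, user, dst in findings:
        by_user[user].add(dst)
    return {user: sorted(dsts) for user, dsts in by_user.items()}


if __name__ == "__main__":
    hits = out_of_scope_access(SAMPLE_LOG, RESPONSIBILITY)
    for ts, user, dst in hits:
        print(f"{ts} {user} reached {dst} outside its assigned subnets")
    print(summarize(hits))
```

The point is that the detection contains no indicator of compromise at all: the only signal is a trusted account stepping outside the scope your own inventory says it should have. Malformed lines are dropped rather than allowed to abort the hunt, and accounts with no baseline are skipped so the query stays focused on the relationship being checked.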
4 Steps to Get Ready
Before pursuing an active cyber threat hunting initiative, complete these four necessary actions:
- Build an architecture: Your organization must be capable of planning, establishing and maintaining its systems with cybersecurity in mind.
- Implement passive defense: Systems such as intrusion prevention should be added to your base architecture to provide a reliable defense against threats (once configured) without needing consistent human interaction or intervention.
- Develop active defense: Define processes for human analysts to monitor data internal to the network, triage the alerts that passive defenses raise, and respond actively to incidents to contain and neutralize threats.
- Drive intelligence: Finally, collect and analyze data about adversaries and about your own environment so the organization can turn it into actionable internal intelligence, which is what the threat hunting program will consume.
Keep Your Eye on the Prize
Successful cyber threat hunters should know the value and the limitations of threat intelligence. Every organization may have its own misconceptions or internal biases. Understanding these up front will help your security team avoid the pitfalls of wasted time and resources spent chasing down alerts or false positives that really don’t matter to your business.
Once you’ve completed these steps, you’ll be ready to operationalize your threat hunting efforts. Keep an eye out for Part 3 of this series and in the meanwhile check out our eBook on threat hunting for more tips.