Difference between revisions of "Threat Hunting"

From Socology.org - The Study of Security Operations

Revision as of 05:04, 29 October 2018

This section is under development

Objective

The definition is not fully agreed upon, though it is described in a similar fashion by multiple sources.[1][2][3][4][5]

"Threat hunting is a proactive and iterative approach to detecting threats." (Lee and Bianco, 2016)

The objective of Threat Hunting[6] is a proactive search of systems for adversaries and compromise. Whereas Continuous Monitoring is a reactive service, Threat Hunting strives to actively search logs, controls, countermeasures and activity to identify signs of compromise before they are detected.

Hunting activity is related to other services as it feeds into Content Engineering, Continuous Monitoring, Log Management and Compliance and Risk Management.

Hunting also receives inputs from Threat Intelligence, Enterprise Intelligence, Content Engineering and Risk Management.

Process

These processes are ranked by complexity, starting with the least complex to the most complex.

  • Known IOC Hunting
"Hunters should be careful about relying too much on IOCs. In the industry today there are many threat data feeds that lack the context to make them true indicators." (Lee and Bianco, 2016)

Tooling

  • SIEM, log management or other log collection and analysis tools
  • Data analytics tools
  • There is a vast array of tools capable of performing threat hunting and assisting with analysis.

Ticketing

From experience, Threat Hunting can be ticketed using multiple methods, including existing ticket systems. Tickets should, however, be notated as "Threat Hunting" so that effective metrics can be obtained.

In addition, it is advisable to keep records of successful versus unsuccessful threat hunts.

Reporting

Threat Hunting is a specific service that can provide value in numerous ways to numerous different units inside an organization. The proactive nature of hunting identifies issues which the organization may not be aware of. Therefore, good communication lines are important as well as strategizing reporting in advance.

Reporting can be broken down into two separate levels in the enterprise.

  • Internal between security teams
  • Metrics and reporting to the enterprise
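As an added example (not part of this wiki page), the following Python script shows how the ticketing and reporting advice above fits together: only tickets labelled "Threat Hunting" are counted, successful and unsuccessful hunts are tracked separately, and the same records produce a detailed internal report and a short enterprise summary. The ticket ids, hypotheses, outcome values and the technique labels other than "Known IOC Hunting" are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Ticket:
    ticket_id: str
    category: str            # ticket-system label; only "Threat Hunting" is counted
    technique: str           # hunt process used, e.g. "Known IOC Hunting"
    hypothesis: str
    outcome: str             # "finding" (successful hunt) or "no finding"
    detections_created: int  # new rules handed to Content Engineering afterwards


# Constructed sample tickets; ids, hypotheses and values are illustrative only.
TICKETS = [
    Ticket("TH-101", "Threat Hunting", "Known IOC Hunting",
           "feed-sourced IPs contacted from servers", "no finding", 0),
    Ticket("TH-102", "Threat Hunting", "Known IOC Hunting",
           "known malware hashes present on endpoints", "finding", 1),
    Ticket("TH-103", "Threat Hunting", "Hypothesis-driven",
           "scheduled tasks created by non-admin accounts", "finding", 2),
    Ticket("TH-104", "Threat Hunting", "Hypothesis-driven",
           "PowerShell launched by Office applications", "no finding", 1),
    Ticket("IR-207", "Incident Response", "n/a",
           "phishing report triage", "finding", 0),  # not a hunt: excluded
]


def hunt_metrics(tickets):
    """Aggregate only tickets labelled "Threat Hunting" into reporting metrics."""
    hunts = [t for t in tickets if t.category == "Threat Hunting"]
    successful = [t for t in hunts if t.outcome == "finding"]
    per_technique = {}
    for t in hunts:
        entry = per_technique.setdefault(t.technique, {"hunts": 0, "successful": 0})
        entry["hunts"] += 1
        entry["successful"] += int(t.outcome == "finding")
    return {
        "total_hunts": len(hunts),
        "successful": len(successful),
        "unsuccessful": len(hunts) - len(successful),
        "success_rate": round(len(successful) / len(hunts), 2) if hunts else 0.0,
        "detections_created": sum(t.detections_created for t in hunts),
        "per_technique": per_technique,
    }


def internal_report(tickets):
    """Detail for other security teams: each hunt, its hypothesis and its result."""
    return [f"{t.ticket_id} [{t.technique}] {t.hypothesis}: {t.outcome}"
            for t in tickets if t.category == "Threat Hunting"]


def enterprise_report(metrics):
    """One-line summary for the enterprise: counts, not hypotheses."""
    return (f"{metrics['total_hunts']} hunts, {metrics['successful']} with findings "
            f"({metrics['success_rate']:.0%}), {metrics['detections_created']} new detections")
```

Unsuccessful hunts still count toward coverage and often still yield detection content, which is why both columns are kept rather than only the hits.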

When creating metrics for Threat Hunting

Staffing

Budget

Communications

Documentation

Lessons Learned | Pain Points

Citations

Robert M. Lee and David Bianco. 2016. Generating Hypotheses for Successful Threat Hunting. Retrieved from https://www.sans.org/reading-room/whitepapers/threats/generating-hypotheses-successful-threat-hunting-37172

Additional Resources

https://www.threathunting.net/ - Has done a good job of collecting resources and special thanks to them.