SecurityWeek

Incident Response

Threat Hunting Tips to Improve Security Operations

From Ferdinand Magellan to Lewis and Clark to Neil Armstrong – humans have an innate desire to understand the unknown. In security operations, we see this phenomenon every day in several forms, one of which is threat hunting. Threat hunting is not triggered by an event, but by the unknown. It is the practice of proactively and iteratively searching for abnormal indications within networks and systems.

Proactive threat hunting has become such an important aspect of effective security operations that it is now one of the top three areas of Incident Response (IR) improvement that organizations plan to make this year. According to the 2018 SANS Incident Response Survey, 45.3 percent of the 452 respondents ranked it above developing or improving IR playbooks and above automating response and remediation workflows.

But what does it take to prioritize threat hunting? We all know that you don’t simply decide one day that you’re going to sail around the world or travel 8,000 miles across uncharted territory or head to the moon. You need a well-defined plan and the right resources, aligned to work together. The same is true for hunting threats.  

In general, there are two approaches to threat hunting. The first is an outside-in approach: you learn of a threat from an external report (a vendor advisory, a sharing-community bulletin) and hunt for its associated indicators within your own environment. The second is an inside-out approach: you observe suspicious behavior in your environment first, pivot to the adversary and to external sources to learn more about associated indicators, and then return to your environment to hunt for and find additional indicators.

Whichever threat hunting approach you’re using, you need a way to ensure your hunting efforts are focused on high-risk threats and that the team is operating efficiently since time is the enemy. These three tips can help:

1. Use context to prioritize. Effective prioritization requires context to understand what is relevant and high-priority to your organization. To help with prioritization, many threat intelligence providers publish "global" risk scores based on their own research, visibility and proprietary methods. But what is relevant to one company may not be relevant to another: an indicator scored critical by a provider may target software you don't run, while a lower-scored indicator already sighted on one of your hosts deserves immediate attention. You need to be able to prioritize based on parameters you set. Because you have multiple sources of context (external threat intelligence, internal data and intelligence, etc.), you need a central repository to aggregate data and events and to manage and automate the prioritization process. With an approach to threat hunting that includes aggregating, scoring and prioritizing within the context of your environment, your high-value resources don't waste time chasing ghosts.

2. Don't go it alone; collaborate. Analysts must be able to conduct investigations collaboratively, searching for and comparing indicators across your infrastructure and finding matches between high-risk indicators and internal log data that suggest possible connections. Traditionally, this has been difficult and time-consuming because teams and tools are often siloed, so the same indicator gets investigated twice or not at all. With a single shared environment, collaboration is embedded into all processes, including threat hunting. Teams can work together to explore every corner of the organization, pinpoint adversary tactics, techniques and procedures (TTPs), and find all of the malicious activity so that remediation is complete rather than piecemeal.

3. Never stop learning. Threat hunting must be a continuous process. As new data and lessons learned are added to the central repository, intelligence must be automatically reprioritized to support ongoing hunts; an indicator that looked unremarkable last week should rise to the top as soon as it is sighted internally or corroborated by a second source. Teams and tools improve over time, facilitating future investigations, automatically strengthening defenses and adjusting policies to improve detection and prevention.
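
Taken together, the three tips and the two hunting approaches above describe one workflow: aggregate indicators from external feeds and internal sightings into a central repository, score them with parameters the organization sets rather than with a provider's global score, re-score whenever new data arrives, and then search log data for the indicators that rank highest. The Python sketch below is an added example of that workflow; it is not code from the article or from any ThreatQuotient product. The two feeds, the internal sighting, the weights, the scoring rule and the log lines are all constructed for illustration, and the indicator values use reserved documentation ranges and names.

```python
"""Added example: a small central indicator repository that aggregates
indicators from several sources, scores them with organization-specific
parameters (not the providers' "global" scores), re-scores whenever new
data arrives, and then hunts for the prioritized indicators in log data.
Every feed, weight and log line here is constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Constructed sample sources. "global_score" is what each provider published.
FEED_A = [  # external vendor report: the outside-in starting point
    {"type": "ipv4", "value": "203.0.113.7", "global_score": 90, "tags": ["c2"]},
    {"type": "domain", "value": "update-check.example", "global_score": 40, "tags": ["phishing"]},
]
FEED_B = [  # a second external feed that partly overlaps with FEED_A
    {"type": "ipv4", "value": "203.0.113.7", "global_score": 60, "tags": ["scanner"]},
    {"type": "sha256", "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "global_score": 95, "tags": ["ransomware"]},
]
INTERNAL = [  # an analyst's own sighting: the inside-out starting point
    {"type": "domain", "value": "update-check.example", "global_score": 0, "tags": ["seen-on-finance-host"]},
]

# Organization-specific scoring parameters (hypothetical values chosen for this example).
WEIGHTS = {
    "per_source": 20,          # each independent source that reports the indicator
    "internal_sighting": 40,   # already observed in our own environment
    "tags": {"c2": 30, "ransomware": 30, "phishing": 10, "scanner": -20},
}


@dataclass
class Indicator:
    type: str
    value: str
    sources: set = field(default_factory=set)
    tags: set = field(default_factory=set)
    global_scores: list = field(default_factory=list)
    local_score: int = 0


class Repository:
    """Central store: aggregate first, then score in the context of *this* organization."""

    def __init__(self, weights):
        self.weights = weights
        self.indicators = {}

    def ingest(self, source, records):
        for r in records:
            key = (r["type"], r["value"].lower())
            ind = self.indicators.setdefault(key, Indicator(r["type"], r["value"].lower()))
            ind.sources.add(source)
            ind.tags.update(r["tags"])
            ind.global_scores.append(r["global_score"])
        self.rescore()  # tip 3: every new source or sighting re-prioritizes the whole set

    def rescore(self):
        w = self.weights
        for ind in self.indicators.values():
            score = w["per_source"] * len(ind.sources)        # corroboration counts
            if "internal" in ind.sources:
                score += w["internal_sighting"]                # our own telemetry counts most
            score += sum(w["tags"].get(t, 0) for t in ind.tags)
            ind.local_score = max(0, min(100, score))          # clamp to 0..100

    def prioritized(self, minimum):
        ranked = [i for i in self.indicators.values() if i.local_score >= minimum]
        return sorted(ranked, key=lambda i: i.local_score, reverse=True)


# Extract candidate observables from free-text log lines.
PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
    "sha256": re.compile(r"\b[a-f0-9]{64}\b", re.I),
}


def hunt(repo, log_lines, minimum=50):
    """Return (line_no, type, value, local_score) for each log line carrying a prioritized indicator."""
    wanted = {(i.type, i.value): i for i in repo.prioritized(minimum)}
    hits = []
    for n, line in enumerate(log_lines, 1):
        for typ, pat in PATTERNS.items():
            for m in pat.findall(line):
                key = (typ, m.lower())
                if key in wanted:
                    hits.append((n, typ, key[1], wanted[key].local_score))
    return hits


# Constructed log lines: DNS, web proxy and endpoint telemetry from a fictional network.
LOGS = [
    "2024-05-01T10:02:11Z dns client=10.20.30.41 query=update-check.example rcode=NOERROR",
    "2024-05-01T10:02:12Z proxy client=10.20.30.41 dst=203.0.113.7:443 bytes=18230",
    "2024-05-01T10:05:40Z edr host=fin-ws-07 "
    "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 action=allowed",
    "2024-05-01T10:06:00Z proxy client=10.20.30.99 dst=198.51.100.22:80 bytes=512",
]


def build_repo():
    repo = Repository(WEIGHTS)
    repo.ingest("feed_a", FEED_A)
    repo.ingest("feed_b", FEED_B)
    repo.ingest("internal", INTERNAL)
    return repo


if __name__ == "__main__":
    repo = build_repo()
    for ind in repo.prioritized(0):
        print(f"{ind.local_score:3d} (provider scores {ind.global_scores}) {ind.type} {ind.value}")
    for hit in hunt(repo, LOGS):
        print("hit:", hit)
```

Run as written, the domain that one provider scored 40 ends up at the top of the local ranking (90) because it was sighted internally and corroborated by a feed, while the hash a provider scored 95 lands at 50 with only a single source behind it; ingesting the internal sighting is what moves the domain from 30 to 90, which is the re-prioritization tip 3 calls for. The hunt then flags three of the four constructed log lines. In a real deployment the feeds would come from a threat intelligence platform and the log lines from a SIEM or data lake, and the regex extraction would be replaced by parsed fields, but the aggregate-score-rescore-hunt loop is the same.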

The desire to understand the unknown has driven humans for centuries. With the ability to prioritize, collaborate and learn, security operations teams can turn the unknown into the known more quickly to create a better, safer future.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies.
