
You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a. "Grifter") discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company's network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment.

Before you can embark on a threat hunting exercise, however, it's important to understand how to build, implement and mature a repeatable, internal threat hunting program. What are the components of a program? How do you measure its success?

Despite the increasing demand for threat hunting, a prescriptive framework, which isn't tied to a vendor, is hard to come by. Security leaders often ask our X-Force team, "Can you teach us how to do threat hunting? Are there any resources that can walk us through this?"

After hearing those questions repeatedly, Grifter, X-Force Head of Research John Dwyer and X-Force Global OT Incident Response Lead Sameer Koranne did some exploring. They searched publicly available sources for a central place that covers the operational pieces of threat hunting, including what an internal team looks for, processes that ensure a program's success, and an overall definition of threat hunting and potential outcomes. They looked for technical and non-technical documentation and couldn't find anything. Even the definition of threat hunting had a thousand different explanations.

To fill the framework gap, the X-Force team built their own. They will present it at the 2022 Black Hat conference. I asked them to provide a high-level summary of the talk.

Despite the thousands of definitions, one component of threat hunting doesn't change - the non-technical pieces are just as important as the technical ones. Threat hunting exercises are part of a business unit, and like anything else require defined processes for technical and business-focused stakeholders alike. It's hard to justify a threat hunting investment without knowing the goal and the actions to take to ensure success. Companies should know the stakeholders involved, their roles and how those roles are impacted by the engagement. Creating one mission statement for the program can help establish a consistent process.

Companies must set their definition of threat hunting, its goals, why it's important for them, and how they can direct their threat hunters to carry out their vision before they build a program. If an organization can't define what threat hunting means, how will it know if its team is being successful? How will the team carry out the right vision of what threat hunting should entail?

Top Questions to Ask About Threat Hunting

When creating a threat hunting program, it's important to ask the right questions.

What is threat hunting to us? Again, it's critical companies pick a definition that resonates with them. The definition will help set the vision for what they hope to achieve.

How do we know what to hunt for? Defining the hypothesis can help answer this question because it defines the threat and its traits.

Building a Hypothesis

Some companies build a threat hunting program that's predominantly based on alerts. Threat hunting entails much more than alerts. It's proactive, testable, and based on a hypothesis. For example, if you say, "I know malware 'x' exists," you can then generate a hypothesis that states, "If malware 'x' was executed on my system, then I should be able to collect evidence 'y' and 'z' to prove that the malware is there." In other words, if there is malware "x" it will look like "y" and "z." Threat hunters can then use that hypothesis when looking for the malware. An alert doesn't exist for the malware yet. A threat hunter's job is to try to find it. They would look for the 'y' and 'z' evidence to detect it. In their framework, John, Sameer and Grifter explain the components of an effective and ineffective hypothesis.
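The "if malware x ran, I should be able to collect evidence y and z" hypothesis described in this post can be written down as code so that it is actually testable. The example below is added here and is not part of the original post or of the X-Force framework; the event format, the two evidence predicates, and the sample telemetry are all constructed for illustration. It models a hypothesis as a premise plus a list of evidence items, each tied to the data source it must come from, and treats a hypothesis as untestable (rather than silently "not found") when one of those sources is not being collected, which is the most common way a hunt produces a false sense of safety.

```python
"""Hypothesis-driven hunt: a premise plus the evidence that would prove it,
evaluated against constructed sample telemetry (illustrative, not real data)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Iterable

# Constructed sample events. Field names mimic a generic EDR process log
# and a DNS log; they are assumptions for this example, not any vendor's schema.
EVENTS = [
    {"src": "process", "host": "ws01",
     "image": r"C:\Users\alice\AppData\Local\Temp\x.exe", "cmd": "x.exe /q"},
    {"src": "process", "host": "ws01",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /create /tn Updater /tr "C:\Users\alice\AppData\Local\Temp\x.exe"'},
    {"src": "dns", "host": "ws01", "query": "update-check.example.invalid"},
    {"src": "process", "host": "ws02",
     "image": r"C:\Program Files\App\app.exe", "cmd": "app.exe"},
    {"src": "dns", "host": "ws02", "query": "www.example.com"},
]

Predicate = Callable[[dict], bool]


@dataclass
class Evidence:
    label: str       # the 'y' / 'z' of the post: what we expect to observe
    source: str      # data source the evidence has to come from
    test: Predicate  # returns True when one event is an instance of the evidence


@dataclass
class Hypothesis:
    premise: str     # the 'if malware x was executed on my system' part
    evidence: list[Evidence]


@dataclass
class HuntResult:
    supported: bool
    untestable: list[str] = field(default_factory=list)   # evidence with no data source
    matches: dict[str, list[dict]] = field(default_factory=dict)
    hosts: list[str] = field(default_factory=list)        # hosts where all evidence co-occurs


def run_hunt(h: Hypothesis, events: Iterable[dict], collected: set[str]) -> HuntResult:
    """Evaluate one hypothesis against the events.

    The hypothesis is supported only when at least one host shows every
    evidence item; evidence scattered across unrelated hosts does not count.
    If any evidence needs a source we are not collecting, we say so instead
    of reporting 'nothing found'.
    """
    events = list(events)
    untestable = [e.label for e in h.evidence if e.source not in collected]
    if untestable:
        return HuntResult(supported=False, untestable=untestable)
    matches = {
        e.label: [ev for ev in events if ev["src"] == e.source and e.test(ev)]
        for e in h.evidence
    }
    host_sets = [{ev["host"] for ev in found} for found in matches.values()]
    hosts = set.intersection(*host_sets) if host_sets else set()
    return HuntResult(supported=bool(hosts), matches=matches, hosts=sorted(hosts))


# Hypothesis for a hypothetical 'malware x': evidence y is execution from a
# user-writable temp directory, evidence z is persistence via a scheduled task
# whose action points back into such a directory (both constructed for the example).
MALWARE_X = Hypothesis(
    premise="malware x was executed on a workstation",
    evidence=[
        Evidence("execution from user temp dir", "process",
                 lambda ev: r"\appdata\local\temp\ "[:-1] in ev["image"].lower()),
        Evidence("persistence via scheduled task", "process",
                 lambda ev: ev["image"].lower().endswith("schtasks.exe")
                 and "/create" in ev["cmd"].lower()
                 and r"\temp\ "[:-1] in ev["cmd"].lower()),
    ],
)

# Same premise, but one evidence item depends on a source that is not collected,
# so the hunt must report it as untestable rather than 'not found'.
MALWARE_X_NEEDS_NETFLOW = Hypothesis(
    premise="malware x was executed and beaconed out",
    evidence=MALWARE_X.evidence + [
        Evidence("outbound beacon", "netflow", lambda ev: True),
    ],
)

COLLECTED_SOURCES = {"process", "dns"}   # what this (constructed) environment actually logs


def demo() -> tuple[HuntResult, HuntResult]:
    return (run_hunt(MALWARE_X, EVENTS, COLLECTED_SOURCES),
            run_hunt(MALWARE_X_NEEDS_NETFLOW, EVENTS, COLLECTED_SOURCES))


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The design choice worth noting is the `collected` argument: a hypothesis is only as good as the telemetry it can be tested against, and the "ineffective hypothesis" the post mentions is often one whose evidence can never be observed in the environment. Forcing each evidence item to name its data source makes that gap visible before the hunt starts.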
