How to Build and Grow an Effective Cyber Threat Hunting Team
Written by Rick McElroy, Security Strategist, Carbon Black
In today’s threat landscape, modern security teams recognise that compromise is inevitable; however, that doesn’t mean a breach should be inevitable as well. The majority of threats can be avoided if organisations have good cyber hygiene such as regular patching, upgrades, and the right people and processes in place. To take security to the next level, it’s important to build threat hunting into an organisation’s cybersecurity strategy and culture.
How can organisations learn to be more proactive rather than reactive? And how can we change the culture if we are going to set up a threat hunting capability within our security operations centres (SOCs)?
Threat hunting means proactively searching through data. We’ve been doing this on the network for a long time using network-analysis tools, but modern attacks have caused a contextual problem: there are leaks and evasion techniques that can bypass tools. For example, sandboxing was big, but I believe in two years sandboxing won’t provide any value and won’t be an effective control, because the bad guys understand it.
Threat hunting can be used as a powerful tool not only to detect malicious behaviour missed by other security measures, but also to drive a deeper understanding of how malicious software, actor tools, and behaviours work.
Threat intelligence is also a valuable weapon when combined with retrospective analysis, allowing the hunter to uncover previously unknown indicators in historical data. With detailed and complete knowledge, an intelligent strategy can be implemented to proactively detect, respond to, or prevent attacks.
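The retrospective analysis described above, as an added example that is not from the original article or from Carbon Black: a small Python script takes a newly received indicator list and sweeps historical endpoint telemetry for it, reporting each sighting and how long each indicator had been present before the hunt found it. The log records, the indicator feed, the field names and the type-to-field mapping are all constructed for this example and are not a vendor schema.

```python
"""Retrospective indicator sweep over historical telemetry (added example)."""
from __future__ import annotations

from datetime import datetime, timezone

# Constructed historical telemetry with assumed field names. The domains,
# paths and hashes are made up for this example.
HISTORICAL_LOGS = [
    {"ts": "2024-01-03T08:12:00Z", "host": "ws-17", "dns": "updates.cdn-example.test"},
    {"ts": "2024-01-03T08:12:04Z", "host": "ws-17",
     "process": "C:\\Users\\Public\\svc.exe", "sha256": "ab" * 32},
    {"ts": "2024-01-05T17:40:11Z", "host": "ws-22", "dns": "intranet.corp.test"},
    {"ts": "2024-01-09T02:05:30Z", "host": "ws-22", "dns": "UPDATES.CDN-EXAMPLE.TEST"},
    {"ts": "2024-01-11T09:00:00Z", "host": "srv-db1",
     "process": "C:\\Windows\\System32\\svchost.exe", "sha256": "cd" * 32},
    {"ts": "2024-01-12T13:22:45Z", "host": "ws-31",
     "process": "C:\\Temp\\tool.exe", "sha256": "ef" * 32},
]

# Constructed intelligence feed received after the events above were logged.
# Format assumed here: one "type,value" per line, '#' starts a comment.
INTEL_FEED = (
    "# indicator_type,value\n"
    "domain,updates.cdn-example.test\n"
    "sha256," + "EF" * 32 + "\n"
)

# Which log field each indicator type is compared against (assumed mapping).
FIELD_FOR_TYPE = {"domain": "dns", "sha256": "sha256"}


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_indicators(feed: str) -> dict[str, set[str]]:
    """Parse a 'type,value' feed into lower-cased sets keyed by indicator type."""
    indicators: dict[str, set[str]] = {}
    for line in feed.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, value = line.partition(",")
        indicators.setdefault(kind.strip().lower(), set()).add(value.strip().lower())
    return indicators


def sweep(logs: list[dict], indicators: dict[str, set[str]]) -> list[dict]:
    """Return every historical record whose mapped field matches an indicator.

    Comparison is case-insensitive, so a DNS query logged in upper case still
    matches a lower-case domain in the feed.
    """
    hits = []
    for record in logs:
        for kind, values in indicators.items():
            observed = record.get(FIELD_FOR_TYPE.get(kind, ""))
            if observed is not None and observed.lower() in values:
                hits.append({"ts": parse_ts(record["ts"]), "host": record["host"],
                             "type": kind, "indicator": observed.lower()})
    return hits


def first_seen(hits: list[dict]) -> dict[str, datetime]:
    """Earliest sighting of each indicator: the start of its dwell period."""
    earliest: dict[str, datetime] = {}
    for hit in hits:
        key = hit["indicator"]
        if key not in earliest or hit["ts"] < earliest[key]:
            earliest[key] = hit["ts"]
    return earliest


def dwell_days(earliest: dict[str, datetime], detected_at: datetime) -> dict[str, float]:
    """Days between first sighting and the moment the hunt surfaced it."""
    return {k: (detected_at - ts).total_seconds() / 86400 for k, ts in earliest.items()}


def run_hunt(logs=HISTORICAL_LOGS, feed=INTEL_FEED, detected_at=None):
    """Sweep the logs with the feed and return (hits, first_seen, dwell_days)."""
    if detected_at is None:
        detected_at = datetime(2024, 1, 20, 12, 0, tzinfo=timezone.utc)  # constructed
    hits = sweep(logs, load_indicators(feed))
    earliest = first_seen(hits)
    return hits, earliest, dwell_days(earliest, detected_at)


if __name__ == "__main__":
    hits, earliest, dwell = run_hunt()
    for h in hits:
        print(f"{h['ts'].isoformat()} {h['host']:8} {h['type']:7} {h['indicator']}")
    for ind, days in dwell.items():
        print(f"{ind}: first seen {earliest[ind].date()}, dwell {days:.1f} days")
```

The dwell figure is the number that feeds a mean time-to-detect metric: each retrospective hit shows how long an indicator sat in the environment unnoticed, and hosts that match both a domain and a hash indicator are the natural starting point for the next hunt.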
Today’s next-gen SOC needs to be able to fuse together external threat feeds with the knowledge the security team has about their own environment and end users. The good news is that you don’t need big budgets to undertake threat hunting and equip the SOC with a more proactive approach, you can start simply.
Below are a number of pointers to consider:
Change the mind-set of your SOC. Get them to think like a detective. Threat hunting doesn’t need to start with an all-encompassing approach. The security team could start by looking at one particular incident. The website Threathunting.net provides all kinds of open source process scripts to find information and is a good place to start for free.
Centralise your data. The SOC needs to centralise all its data – SIEMs, logs, tools – this all needs to be consolidated and correlated. In particular, look at the mean time-to-detect and mean time-to-respond – these are the two key metrics that matter.
Recognise this is a process issue. Security teams should not only centralise their data but also activate Active Directory logs and endpoint detection and response (EDR) tools. They should consolidate what they have and, where possible, get rid of technical debt and normalise their environment from the endpoint to the network.
Think through use cases. List out a couple of strategic projects to start. Provide the team with a data set. For example, pick an endpoint, pick a network, or pick a small data centre.
View this as an agile, iterative process. Get the team to come back with problems. Prove the model and then show how you can now do the job faster. Once you have done a hunt four or five times, the team will start to adopt hunting behaviour.
Allocate time for threat hunting. Look strategically at time. The security team should review the low-value security activities they undertake and reallocate that time. This means saying “no” to some activities.
Show the value of threat hunting. If you want the organisation to adopt a threat hunting culture, you need to be able to show the ROI on your activities. “I’m saving XX amount of money by performing this activity, so we won’t have to go out and buy YY more technology.”
Over time, the security team needs to perform these tasks faster to move at the speed of the attacker. Likewise, they need to consider people, process, then technology – most vendors will say technology first. And, finally, to threat hunt successfully you need a team that is interested and incentivised to do threat hunting, so make sure they are rewarded in the right way.
Once the organisation has a simple approach in place, then it’s all about replicating the approach so the team can perform threat hunting faster each time. And this is where technology comes in as the organisation looks to scale its threat hunting capabilities and automate. Orchestration and automation are the next step in building out the threat hunting capabilities of a modern SOC.
Ultimately, organisations often think that security will stop them from driving initiatives forward. If security teams take the steps outlined above, this perception should start to flip to the point where the organisation actively seeks security’s involvement.