Why your threat hunting program building shouldn't stop once the engagement is over
Let's see, it looks like your organization just met an annual Threat Hunting assessment compliance requirement or achieved the introductory objective of experiencing a formal Threat Hunting assessment. Well done! Now, what should the organization take into consideration after successfully completing the assessment? Once a third-party Threat Hunting assessment concludes, many organizations may feel overwhelmed and confused about what Threat Hunting aspects to consider and how to continue with the ongoing operational Threat Hunting requirements.
This blog post will not cover every aspect to consider after a Threat Hunting assessment, but will instead go over some of the common issues I have encountered during assessments. I will identify some of the key Threat Hunting program questions to consider, operational constraints to think about, and some of the staffing requirements an organization should understand before jumping into Threat Hunting activities without the assistance of an experienced third-party.
The intent of this blog post is not to delve into each issue in-depth, but to assist organizations in generating deeper levels of thought and consideration around the complexities of operational Threat Hunting activities. Based on the answers to the questions below, an organization can better ascertain if they are properly equipped and ready to embark on their own Threat Hunting endeavors.
Program Level Areas
To determine whether the organization is prepared at a Threat Hunting program level, it is important to ensure that the organization's Security team and executive leadership are properly aligned. The following list of questions will help to identify existing maturity levels and assist with continuous maturity level building:
- Is there an existing Threat Hunting integration process with SOC and Incident Response processes?
- Is there an existing Threat Hunting workflow established to operationalize the threat detection building and production implementation?
- Has the organization developed a tactical and strategic Threat Hunting plan or basis for activities, such as MITRE ATT&CK, TTPs, etc.?
- Does the organization have proper remediation procedures associated with business process improvements as a result of Threat Hunting findings?
- Does the organization have proper remediation procedures associated with technology misconfigurations as a result of Threat Hunting findings?
- Is there proper alignment between the Security team and executive leadership for establishing success with regard to the Threat Hunting program's return on investment (ROI)?
Threat Hunting Operational Constraints
Threat Hunting entails so much more than just the actual hunting activity. There must be intricate levels of Threat Hunting planning and an understanding of the environment at the operational level before adequate Threat Hunting activities can take place. Some of the notable constraints to consider before Threat Hunting activities begin include:
- Does the organization know what known-good network and endpoint activity looks like within the environment?
- Does the organization know what monitoring blind spots may exist that will reduce the fidelity of the Threat Hunting activities?
- Does the organization know what the critical assets are and where they are located within the network?
- Does the organization have full understanding of all log sources available and how they can be used for added success in Threat Hunting activities?
- Does the organization know what monitoring platforms should be used to perform effective Threat Hunting activities?
- Has the organization established the necessary communications across department lines to work with those who own the monitoring tools or infrastructure required to meet Threat Hunting requirements or objectives?
Operational Staffing
An organization must understand that Threat Hunting is a special skill that not every analyst possesses. Some of the skills necessary include an in-depth understanding of SOC operations and security infrastructure and logging, the capability to understand offensive, defensive, and forensic aspects of Threat Hunting, and the ability to add valuable process improvement recommendations and uncover existing monitoring and logging misconfigurations to assist in higher fidelity attacker detections. Some of the operational staffing requirements that are important to address before committing to ongoing Threat Hunting activities should include:
- Does the organization currently have the skillset and staffing necessary to meet ongoing Threat Hunting needs?
- If the organization has the current skillset, does staff have the operational bandwidth to assume other roles or responsibilities?
- Does the organization have budget to hire a dedicated or leveraged resource who can assume the Threat Hunting responsibilities?
- Should the organization leverage a third-party to continue handling Threat Hunting requirements?
Closing
As you can see from the information above, there are many aspects that must be taken into consideration to ensure ongoing Threat Hunting program success once an assessment has concluded. Answering the baseline questions above can help shape the understanding of an organization regarding requirements of ongoing Threat Hunting activities and can help to determine whether or not the organization is capable of pursuing future Threat Hunting program objectives without the assistance of a third-party.
Taking a crawl, walk, run approach with regard to Threat Hunting is important. Threat Hunting is a labor and time intensive activity that involves many teams, which is why planning, setting measurable goals, and communicating intent across and up the chain is important for long-term success.
If an organization is not ready to pursue Threat Hunting objectives on their own, TrustedSec is equipped to provide services and training to assist with continued Threat Hunting program maturation.
Remember, you can't hunt what you can't see :)