For organizations concerned that they could fall victim to a serious and costly cyberattack, threat hunting offers a proactive and effective way to minimize the chances of unknowingly suffering from an attack for an extended period. But reliable and efficient threat hunting requires expertise, structure, and the right tools for streamlining the process.
How should you go about planning such a critical project? It comes down to three steps. By investing in each of these planning steps up front, your team can prepare itself both to execute the threat hunt relatively quickly and to ensure that the threat hunt answers your most urgent questions.
Here’s a look at how to conduct those three steps of the planning process:
1. Define your threat hunt
Before an analyst from your team can get into the heart of the threat hunting plan, it’s important to answer two critical questions that will drive the threat hunt: Why are you about to conduct a threat hunt, and which possible threat will you focus on? Each hunt should focus on one specific threat and address one main question.
Next, the cyber threat detection analyst defines the scope of the threat hunt. This process starts with identifying your assumptions about the hunt and laying out your hypothesis based on your threat intelligence.
The key to developing an effective hypothesis is answering another critical question: If the threat that you’re worried about happened to you, what evidence would there be? For example, let’s say threat X uses tools that typically leave the registry key “gotcha” in location Z. If threat X happened, I would expect to find the key “gotcha” at location Z. I care about threat X on servers A, B, and C. Final hypothesis: If key “gotcha” is at Z on servers A, B, or C, I might be suffering from threat X.
After your team articulates their hypothesis (and maybe sub-hypotheses) for each threat hunt, they can determine which elements of your environment to search.
The last component of defining a threat hunt is laying out its limitations. For this step, it is important to consider questions including the following:
What timeframe will the threat hunt consider?
What environments should it not consider?
Do you have any relevant legal, regulatory, or contractual constraints?
Do you have any technical limitations that could constrain the threat hunt?
What is the deadline by which you need to have the threat hunt completed?
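As an added example that is not part of the original post, here is how the "gotcha" hypothesis from this section, together with the scope limitations above (in-scope servers, excluded environments, timeframe), could be encoded and checked against constructed registry telemetry. The host names, the registry path standing in for "location Z", and the timestamps are assumptions; the records are constructed sample data, not output of any real tool.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass
class HuntHypothesis:
    """One hunt, one threat, one main question (step 1 of the plan)."""
    threat: str            # the threat the hunt is about, e.g. "threat X"
    key_name: str          # artefact the threat's tooling typically leaves behind
    location: str          # where that artefact is expected to appear
    in_scope_hosts: set    # servers A, B and C from the hypothesis
    excluded_hosts: set    # environments the hunt must not consider
    window_start: datetime # timeframe the hunt considers
    window_end: datetime


def evaluate(h: HuntHypothesis, records):
    """Return {host: [timestamps]} for in-scope hosts where the evidence was found.

    records: iterable of (host, key_path, key_name, observed_at) tuples, the
    shape a registry-collection tool might emit (constructed here, assumed).
    """
    hits = {}
    for host, path, name, seen in records:
        if host in h.excluded_hosts or host not in h.in_scope_hosts:
            continue  # respect the limitations laid out in the plan
        if not (h.window_start <= seen <= h.window_end):
            continue  # outside the hunt's timeframe
        if path == h.location and name == h.key_name:
            hits.setdefault(host, []).append(seen)
    return hits


# Constructed hypothesis: key "gotcha" at location Z on servers A, B or C.
GOTCHA = HuntHypothesis(
    threat="threat X",
    key_name="gotcha",
    location=r"HKLM\SOFTWARE\Z",  # assumed path standing in for "location Z"
    in_scope_hosts={"server-a", "server-b", "server-c"},
    excluded_hosts={"server-d"},  # e.g. a system under a contractual constraint
    window_start=datetime(2024, 1, 1),
    window_end=datetime(2024, 1, 31),
)

# Constructed sample telemetry exercising each limitation in turn.
SAMPLE_RECORDS = [
    ("server-a", r"HKLM\SOFTWARE\Z", "gotcha", datetime(2024, 1, 10)),  # hit
    ("server-b", r"HKLM\SOFTWARE\Z", "gotcha", datetime(2023, 12, 5)),  # before window
    ("server-c", r"HKLM\SOFTWARE\Y", "gotcha", datetime(2024, 1, 12)),  # wrong location
    ("server-d", r"HKLM\SOFTWARE\Z", "gotcha", datetime(2024, 1, 15)),  # excluded host
    ("server-c", r"HKLM\SOFTWARE\Z", "gotcha", datetime(2024, 1, 20)),  # hit
]


def run_gotcha_hunt():
    return evaluate(GOTCHA, SAMPLE_RECORDS)
```

Only server-a and server-c should come back as hits: the other records fall outside the timeframe, the expected location, or the hunt's scope.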
2. Equip your threat hunt
To make threat hunting viable on a scalable, ongoing basis, your team will need to operate with the efficiency that comes with the right technological tools. Using the most effective digital solutions can accelerate a threat hunt by more than 20 times.
The time to make sure you have those tools in place is before you start collecting data for a threat hunt. You’ll want to consider three types of tools here: threat intelligence sources, telemetry-based technologies, and automation solutions.
When it comes to threat intel, there are a wide variety of tools that gather information in different ways and from different sources. Depending on your inventory of information assets and the hypothesis (or hypotheses) driving your threat hunt, you may want to draw on any or all of the following sources of threat intelligence:
Solutions (including automated feeds, investigative portals, or both) offering you threat intelligence gathered from the deep and dark web.
Open-source threat intel feeds.
Information provided by major cybersecurity vendors, such as antivirus service providers.
Insights gathered from publicly available media, such as cybersecurity blogs.
General-purpose search engines.
3. Complete, review, and finalize your threat hunt plan
Having defined the threat hunt and which tools to use, you are ready to begin building a threat hunting program. The remaining questions that should be answered before starting the data collection phase fill in the rest of the gaps in your plan.
It’s a good idea to start by answering the most basic questions:
Who will conduct the threat hunt?
How will they conduct it?
When will they conduct it?
Where will they conduct it?
What resources will they use to conduct it (including the tools you have selected for the hunt)?
After answering these questions, you will want to clearly define your company or organization’s change control process and any legal oversight, and how these factors will affect the threat hunt. You’ll also want to lay out a schedule for the hunt.
Then comes the last step before getting into the heart of the threat hunt: the review process. The idea here is to ensure that your plan is workable, appropriate in light of your hypothesis and sub-hypotheses, and cost-effective. You should involve somebody besides the analyst who made the plan here, minimizing the chances that biases compromise the plan’s effectiveness and reliability.
After you have completed and finalized your threat hunting plan, you’ll be ready to start carrying out that plan.