For those companies and organizations that have the most at stake when it comes to cybersecurity, threat hunting is a powerful tool for proactively looking for evidence of a cyberattack. But, as we explained in a recent blog post, threat hunting is a complex and resource-intensive process.
How can you streamline this process, so that it becomes feasible to conduct it on a large enough scale to meet your needs? Automation and cutting-edge cyberthreat intel tools can make a powerful difference, but it is also important to take a well-organized, structured approach to threat hunting. That begins even before you start planning for a specific threat hunt, when you gather the information you need in order to decide which threats to investigate and in what order.
With that in mind, here are four steps that can help you create a threat-hunting roadmap reflecting your cybersecurity priorities:
1. Take stock of your critical information assets
The first piece of information you’ll need when planning a threat hunt is likely to be an inventory of your critical information assets. In order to make sure your threat hunt is effective and efficient, you’ll want to perform a cyber threat analysis by assessing relevant data you have, where it is, who can access it, and which safeguards protect it.
The reality is that many companies and organizations carry out threat hunts without following these threat hunting steps and taking a full inventory of their information assets. It is well worth your time to gather as much of this information up front as possible. The more complete your inventory is before you start, the faster and more complete your threat hunt will be.
An ideal inventory should cover all of your critical data and provide the following details (or as many of them as possible):
Physical and logical topologies.
Network device information (make, model, OS version, and configuration).
Security control information (make, model, OS version, and configuration).
Host information (make, model, hardware configuration, and OS version and configuration – as well as the names, versions, and configurations of any applications on that host).
Pan-host/pan-infrastructure information for hypervisors, content management systems, data interchange systems, etc. (including versions, security controls, and access lists).
Data flow between apps and hosts for business solutions.
Access controls for all of the above.
Access lists for all of the above.
Locations, types, and formats of logs for all of the above.
Primary points of contact for all of the above. (In today’s cloud-centric world, this likely encompasses multiple service providers.)
2. Rank your most critical assets in order of importance
After you’ve created an inventory of your information assets, your next step is determining which of them it is most important to protect through threat hunting. In a large and well-funded organization, this is typically done either in a risk assessment or by a risk management program.
Which assets are most important to protect? The answer varies widely from organization to organization, based on specific needs, goals, and threats. For example, one company may be most concerned with its financial accounts, while another may be more focused on protecting its intellectual property.
3. Identify the most urgent threats to your organization
In addition to knowing which data assets you need to protect, developing a threat-hunting roadmap requires you to have a sense of what threats are out there that may impact your organization. You can get a snapshot of the latest and most urgent threats to watch out for by relying on a cyberthreat intelligence feed such as Cybersixgill’s Darkfeed, which automatically provides real-time updates on threats identified on the deep and dark web. This kind of feed can also be used in conjunction with auto-block rules, enabling you to automatically protect yourself against obvious threats in real time, without relying on a threat-hunting or IT team.
If you have enough cybersecurity resources to support a threat-hunting team, then an investigative research portal is likely a worthwhile investment for you. With a solution such as Cybersixgill’s Investigative Portal, you can take a highly tailored approach to both searching for threats and setting up automatic alerts, based on your industry’s threat landscape and the most critical assets listed in your inventory.
4. Put it all together
Once you know what your key information assets are, which of them are most critical, and what threat activity you need to watch out for, you’re ready for an analyst to create a roadmap of the most urgent threats to investigate. They should do this by generating a list of priority intelligence requirements (PIRs) – a set of very specific questions about potential cyberthreats that should guide your threat-hunting program.
Simply put, your list of PIRs should lay out which specific risks you want to investigate and in what order. This step should allow you to synthesize all the information your team has gathered and use it to ensure that your threat-hunting roadmap reflects your cybersecurity priorities.
After you’ve created your roadmap
Once you have gathered the necessary information, asked the right questions, and prioritized them as this post has explained, you will be ready to start planning (and then executing) a specific threat hunt.