Threat hunting is a complex process used to address potentially serious and costly cyberthreats that companies and organizations may face. In a recent blog post, we provided an overview of the four threat hunting steps involved in executing a threat hunt.
But finishing a threat hunt doesn’t mean your work is done. The follow-up process involves analyzing both your results and your process, as well as ensuring that your colleagues get the information they need.
Your first step after threat hunting is to evaluate your team’s performance and learn actionable lessons. This is the key to continually improving your threat-hunting project team, and it’s important to consider these questions:
Was the chosen hypothesis appropriate and sufficiently specific for this hunt? (And if not, was it too specific or too general, and what made it a poor match for this threat hunt?)
Was the scope of the threat hunt appropriate? (And if not, was the scope too wide or too narrow, and why?)
Was the threat intelligence you received helpful, and what would have made it even better?
If you used a threat intelligence provider’s portal, was the portal sufficient? What would have made it more helpful?
What other tools did you use? Were they sufficient? What would have made them more helpful?
Did everyone follow your threat hunting and associated change/notice processes? Were there any areas not addressed in your process that you had to work around? Are there any process improvements you can make for better detail, speed, accuracy, or coordination?
Did staff perform as expected? Were there any issues with following processes? Was any training missing, and is there threat hunting training that would improve future performance?
Did leadership have sufficient information to answer questions and report status throughout the effort? Did leadership communications in any way inhibit the hunt?
Finally, for each of the above, what went WELL? What did you do right? Be sure to recognize those responsible for the good things.
After receiving any necessary approvals on your conclusions, share this information within your company so that future hunts benefit from the lessons learned. It is also a good idea to share relevant findings (when possible, and only with the necessary approvals) with the third-party vendors you worked with on this threat hunt, such as threat intelligence vendors, so that they can better support your future hunts.
Next, act on the conclusion of your threat hunting report. If you found evidence supporting your hypothesis, hand the report, together with the indicators, affected systems and queries behind it, to your incident response team promptly and initiate your incident response process.
If you did not find evidence to support your hypothesis, remember that this does not prove the hypothesis false; it only shows that, based on the data you gathered, you could not confidently confirm it. A negative result is only as strong as the telemetry behind it, so record which data sources, hosts and time window you actually examined, and note any gaps in that coverage. Then report your findings internally and move on to your next threat hunt.
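The distinction between "confirmed", "not confirmed" and "inconclusive" is easy to lose once a report is filed, so here is an added example (not code from the original post or from any product it mentions) that classifies a hunt outcome the way the two paragraphs above describe: hits support the hypothesis and go to incident response; no hits with full data coverage is a scoped negative; no hits with missing telemetry is inconclusive and should be recorded as such. The hypothesis, data source names, host counts and dates are constructed for illustration, and the 90% host-coverage threshold is an assumed policy value.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple

# Minimum fraction of in-scope hosts that must be reporting a required
# source for a negative result to count as covered (assumed policy value).
MIN_HOST_FRACTION = 0.9


@dataclass
class SourceCoverage:
    """What telemetry was actually available for one data source."""
    name: str
    hosts_expected: int
    hosts_reporting: int
    data_start: datetime
    data_end: datetime


@dataclass
class HuntResult:
    hypothesis: str
    hunt_start: datetime
    hunt_end: datetime
    required_sources: List[str]        # sources the hypothesis depends on
    coverage: List[SourceCoverage]     # sources that were actually searched
    matches: int                       # records supporting the hypothesis


def coverage_gaps(result: HuntResult) -> List[str]:
    """List every way the collected telemetry fell short of the hunt's needs."""
    gaps: List[str] = []
    by_name = {c.name: c for c in result.coverage}
    for src in result.required_sources:
        cov = by_name.get(src)
        if cov is None:
            gaps.append(f"{src}: no data collected")
            continue
        if cov.hosts_expected and cov.hosts_reporting / cov.hosts_expected < MIN_HOST_FRACTION:
            gaps.append(f"{src}: only {cov.hosts_reporting}/{cov.hosts_expected} hosts reporting")
        if cov.data_start > result.hunt_start or cov.data_end < result.hunt_end:
            gaps.append(
                f"{src}: data spans {cov.data_start:%Y-%m-%d} to {cov.data_end:%Y-%m-%d}, "
                f"hunt window is {result.hunt_start:%Y-%m-%d} to {result.hunt_end:%Y-%m-%d}"
            )
    return gaps


def classify(result: HuntResult) -> Tuple[str, str, List[str]]:
    """Return (status, next step, coverage gaps) for a finished hunt."""
    gaps = coverage_gaps(result)
    if result.matches > 0:
        return "CONFIRMED", "hand report to incident response and open an incident", gaps
    if gaps:
        return "INCONCLUSIVE", "report gaps internally; fix telemetry before re-running", gaps
    return "NOT_CONFIRMED", "report negative result with scope; move to next hunt", gaps


# Constructed scenario: the hypothesis needs scheduled-task creation events
# (Windows Security 4698) and Sysmon process-creation events (Sysmon 1).
WINDOW = (datetime(2023, 3, 1), datetime(2023, 3, 31))

FULL_COVERAGE = HuntResult(
    hypothesis="Attacker persisted via scheduled tasks on domain controllers",
    hunt_start=WINDOW[0], hunt_end=WINDOW[1],
    required_sources=["windows-security-4698", "sysmon-1"],
    coverage=[
        SourceCoverage("windows-security-4698", 6, 6, datetime(2023, 1, 1), datetime(2023, 4, 1)),
        SourceCoverage("sysmon-1", 6, 6, datetime(2023, 1, 1), datetime(2023, 4, 1)),
    ],
    matches=0,
)

# Same hunt, but Sysmon only reached 2 of 6 hosts and its retention starts mid-window.
PARTIAL_COVERAGE = HuntResult(
    hypothesis=FULL_COVERAGE.hypothesis,
    hunt_start=WINDOW[0], hunt_end=WINDOW[1],
    required_sources=["windows-security-4698", "sysmon-1"],
    coverage=[
        SourceCoverage("windows-security-4698", 6, 6, datetime(2023, 1, 1), datetime(2023, 4, 1)),
        SourceCoverage("sysmon-1", 6, 2, datetime(2023, 3, 15), datetime(2023, 4, 1)),
    ],
    matches=0,
)

if __name__ == "__main__":
    for r in (FULL_COVERAGE, PARTIAL_COVERAGE):
        status, action, gaps = classify(r)
        print(status, "-", action)
        for g in gaps:
            print("  gap:", g)
```

The useful property is that the two zero-hit hunts above do not get the same label: one is a scoped negative the team can file and move past, the other names the telemetry gap that has to be closed before the hypothesis can be retested.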
For tools and more useful insights and guidance on threat hunting, check out our latest guide, Threat Hunting for Effective Cybersecurity: How to Protect Critical Assets Through Systematic, Proactive Threat Intelligence.
This is the fifth in a series of posts covering the basics of threat hunting for today’s companies and organizations.