Threat hunting is a powerful, proactive threat detection tool for strengthening a company or organization’s cybersecurity. But it is not a simple process, and the most work-intensive part is typically the execution of the hunt itself (although the preparation and planning stages are also complex).
Once you’ve finalized your threat hunt plan, how can you make sure to execute it effectively, reliably, and efficiently? And how can you make sure that it yields the answers you need?
There are four steps a cybersecurity analyst must conduct in order to achieve those goals:
1. Collecting data
How you will collect data should already be laid out in your plans, so now it’s just a matter of following through. Data collection is typically the most laborious part of executing a threat hunt, especially if there are hurdles making it difficult to access all of the systems and data that your plan calls for. That makes it especially worthwhile to use automation in this part of the process, which can dramatically reduce the amount of work time required.
2. Processing data
The second-most work-intensive part of the cyberthreat hunt (after data collection) is processing the data you’ve collected. This involves compiling the information so that a threat analyst will be able to examine it. Here is another great opportunity to streamline your threat hunts through automation tools – especially with scripting, SOAR solutions, or both. Ultimately, the success of the threat hunt depends on the quality and comprehensiveness of the data gathered and processed. The more data points you have, and the more extensive the background information at your disposal, the higher the quality of your analysis will be.
3. Analyzing data
While much of threat hunting can be fully automated, analyzing that information is still a job for a (human) threat analyst today. Expert AI systems can help with pattern associations, particularly on open-source data. SOAR and SIEM systems can be configured to help detect and block on IOCs, but they require frequent retuning and reconfiguration. A professional’s expertise and capabilities can really make a powerful difference here.
Professional recommendation: You want your experts spending their time on hypotheses and analysis – not maintaining and curating dark-web contacts, not negotiating access to logs and configuration data with sysadmins in your environment, and not collating data. Purchase the dark-web portals and feeds, automate the data collection and collating, and let your analyst analyze. This is how you achieve 20 times greater throughput, maximize your analyst’s productivity, minimize your spend, and make proactive threat hunting commercially viable for your team.
4. Drafting a conclusion
The last part of conducting a threat hunt is answering the questions at the heart of the threat hunt and writing a report explaining your findings. There are three basic questions your report should address:
What is the answer to the question defined in your PIRs? (Keep in mind: Although it’s a good idea to provide some explanation in the report, it’s important to provide a clear “yes” or “no” to the basic question from your PIR.)
Even if you found no evidence of a cyberattack, did you find that your organization has any vulnerabilities to cyberthreats? (If so, recommend the priority for remediation, and which stakeholders should be engaged for further discussion.)
Did you run across any other findings of note?
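The four steps above, carried through end to end on constructed data as an added example (this is not code from the original article or from any product it mentions). Collection and processing are automated: two "sources" in different native formats are normalized into one schema, IOC matches are flagged and ranked by how many independent sources corroborate each host, and the script drafts a report skeleton that answers the PIR with a plain yes or no and lists other findings of note. The PIR wording, the hostnames, timestamps, addresses and the IOC feed are all hypothetical; the analyst still reviews the evidence before the report goes out.

```python
"""Minimal hunt pipeline: collect -> process -> analyze -> draft conclusion.
Added example on constructed data; all identifiers below are made up."""
import json
import re
from collections import Counter
from dataclasses import dataclass, asdict

# --- 1. Collecting data: two constructed sources in their native formats ---
# (hostnames, timestamps and addresses are invented for this example)
PROXY_LOGS = [
    "2024-05-01T10:02:11Z ws-017 GET http://updates-cdn.example.net/pkg.bin 200 1.2MB",
    "2024-05-01T10:02:35Z ws-017 GET http://203.0.113.44/update.php 200 512B",
    "2024-05-01T10:03:01Z ws-022 GET http://intranet.example/home 200 4KB",
    "2024-05-01T10:03:40Z ws-022 GET http://198.51.100.7/setup.exe 200 3MB",
    "corrupted line that the collector could not read",
]
DNS_LOGS = [
    '{"ts":"2024-05-01T10:02:30Z","host":"ws-017","query":"bad-domain.invalid"}',
    '{"ts":"2024-05-01T10:04:00Z","host":"ws-031","query":"intranet.example"}',
]
# Hypothetical PIR: "Has any workstation contacted infrastructure on our threat-intel feed?"
# Constructed feed; a real hunt would load this from the purchased feed or portal.
IOC_FEED = {"ip": {"203.0.113.44"}, "domain": {"bad-domain.invalid"}}


@dataclass
class Event:
    ts: str
    host: str
    indicator: str   # the IP or domain the host reached out to
    source: str      # which collector produced the record


PROXY_RE = re.compile(r"^(\S+) (\S+) \S+ https?://([^/:\s]+)")
BARE_IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def process(proxy_lines, dns_lines):
    """2. Processing: normalize both sources into one schema, dropping unparseable lines."""
    events = []
    for line in proxy_lines:
        m = PROXY_RE.match(line)
        if m:
            events.append(Event(m.group(1), m.group(2), m.group(3), "proxy"))
    for line in dns_lines:
        try:
            rec = json.loads(line)
            events.append(Event(rec["ts"], rec["host"], rec["query"], "dns"))
        except (ValueError, KeyError):
            continue
    return sorted(events, key=lambda e: e.ts)   # ISO-8601 strings sort chronologically


def analyze(events, feed):
    """3. Analysis support: flag IOC hits and count how many distinct sources corroborate each host."""
    hits = [e for e in events if e.indicator in feed["ip"] or e.indicator in feed["domain"]]
    host_source_pairs = Counter((e.host, e.source) for e in hits)
    per_host = Counter(host for host, _ in host_source_pairs)
    return hits, per_host


def draft_report(events, feed):
    """4. Conclusion skeleton: PIR answered yes/no, evidence attached, other findings listed."""
    hits, per_host = analyze(events, feed)
    # Findings of note that do not answer the PIR: direct-to-IP downloads absent from the feed.
    other = [
        {"host": e.host, "indicator": e.indicator}
        for e in events
        if e.source == "proxy" and BARE_IPV4.fullmatch(e.indicator) and e.indicator not in feed["ip"]
    ]
    return {
        "pir_answer": "yes" if hits else "no",
        "hosts_with_ioc_contact": dict(per_host),   # host -> number of corroborating sources
        "evidence": [asdict(e) for e in hits],
        "other_findings": other,
    }


if __name__ == "__main__":
    print(json.dumps(draft_report(process(PROXY_LOGS, DNS_LOGS), IOC_FEED), indent=2))
```

The corroboration count is what the analyst looks at first: a host that shows up in both the proxy and DNS data for feed indicators deserves attention before a host seen in only one source. The "other findings" list is kept separate from the PIR answer so that the report can still say "no" to the PIR while recommending remediation for something else.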
Once you’ve finished executing your threat hunt, you should have answers to the main questions you aimed to answer. But your work isn’t done yet.
The follow-up after a threat hunt should not only ensure that your colleagues get the cyberthreat information they need to mitigate any risks you discovered, but also help your team keep refining its threat-hunting skills. This way, you can continue to improve the process over time.