Understanding the key components necessary to build a successful threat hunting program starts with visibility, the appropriate tools, and automation. Skilled, experienced analysts, engineers and incident responders with analytical minds, who can apply concepts and approaches to a variety of different toolsets, are also instrumental to the process. In this presentation, we describe and discuss some of the most common challenges, recommended best practices, and focus areas for achieving an effective threat hunting capability, based on lessons learned over the past 15 years.
Building a Successful Threat Hunting Program
1. [Proactive Security] Building a Threat Hunting Program
Presented by: Carl Manion, Managing Principal
E16-SPGC. This document does not contain technology or Technical Data controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations.
Copyright. Unpublished Work. Raytheon Company.
Customer Success Is Our Mission is a registered trademark of Raytheon Company.
2. Proactive Threat Hunting
• Proactive Threat Hunting refers to proactively and iteratively searching through networks or datasets to detect and respond to advanced threats that evade traditional rule- or signature-based security solutions.
• Threat hunting combines the use of threat intelligence, analytics, and automated security tools with human smarts.
• Rather than waiting for the inevitable data breach to happen, proactively scout around for and hunt down bad actors and malicious activity on your networks.
3. THREAT HUNTING PROGRAM | Key Components
1) Starts with Visibility.
2) Tools and Automation are important.
3) Training is critically important.
4) Requires skilled, experienced analysts, engineers, and incident responders.
5) Metrics are important.
6) Intelligence is more than a buzzword.
[Diagram: the six numbered components: 1 Visibility, 2 Tools, 3 Training, 4 Talent, 5 Metrics, 6 Intelligence]
4. THREAT HUNTING PROGRAM | Visibility
• Network traffic, hosts, end-points, logs, threats
• Must be able to easily pivot and build timelines
• Hunting can be time consuming, so access and performance must be part of your key considerations
• Investigation directly supports detection and response
5. THREAT HUNTING PROGRAM | Tools & Automation
• SIEM
• NMS / IDS / IPS
• EDR
• Threat “Intelligence” Feeds/Platform/Services
• SOC Orchestration / Workflow Automation
• Overall, requires platforms more than tools; let the smart humans define what they need to see
6. THREAT HUNTING PROGRAM | Training
• Define the results for the skills or capabilities you hope to attain
• Outline training plans / topics / objectives; align them with the threat hunting strategy and plans
• Mentoring / Teaming / On-the-job training (OJT)
• Informal training counts too!
• List job/role related training expectations of staff
• Remember to account for training costs, timeframes and schedules
7. THREAT HUNTING PROGRAM | Skills (Talent)
• Well rounded individuals
• Driven / Motivated to learn
• Analytical mind, able to apply concepts and approaches to a variety of different toolsets
• Able to think like the adversary; can transition between defensive/offensive mindset
• Train, train, train!
Responds to Alarms. Searches for Clues.
8. THREAT HUNTING PROGRAM | Metrics
• Attack “Dwell Time”
– What is it? Lifespan of an attack; how long the attacker was in your environment.
– Why it matters: The longer the attacker has to operate in your environment, the more damage they can do.
– The goal is to reduce dwell time as much as possible, so attackers do not have time to achieve lateral movement and remove critical data.
• Mean Time to Detection
– What is it? The mean (average) time it takes to detect malicious or anomalous activity within an environment.
– Why it matters: Identifying and containing an attacker, as quickly as possible, is of paramount importance to minimize damage.
Focus Areas To Reduce Dwell Time:
1. Fundamental security controls
2. Granular visibility and correlated intelligence
3. Continuous endpoint monitoring
4. Actionable prediction of human behavior
5. User awareness (user behavior analysis)
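As an added example (not part of the presentation), the Python below computes the two metrics this slide defines, dwell time and mean time to detection, over a set of closed incident records. The incident names, timestamps and the "alert"/"hunt" source labels are constructed for illustration; the split of MTTD by source is an assumption about how a program would want to see the hunting team's contribution.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, median
from typing import Dict, List


@dataclass
class Incident:
    """One closed incident. Timestamps are ISO-8601 strings; all values below are constructed."""
    name: str
    first_activity: str  # earliest attacker activity established by the investigation
    detected: str        # when the activity was first identified
    contained: str       # when the attacker no longer had access to the environment
    source: str          # "alert" = tooling fired; "hunt" = found by proactive hunting


# Constructed sample incidents (hypothetical names, dates and sources).
SAMPLE_INCIDENTS = [
    Incident("INC-A", "2016-01-01T00:00:00", "2016-01-11T00:00:00", "2016-01-12T00:00:00", "alert"),
    Incident("INC-B", "2016-02-01T00:00:00", "2016-02-03T12:00:00", "2016-02-04T00:00:00", "hunt"),
    Incident("INC-C", "2016-03-01T00:00:00", "2016-03-31T00:00:00", "2016-04-02T00:00:00", "alert"),
    Incident("INC-D", "2016-04-01T00:00:00", "2016-04-02T00:00:00", "2016-04-02T06:00:00", "hunt"),
]


def _hours_between(start: str, end: str) -> float:
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def validate(inc: Incident) -> None:
    """Reject records whose timeline is impossible; bad data would silently skew the averages."""
    first = datetime.fromisoformat(inc.first_activity)
    detected = datetime.fromisoformat(inc.detected)
    contained = datetime.fromisoformat(inc.contained)
    if not (first <= detected <= contained):
        raise ValueError(f"{inc.name}: expected first_activity <= detected <= contained")


def dwell_time_hours(inc: Incident) -> float:
    """Dwell time: how long the attacker was in the environment (first activity to containment)."""
    validate(inc)
    return _hours_between(inc.first_activity, inc.contained)


def time_to_detect_hours(inc: Incident) -> float:
    """Time to detection for one incident (first activity to detection)."""
    validate(inc)
    return _hours_between(inc.first_activity, inc.detected)


def program_metrics(incidents: List[Incident]) -> Dict[str, object]:
    """Aggregate the per-incident figures into the metrics the slide names.

    The median dwell time is reported beside the mean because one long-lived intrusion
    dominates the mean; MTTD is also split by how the incident was found so that the
    hunting team's contribution is visible.
    """
    if not incidents:
        raise ValueError("no incidents to measure")
    dwell = [dwell_time_hours(i) for i in incidents]
    ttd = [time_to_detect_hours(i) for i in incidents]
    by_source: Dict[str, List[float]] = {}
    for inc, hours in zip(incidents, ttd):
        by_source.setdefault(inc.source, []).append(hours)
    return {
        "incidents": len(incidents),
        "mean_dwell_hours": round(mean(dwell), 1),
        "median_dwell_hours": round(median(dwell), 1),
        "mttd_hours": round(mean(ttd), 1),
        "mttd_hours_by_source": {s: round(mean(v), 1) for s, v in sorted(by_source.items())},
        "hunt_found_share": round(sum(1 for i in incidents if i.source == "hunt") / len(incidents), 2),
    }


if __name__ == "__main__":
    for key, value in program_metrics(SAMPLE_INCIDENTS).items():
        print(f"{key}: {value}")
```

With the constructed records, MTTD comes out at 261 hours overall but 480 hours for alert-found incidents against 42 hours for hunt-found ones, which is the kind of split that shows whether the hunting program is actually pulling dwell time down.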
9. THREAT HUNTING PROGRAM | Intelligence
The use of information collection and analysis to provide guidance and direction to threat hunters in support of their theories and decisions.
• Buzzword within the industry; includes a wide range (from malware analysis to traffic monitoring, to open source, or specific info from solution vendors, etc.)
• The more granular, the better (need IPs, protocols, port numbers, domain names, URLs, etc.)
• Must be updated regularly (must be valid, relevant and timely)
• Must have context to be actionable and to provide value to your threat hunting
• Helps maximize the effectiveness of your security resources by allowing them to focus their time on the highest risk areas and high priority events
• Focus more on TTPs and trends, rather than specific IoCs; think about how it may relate to known/on-going attack campaigns
10. THREAT HUNTING PROGRAM | Risks
1) Too much reliance on “hunting tools” or any singular data type:
– Logs lie
– Endpoint security tools miss things
– Vendors can’t fully automate hunting
2) Alert-centric workflows
3) Open loop processes
4) Bias and fatigue (mix it up to keep the work interesting)
5) Failure to keep up with latest news / intelligence
11. THREAT HUNTING PROGRAM | Summary
COMPREHENSIVE APPROACH:
• Network, host, and log data
• Cyclical / Closed Loop Approach
– Begin with a question, theory, or metric and work toward answering that question through research and proactive hunting.
– Build repeatable process workflows and queries back into your tools, through custom content, as you learn.
• Seek to reduce mean-time-to-detection and response; find intrusions and compromises more quickly, and earlier in the cyber attack chain
• Train. Change it up. Train some more. Repeat.
• Continuous learning; revisit investigations and hunting techniques!
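The closed loop the summary describes, as an added example that is not from the presentation: a hunt starts from a hypothesis (an account performing network logons to many distinct hosts in a short window, which is what credential reuse during lateral movement looks like), the query is run over logon records, and once it proves useful it is registered as a named, parameterised detection so it runs every time rather than once. The flattened key=value log format, the host and user names, the addresses and the thresholds are all constructed for illustration; the unparseable last line is there deliberately, since logs lie and a hunt query must not fall over on them.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample of logon records flattened to one key=value line each (hypothetical
# hosts, users and addresses). The last line is deliberately malformed.
SAMPLE_LOGONS = """\
2016-05-02T01:10:00 user=svc_backup host=FS-01 src=10.0.8.5 type=network
2016-05-02T01:12:00 user=svc_backup host=FS-02 src=10.0.8.5 type=network
2016-05-02T01:15:00 user=svc_backup host=DC-01 src=10.0.8.5 type=network
2016-05-02T01:16:00 user=svc_backup host=WS-117 src=10.0.8.5 type=network
2016-05-02T01:18:00 user=svc_backup host=WS-118 src=10.0.8.5 type=network
2016-05-02T08:30:00 user=jsmith host=WS-042 src=10.0.5.20 type=interactive
2016-05-02T09:05:00 user=jsmith host=FS-01 src=10.0.5.20 type=network
2016-05-02T09:40:00 user=akhan host=WS-077 src=10.0.5.31 type=interactive
2016-05-03T10:00:00 user=svc_backup host=FS-01 src=10.0.8.5 type=network
this line is not a logon record
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) src=(?P<src>\S+) type=(?P<type>\S+)$"
)


def parse_logons(text: str) -> Tuple[List[dict], int]:
    """Parse the flattened records. Unparseable lines are skipped and counted, never guessed at."""
    events, skipped = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events, skipped


def fanout_query(events: List[dict], window: timedelta, min_hosts: int) -> List[dict]:
    """Hunt hypothesis: one account reaching >= min_hosts distinct hosts via network logons
    inside `window`. Returns one finding per account so the hunter has a pivot point."""
    by_user: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        if e["type"] == "network":
            by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            hosts = {e["host"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(hosts) >= min_hosts:
                findings.append({"user": user, "window_start": start["ts"].isoformat(),
                                 "hosts": sorted(hosts)})
                break
    return findings


# The closed loop: a hypothesis that has been hunted and found useful is kept as a named,
# parameterised query (custom content) instead of living in one analyst's shell history.
DETECTIONS: Dict[str, dict] = {
    "network_logon_fanout": {
        "hypothesis": "an account reaches >= 4 distinct hosts over network logons within 1h",
        "query": fanout_query,
        "params": {"window": timedelta(hours=1), "min_hosts": 4},
    },
}


def run_detections(events: List[dict], detections: Dict[str, dict] = DETECTIONS) -> Dict[str, List[dict]]:
    """Run every registered detection over the event set; returns findings keyed by detection name."""
    return {name: d["query"](events, **d["params"]) for name, d in detections.items()}


if __name__ == "__main__":
    events, skipped = parse_logons(SAMPLE_LOGONS)
    print(f"parsed {len(events)} records, skipped {skipped} unparseable line(s)")
    for name, hits in run_detections(events).items():
        print(name, hits)
```

The thresholds in `DETECTIONS` are the part a team tunes as it learns: the hunt that found the constructed `svc_backup` fan-out at four hosts in an hour would produce nothing at a two-minute window, and revisiting those parameters against new investigations is the "continuous learning" step of the loop.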