Cyber Threat Hunting: Why Businesses Should Take the Time to Get it Right

May 182017
Cyber Threat Hunting: Why Businesses Should Take the Time to Get it Right

By Rick Delgado, Freelance Automation Writer

As threat levels rise within the cybersecurity world, it’s important that businesses invest in integrated security solutions. As businesses incorporate cyber threat hunting, they are able to search through networks and datasets in order to detect threats that may evade existing automated tools. Threat hunting uses both manual and machine-assisted techniques aimed at finding tactics, techniques and procedures of advanced adversaries. Hunting utilizes a hypothesis-driven approach often supported by behavioral analytics.

Threat hunting is becoming more and more popular in the business industry. When it is done correctly, the concepts, processes and strategies are of critical importance to the security of an organization. Like anything, implementing a threat hunting system takes time to get it right. Establishing and properly running a threat hunt team requires patience and a carefully calculated plan. One such process is to consider is the Threat Hunting Maturity Model that was developed and released by SQRRL.

The maturity level of a threat can be determined by the quantity and quality of the data that the organization regularly collects. The higher the volume and the greater the variety of data provided to an analyst, the more results they will find and the more effective they will be as a hunter. The Threat Hunting Maturity Model (HMM) mentioned above consist of five levels; zero to four.

 

Level Zero

Level zero is known as the Initial Level or HM0. At this level, an organization relies on automated alerting tools to detect malicious activity across the enterprise. In this stage, feeds of signature updates or threat intelligence indicators are often incorporated. Organizations can even create their own signatures or indicators, but these are fed directly into the monitoring systems. Generally at this level, human effort and involvement is directed toward alert resolution.

 

Level One

The next level, HM1, is known as the Minimal Level. This is where an organization relies generally on automated alerting to drive their incident response process. They often base their detection decisions largely upon their available threat intelligence. Organizations at this level tend to track the latest threat reports from a combination of open and closed sources.

 

Level Two

HM2, or level two, is also referred to as the Procedural Level. Organizations at this level have the ability to learn and apply different procedures developed by others on a regular basis, and can make minor changes. At this level, though, they are not yet capable of creating new procedures for themselves. Organizations at HM2 collect large amounts of data from across their enterprise. This level is the most common level of capability among organizations with active hunting programs.

 

Level Three

Level three, HM3, is also known as the Innovate Level. Organizations at this level have at least a few hunters with the knowledge of a variety of different types of data analysis techniques and are able to apply them in order to identify malicious activity. At this level, organizations are creating and publishing their own  procedures instead of using those developed by others.

 

Level Four

The final level, HM4, is referred to as the Leading Level. HM4 is similar to HM3 but with one big difference: automation. At this level, any hunting process that proves to be successful will be operationalized and turned into automated detection. This frees analysts from the burden of running the same process over and over, and allows them to instead concentrate on improving existing processes or creating new ones.

 

Go Right or Go Home

Business have been trying for years to find the best, most efficient way, to detect threats and shut them down before they happen. If one was to use cyber threat hunting, it needs to be conducted systematically and programmatically. Of course, none of this matters if a business or individual does it incorrectly. Incorrect information within threat hunting can’t help a business succeed and is more likely to do the opposite. Threat hunting is all about piecing together different sources of data to build a picture of the future attack.

The maturity model can be used as a resource to help businesses take time to fully understand threat hunting. In order to help reduce the pains commonly associated with developing a hunt program, making HMM a foundation in a business’s hunt capabilities can allow businesses to work their way through the levels it takes to grow their hunt capability organically.

About the Author

Rick Delgado is a freelance technology writer and commentator. Connect with him on Twitter @ricknotdelgaldo.

MORE ARTICLES

VIEW ALL

RELATED