Here is how you should set up a threat hunting program.
How to Set Up a Threat Hunting Program
1. Develop a threat hunting program.
This may be a new program, or it could be an addition to your existing IR program. The first step is to develop a process and/or program that will allow you to hunt threats.
Next, you need to determine the scope of your program.
- Are you going to focus on specific threats or will you take a more general approach?
- Will the program focus on suspicious user activity or will it focus on specific hosts that may have been compromised?
2. Identify the risks in your environment.
Threat hunting should be an extension of your existing IR process and should be geared towards finding what may have evaded your detection systems.
In other words, you need to identify the threats that have made it past your IDS/IPS, AV, behavioral monitoring, and other detection systems.
- What is the environment that your organization operates in?
- Are there certain areas that are riskier than others?
- Are there certain times of the day when you are more at risk?
It is very important to understand what is unique about your environment and what risks may be present.
3. Define success for threat hunting.
Defining success for threat hunting can sometimes be difficult because it depends on what you are trying to accomplish.
- Are you trying to find a specific threat?
- Are you trying to find signs of a breach?
- What are you looking for?
It is very important to define a specific goal for your threat hunt. Otherwise, it will be very difficult to know if you were successful or not.
4. Create an inventory of suspicious indicators.
After you have identified what threats are in your environment, you need to create an inventory of suspicious indicators related to these threats. This can include things such as malicious tools, techniques, and procedures (TTP).
The idea here is to build a list of things that would indicate a given threat has been active in your environment. This should not be an exhaustive list; rather, it should include those items that are most likely going to be present if that threat has been active in your environment.
5. Identify changing or stationary indicators.
You want indicators that will change if someone has compromised a host or network or if they have installed malicious software on the system.
For example, if an attacker has installed malicious software on a server, then every time he accesses the server he may leave behind some evidence of his activity on the machine; this could include things such as malware binaries, configuration files, and command history files (among others).
6. Identify the data sources for these indicators.
After you have identified the indicators you are looking for, the next step is to find the data sources that can provide you with this information.
- Is the data stored on a host?
- How can you collect it?
- Is it stored in log files?
- Is it stored in network traffic?
- What tools can help you collect this information?
Final Thoughts
In summary, you need to identify indicators that will indicate that a system has been compromised, infected, or used by an attacker. You will also want to identify stationary indicators that may not change but can still be used to identify suspicious activity.