The Evolution of Threat Hunting Content

As organizations strive to mature their threat hunting processes, they’re increasingly finding that solid threat hunting content is at the heart of their efforts.

According to a recent study by SANS Institute, when organizations were asked what needs to improve to mature threat hunting operations, the top two answers were an increase in:

  • Qualified staff to run the hunts (53%)
  • Enhanced contextual awareness from intelligence sources and tools (51%)

Threat hunting content squarely addresses that second point, and it eases the staffing problem as well because it makes existing staff more productive. This kind of content is very different from threat intelligence. Threat intelligence is a raw input; threat hunting content is active: it operationalizes and contextualizes raw threat intelligence from numerous sources into something a hunter can actually run.


Threat hunting content typically takes the form of searches or queries upon security-related log data, looking for a very specific cross-section of attack traits that are synthesized from a range of different available threat intelligence information.

Mining Big Data Stores

The ideal threat hunting content takes advantage of the security data consolidation that has been happening over the past five years, in which so much security telemetry has been funneled into big data platforms like Splunk, Elasticsearch and the ELK Stack, QRadar and so on. Before this consolidation occurred, threat hunters had to rely far more on manual vulnerability scans, packet captures, and old-school sifting through data on individual systems to proactively find evidence of hidden threats.

Well-crafted threat hunting content can find the logical connections between threat activity data that is collected from disparate systems and stored on these big data platforms. We need these queries because, even though the data is aggregated, it still must be mined for the information relevant to a specific hunt and pieced together. The difficulty is that there is little standardization in what the logs look like from one source to the next, or in what the search syntax within the threat content should look like from one platform to the next. On top of that, it takes a great deal of skill and experience to define all the relevant traits the hunter is seeking, based on the threat intelligence available about any given threat.
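To make the two preceding points concrete (a hunt query as a cross-section of attack traits, and the need to normalize and join logs from disparate, differently formatted sources), here is an added example. It is illustrative code written for this page, not Cyborg Security's content or any platform's query language, and everything in it is assumed: the two log formats, the sample lines, the indicator list, the trait definition and the function names are all constructed for illustration. It normalizes JSON endpoint events and space-delimited proxy lines into one schema, then joins two traits by host within a time window: an encoded, hidden PowerShell launch followed shortly by an outbound connection to an address on an indicator list.

```python
"""Hypothetical hunt: encoded, hidden PowerShell followed within minutes by
an outbound connection from the same host to an intel-listed address."""
import json
import re
from datetime import datetime, timedelta

# Constructed sample telemetry in two different log shapes (made up for this
# example, not from any real platform): JSON endpoint events and
# space-delimited proxy lines.
ENDPOINT_LOGS = [
    r'{"ts": "2024-03-01T10:00:02Z", "host": "ws-17", "event": "process_create", '
    r'"image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", '
    r'"cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"}',
    r'{"ts": "2024-03-01T10:05:00Z", "host": "ws-22", "event": "process_create", '
    r'"image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe"}',
    r'{"ts": "2024-03-01T11:30:00Z", "host": "ws-31", "event": "process_create", '
    r'"image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", '
    r'"cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"}',
]
PROXY_LOGS = [
    "2024-03-01 10:00:09 ws-17 CONNECT 203.0.113.45:443 ua=Mozilla/4.0",
    "2024-03-01 10:05:03 ws-22 GET http://intranet.example/ ua=Mozilla/5.0",
    "2024-03-01 13:30:00 ws-31 CONNECT 203.0.113.45:443 ua=Mozilla/4.0",
]
# Constructed indicator list standing in for a threat-intel feed
# (203.0.113.0/24 is a documentation range, not a real adversary).
INTEL_IPS = {"203.0.113.45"}

IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
PROXY_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+)")


def parse_endpoint(line):
    """Normalize a JSON endpoint event into the common schema."""
    rec = json.loads(line)
    return {
        "ts": datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "host": rec["host"],
        "image": rec.get("image", ""),
        "cmdline": rec.get("cmdline", ""),
    }


def parse_proxy(line):
    """Normalize a space-delimited proxy line into the common schema."""
    m = PROXY_RE.match(line)
    if not m:
        return None
    ip = IPV4_RE.search(m.group(4))  # destination may be ip:port or a URL
    return {
        "ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
        "host": m.group(2),
        "dest_ip": ip.group(0) if ip else None,
    }


def is_encoded_hidden_powershell(ev):
    """Trait 1: PowerShell launched with a hidden window and an encoded command."""
    cmd = ev["cmdline"].lower()
    return (ev["image"].lower().endswith("powershell.exe")
            and "-enc" in cmd and "-w hidden" in cmd)


def hunt(endpoint_lines, proxy_lines, intel_ips, window=timedelta(minutes=5)):
    """Join trait 1 with trait 2 (intel-listed destination) by host within `window`."""
    procs = [parse_endpoint(l) for l in endpoint_lines]
    conns = [c for c in (parse_proxy(l) for l in proxy_lines) if c]
    findings = []
    for p in procs:
        if not is_encoded_hidden_powershell(p):
            continue
        for c in conns:
            if (c["host"] == p["host"] and c["dest_ip"] in intel_ips
                    and p["ts"] <= c["ts"] <= p["ts"] + window):
                findings.append({"host": p["host"], "process_ts": p["ts"],
                                 "connect_ts": c["ts"], "dest_ip": c["dest_ip"]})
    return findings


if __name__ == "__main__":
    for f in hunt(ENDPOINT_LOGS, PROXY_LOGS, INTEL_IPS):
        print(f"{f['host']}: encoded PowerShell at {f['process_ts']:%H:%M:%S}, "
              f"then {f['dest_ip']} at {f['connect_ts']:%H:%M:%S}")
```

On the sample data only ws-17 is reported: ws-22 never runs the suspicious PowerShell, and ws-31 reaches the listed address two hours after its launch, outside the five-minute window. That last case is the point of the join: each trait on its own is noisy, and the time-bounded correlation across two sources is what the hunt content encodes. In a real deployment the parsers would be replaced by the platform's own field extractions and the query expressed in its search language, but the trait definitions and the join logic are what carry over.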

Scaling Threat Hunting Content Development

As a result, most threat hunting content requires a great deal of labor to develop, and it can be difficult for organizations to scale up their production of this content.

The mission at Cyborg Security is to help organizations jumpstart the threat hunting process by augmenting their practices with ready-made and timely threat hunting content developed by a team of some of the most experienced threat hunters in the world. This team has been streamlining how it develops its queries and automated hunts so that they can be plugged directly into a variety of big data platforms, security information and event management (SIEM) products, and other security platforms. This can be a tremendous help in establishing repeatable processes, even in the face of employee turnover. While threat hunting content does not automate the entire hunt, it does give threat hunting teams a common starting point.

For more on threat hunting content read our blog, Threat Content, Not Automation, Fuels Effective Threat Hunting.
