Threat Hunting & Threat Content Creation
Threat hunting, as a practice, will often identify new or previously undetected threats hidden within an environment. With the right tools, data, and time, skilled threat hunters are able to “find the bad” that traditional security controls have missed. This practice provides exceptional depth to an organization’s security program; however, it is also one of the most expensive and slow-to-develop functions for a security team to build.
In order to realize the return on investment (ROI) for that effort, security leaders should keep in mind that, when done well, a threat hunting program isn’t just there to serve as a backstop against so-called advanced persistent threats (APT) for organizations. The best security programs integrate hunt teams into the overall security operations cycle. With that tight integration, security operations teams can leverage the outputs of successful hunts as inputs for other teams, ultimately driving better detection, increased efficiency, and improved risk reduction for the organization.
One of the most obvious symbiotic relationships that threat hunting will have is with traditional defenders in a blue team. Ideally, the findings from successful hunts can serve as a critical input for threat detection content creation, which will make it possible to more quickly detect a broader range of actors, toolsets, and malware in an environment.
Breaking Down the Process
Upon the completion of a successful hunt, it is likely that hunt teams will have discovered previously unknown threats within an environment. As a matter of course, these hunters will be digging further into adversary activity and identifying the attacker’s tools and techniques. In that process they are likely to find various characteristics of the attack, such as indicators of compromise (IOC), including how the threat works, specific artefacts, communication patterns, and so on.
Ideally, hunt teams should not repeat hunts in order to keep detecting the same threats; rather, the same hunting techniques should be reused to detect new threats. In order to avoid reinventing that wheel, threat hunters, incident responders, and—if they are on the team—reverse engineers should team up to develop new, or enrich existing, detection content derived directly from the information they gathered during the hunt. This content can then be pushed into the organization’s traditional security controls and be handled by conventional defenders moving forward.
This type of content development can take a number of formats: specific indicators such as IPs, domains, and hashes can be used to sweep an environment for further compromise, while more complex indicators can be deployed as specific SIEM or big data queries, IDS signatures, or even pushed to endpoint tools using a format like YARA.
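The two content formats named above, an indicator sweep and a YARA rule, as an added example that is not from the original post or from Cyborg Security. The hunt findings, the hash, and the log lines are all constructed placeholders (the IP is from the RFC 5737 documentation range); the YARA rendering assumes YARA's standard `hash` module is available on the endpoint tool that consumes it.

```python
"""Turning hunt findings into detection content (added example).

Assumptions: a hypothetical hunt produced the constructed indicators below,
the log lines are constructed samples rather than real telemetry, and the
endpoint tool accepts YARA rules that import the standard "hash" module.
"""
import re
from dataclasses import dataclass

# Constructed hunt findings (placeholders, not real IOCs).
HUNT_FINDINGS = {
    "ips": {"203.0.113.42"},                          # RFC 5737 documentation range
    "domains": {"update-check.example.net"},
    "sha256": {"a" * 64},                             # placeholder hash
    "strings": ["cfg_beacon_interval", "X-Session-Token: "],  # artefacts seen in the sample
}

# Constructed log lines to sweep (proxy, DNS, and EDR file events).
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z proxy src=10.0.0.5 dst=203.0.113.42 host=update-check.example.net status=200",
    "2024-05-01T10:00:02Z dns client=10.0.0.7 query=www.example.org rcode=NOERROR",
    "2024-05-01T10:00:03Z dns client=10.0.0.9 query=update-check.example.net rcode=NOERROR",
    "2024-05-01T10:00:04Z edr host=WS12 event=file_write sha256=" + "a" * 64 + " path=C:\\Users\\Public\\svc.dll",
    "2024-05-01T10:00:05Z edr host=WS14 event=file_write sha256=" + "b" * 64 + " path=C:\\Temp\\notes.txt",
]


@dataclass
class Match:
    line_no: int
    indicator_type: str
    indicator: str
    line: str


def sweep_logs(findings, logs):
    """Sweep log lines for exact indicator hits and return a list of Match.

    Lines are tokenised on whitespace and key=value separators so that
    "dst=203.0.113.42" matches the bare IP without substring false positives
    (e.g. 203.0.113.4 inside 203.0.113.42).
    """
    matches = []
    for n, line in enumerate(logs, 1):
        tokens = set(re.split(r"[\s=,]+", line))
        for itype, key in (("ip", "ips"), ("domain", "domains"), ("sha256", "sha256")):
            for indicator in findings[key]:
                if indicator in tokens:
                    matches.append(Match(n, itype, indicator, line))
    return matches


def hosts_from_matches(matches):
    """Collect the internal client/host field from matched lines for triage."""
    hosts = set()
    for m in matches:
        found = re.search(r"(?:src|client|host)=(\S+)", m.line)
        if found:
            hosts.add(found.group(1))
    return sorted(hosts)


def render_yara_rule(name, findings):
    """Render a YARA rule from the hunt's string artefacts and file hash."""
    lines = [
        'import "hash"',
        "",
        f"rule {name}",
        "{",
        "    meta:",
        '        source = "derived from hunt findings"',
        "    strings:",
    ]
    for i, s in enumerate(findings["strings"]):
        escaped = s.replace("\\", "\\\\").replace('"', '\\"')
        lines.append(f'        $s{i} = "{escaped}" ascii wide')
    hash_checks = " or ".join(
        f'hash.sha256(0, filesize) == "{h}"' for h in sorted(findings["sha256"])
    )
    lines += ["    condition:", f"        any of ($s*) or {hash_checks}", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    hits = sweep_logs(HUNT_FINDINGS, SAMPLE_LOGS)
    for m in hits:
        print(f"line {m.line_no}: {m.indicator_type} {m.indicator}")
    print("hosts to triage:", hosts_from_matches(hits))
    print(render_yara_rule("hunt_derived_sample", HUNT_FINDINGS))
```

The sweep is the "cheap" form of content: exact-match indicators that conventional defenders can run across historical logs immediately. The rendered YARA rule is the more durable form, since the string artefacts keep matching when the sample is rebuilt with a new hash.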
Similarly, a successful threat hunting exercise can also provide a wealth of detail for updating existing documentation, including analysis techniques and threat mitigation procedures. Organizations should consider incorporating the findings, details, and techniques used by the hunt teams to create or update playbooks and runbooks, to better equip analysts in responding to these new threats and to drive more efficient response.
Get the Most Out of Your Threat Hunting Program
When security operations teams build threat detection content development into the overall hunting cycle, they’re ensuring that they’re getting the most from their threat hunting program. Hunt teams serve as a force multiplier for security operations, and the results of successful hunts should also be providing fuel for longer term detection of new and emerging threats.
Building out your threat hunting program and elevating your analysts is always a rigorous process. However, the effort is worth it – especially since there is no replacement for the human element in the SOC. Cyborg Security’s focus is making threat hunting more accessible by delivering tailored hunt and detection packages that enable all analysts to become hunters and evolve traditional security operations. To assist in the process, we consistently create educational materials about threat hunting, including our latest blog, The Evolution of Threat Hunting Content.
About the Author
Josh Campbell (“Soupy”) is a veteran of the Canadian Armed Forces where he was employed as a signals intelligence analyst performing cyber threat intelligence and threat hunting with the Canadian Forces Network Operations Centre (CFNOC). After transitioning to the private sector, he has worked with both managed security service providers (MSSPs), as well as enterprise teams, to design and implement threat intelligence programs as well as training security and intelligence analysts in both North America and Asia. Josh is currently employed as the Cyber Threat and Operations Lead with Cyborg Security.