FEATURE
and every time, but you can begin measuring the success and quality of the data sets to determine what is and what isn't leading to improvements.
3. Advocate for getting new data embedded into the process. As the organisational threat model changes, gaps in coverage can quickly be identified. This allows a case to be made for collecting and leveraging new data sources to accomplish the hunting goals.
Greg Iddon, Senior Product Marketing Manager, Managed Threat Response, Sophos

Organisations new to threat hunting often overextend the scope of data source identification. This is especially the case for those that take the SIEM approach to data collection and aggregation. It is not the volume of data that matters, but one's ability to identify threats within that data. It is far better to take a threat-centric approach to data collection, whereby a type of threat or vector is considered first and then the data that aids detection of that threat is identified for collection. Frameworks like MITRE's ATT&CK are invaluable tools for mapping threat hunting capabilities and revealing blind spots.
Another common failure during data collection is not making full use of a data source's potential. To give an example, Microsoft Windows event logs are an incredibly powerful source of data for threat hunters, but the default security audit policy leaves many events either unlogged or logged without enough detail to aid hunters, and it requires manual reconfiguration to tune up the level of event detail. Care and consideration must be given to each data source to avoid simple but common pitfalls such as this.
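As an added example of checking the audit-policy pitfall described above (this script is not from the article or from Sophos), the following PowerShell reports which hunter-relevant audit subcategories are still at "No Auditing" and whether process-creation events carry the command line. It assumes an elevated session on an English-language Windows host; the list of subcategories is this example's own choice.

```powershell
# Added example (not from the article): flag audit subcategories that threat hunters
# commonly rely on but that the default Windows security audit policy leaves off.
# Assumptions: elevated PowerShell, English auditpol subcategory names.

# Subcategories chosen for this example; adjust to the organisation's threat model.
$wanted = @(
    'Process Creation',
    'Process Termination',
    'Logon',
    'Logoff',
    'Special Logon',
    'Security Group Management',
    'User Account Management',
    'Audit Policy Change',
    'Other Object Access Events',
    'Filtering Platform Connection'
)

# /r makes auditpol emit CSV with an 'Inclusion Setting' column
# (e.g. "No Auditing", "Success", "Failure", "Success and Failure").
$policy = auditpol /get /category:* /r | ConvertFrom-Csv

foreach ($name in $wanted) {
    $row = $policy | Where-Object { $_.Subcategory -eq $name }
    if (-not $row) {
        Write-Warning "Subcategory '$name' not found in auditpol output"
        continue
    }
    $setting = $row.'Inclusion Setting'
    $status  = if ($setting -eq 'No Auditing') { 'MISSING' } else { 'ok     ' }
    Write-Output ("{0}  {1,-32} {2}" -f $status, $name, $setting)
}

# Event 4688 (process creation) only includes the full command line when this
# policy value is 1; without it the event is of limited use to hunters.
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
$prop = Get-ItemProperty -Path $key -Name ProcessCreationIncludeCmdLine_Enabled -ErrorAction SilentlyContinue
if ($prop.ProcessCreationIncludeCmdLine_Enabled -eq 1) {
    Write-Output 'ok       4688 command-line logging is enabled'
} else {
    Write-Output 'MISSING  4688 command-line logging (ProcessCreationIncludeCmdLine_Enabled) is not set'
}
```

Lines marked MISSING are candidates for the manual audit-policy tuning the text refers to; the settings themselves should be changed through the organisation's normal Group Policy process rather than ad hoc on individual hosts.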
Use of hunting data
Hunting by design is there to identify potential threats that circumvent conventional monitoring controls. This requires formalised procedures and workflow to ensure that as new hunting hypotheses are generated, they can easily flow through the 'system' and go through the necessary testing, analysis and refinement.
The end goal of any hunting team should be to automate and enhance current procedures. To be more specific, as the hunting team completes hunts and those hunts turn up malicious or anomalous activity that is worthy of investigation, those methods should be taken and turned into automated searches or queries that can be run by the monitoring team. The threshold for this promotion will vary between organisations and teams, but it is an important step to keep the hunt team looking forward at new possible threats.
50 Issue 27 | www.intelligentciso.com