Threat hunting has become a hot topic throughout the cybersecurity community and a common activity within many information security programs. What is the goal of a hunt, and what real value does it bring to the business?
Threat hunting has become a hot topic throughout the cybersecurity community and a common activity within many information security programs. What is the goal of a hunt, and what real value does it bring to the business? That's precisely what we get into during today's episode.
The act of threat hunting sounds really cool, and it definitely seems like it would be a lot of fun. With all its allure, it's no wonder many InfoSec professionals want to hunt.
What makes it so appealing? Perhaps—unlike a formal penetration test where there are pre-defined boundaries and rules—a hunt is a bit more like the Wild West where there are no rules, no boundaries, no holds barred. It is a free-for-all with no guidelines to follow. Or is it?
The trigger for this conversation came from a tweet from @tazwake that crossed my feed. It prompted me to consider the role of threat hunting within a security program and how the InfoSec organization, and the business can justify the investment. If it's all loosey-goosey in its definition, action, and results, how can it be successfully measured and quantified?
As we dig into this during the conversation, there are many burning questions that we attempt to address this top-level query:
The truth is, none of the answers to the above question matter if we can't connect it back to the business. Did the hunt reduce exposure, did it reduce risk, did it help boost the security posture—examples which should link back to the top and bottom lines in the business. This may seem harder than it sounds. It may just be. Let's see what our guests have to say.
"Don't be afraid of threat hunting. It sounds fancy and shiny. But in reality, it is just leveraging a lot of things that we've been doing for a very long time—having expert threat hunters that are knowledgeable across a broad range of security is great, but your entry-level analysts can show value in a threat hunt as well."—Neil R. Wyler
"I've always said that it's not about how many threat hunts that you do, it's the actionable impact that you have from your threat hunts."—Lauren Proehl
"We have a very large organization at DHS, the Cybersecurity Infrastructure Security Agency (CISA) and we've had to describe very technical events and activities in non-technical ways because our communications go vertically, they go horizontally, they go every direction you can imagine."—Alexis Wales
Alexis Wales, Deputy Associate Director, Threat Hunting, Cybersecurity and Infrastructure Security Agency (CISA), U.S. Department of Homeland Security
Lauren Proehl, Manager, Threat Hunting Operations and Research (THOR) for a Fortune 200 (@jotunvillur on Twitter)
Neil R. Wyler (Grifter), Threat Hunting and Incident Response Specialist, RSA Security (@Grifter801 on Twitter)
This Episode's Sponsors:
The Twitter post that triggered the inspiration for this episode: https://twitter.com/tazwake/status/1322267503284944897
Related Podcast: Day In The Life Of A Cyber Threat Intelligence Analyst | A Conversation With Remi Cohen, Charity Wright, And Jason Passwaters: https://itsprad.io/the-academy-357
MITRE ATT&CK: https://attack.mitre.org
DFIR and Threat Hunting Blog: https://findingbad.blogspot.com
Threat hunting focused conference: https://www.sans.org/event/threat-hunting-and-incident-response-summit-2020
Whitepaper on developing a hypothesis to hunt - Generating Hypotheses for Successful Threat Hunting: https://sans.org/reading-room/whitepapers/threats/generating-hypotheses-successful-threat-hunting-37172
Some Twitter accounts to follow:
Nicole Beckwith - https://twitter.com/NicoleBeckwith
David J Bianco - https://twitter.com/DavidJBianco
Jack Crook - https://twitter.com/jackcr
Grifter - https://twitter.com/Grifter801
Yonathan Klijnsma - https://twitter.com/ydklijnsma
Ryan Kovar - https://twitter.com/meansec
Robert M Lee - https://twitter.com/RobertMLee
Rob T Lee - https://twitter.com/robtlee
Katie Nickels - https://twitter.com/likethecoins
Michael Rea - https://twitter.com/ComradeCookie
To see and hear more Redefining Security content on ITSPmagazine, visit:
Are you interested in sponsoring an ITSPmagazine Channel?