Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Building a Successful Threat Hunting Program


Published on

Understanding the key components necessary to build a successful threat hunting program starts with visibility, the appropriate tools and automation. Skilled, experienced analysts, engineers and incident responders with analytical minds who can apply concepts and approaches to a variety of different toolsets are also instrumental to the process. In this presentation, We'll describe and discuss some of the most common challenges, recommended best practices, and focus areas for achieving an effective threat hunting capability based on lessons learned over the past 15 years.

Published in: Technology
  • Be the first to comment

Building a Successful Threat Hunting Program

  1. 1. E16-SPGC. This document does not contain technology or Technical Data controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations. Copyright. Unpublished Work. Raytheon Company. Customer Success Is Our Mission is a registered trademark of Raytheon Company [Proactive Security] Building a Threat Hunting Program Presented by: Carl Manion Managing Principal
  2. 2. Proactive Threat Hunting • Proactive Threat Hunting refers to proactively and iteratively searching through networks or datasets to detect and respond to advanced threats that evade traditional rule- or signature-based security solutions. • Threat hunting combines the use of threat intelligence, analytics, and automated security tools with human smarts. • Rather than waiting for the inevitable data breach to happen, proactively scout around for and hunt down bad actors and malicious activity on your networks. 2
  3. 3. THREAT HUNTING PROGRAM | Key Components 3 1) Starts with Visibility. 2) Tools and Automation are important. 3) Training is critically important. 4) Requires skilled, experienced analysts, engineers, and incident responders. 5) Metrics are important. 6) Intelligence is more than a buzzword. VISIBILITY TOOLSMETRICS TALENT TRAINING INTELLIGENCE 1 2 34 5 6
  4. 4. THREAT HUNTING PROGRAM | Visibility • Network traffic, hosts, end-points, logs, threats • Must be able to easily pivot and build timelines • Hunting can be time consuming, so access and performance must be part of your key considerations • Investigation directly supports detection and response 4 1
  5. 5. THREAT HUNTING PROGRAM | Tools & Automation • SIEM • NMS / IDS / IPS • EDR • Threat “Intelligence” Feeds/Platform/Services • SOC Orchestration / Workflow Automation • Overall, requires platforms more than tools; let the smart humans define what they need to see 5 2
  6. 6. THREAT HUNTING PROGRAM | Training • Define the results for the skills or capabilities you hope to attain • Outline training plans / topics / objectives; align with threat hunting strategy and plans • Mentoring / Teaming / On-the-job training (OJT) • Informal training counts too! • List job/role related training expectations of staff • Remember to account for training costs; timeframes; schedules 6 3
  7. 7. • Well rounded individuals • Driven / Motivated to learn • Analytical mind, able to apply concepts and approaches to variety of different toolsets • Able to think like adversary; can transition between defensive/offensive mindset • Train, train, train! 7 THREAT HUNTING PROGRAM | Skills (Talent) Responds to Alarms. Searches for Clues. 4
  8. 8. THREAT HUNTING PROGRAM | Metrics • Attack “Dwell Time” – What is it? Lifespan of an Attack; How long the attacker was in your environment. – Why it matters: The longer the attacker has to operate in your environment, the more damage they can do. – The goal is to reduce dwell time as much as possible, so attackers do not have time to achieve lateral movement and remove critical data. • Mean Time to Detection – What is it? The mean (average) time it takes to detect malicious or anomalous activity within an environment. – Why it matters: Identifying and containing an attacker, as quickly as possible, is of paramount importance to minimize damage. 8 Focus Areas To Reduce Dwell Time: 1. Fundamental security controls 2. Granular visibility and correlated intelligence 3. Continuous endpoint monitoring 4. Actionable prediction of human behavior 5. User awareness (user behavior analysis) 5 Examples:
  9. 9. 9 THREAT HUNTING PROGRAM | Intelligence 6 • Buzzword within the industry; includes wide range (from malware analysis to traffic monitoring, to open source, or specific info from solution vendors, etc.) • The more granular, the better (need IPs, protocols, port numbers, domain names URLs, etc.) • Must be updated regularly (must be valid, relevant and timely) • Must have context to be actionable and to provide value to your threat hunting • Helps maximize the effectiveness of your security resources by allowing them to focus their time on the highest risk areas and high priority events • Focus more on TTPs and trends, rather than specific IoCs; think about how it may relate to known/on-going attack campaigns The use of information collection and analysis to provide guidance and direction to threat hunters in support of their theories and decisions.
  10. 10. 1) Too much reliance on “hunting tools” or any singular data type: Logs lie Endpoint security tools miss things Vendors can’t fully automate hunting 2) Alert-centric workflows 3) Open loop processes 4) Bias and fatigue (mix it up to keep the work interesting) 5) Failure to keep up with latest news / intelligence 10 THREAT HUNTING PROGRAM | Risks
  11. 11. COMPREHENSIVE APPROACH:  Network, host, and log data  Cyclical / Closed Loop Approach  Begin with a question, theory, or metric and work toward answering that question through research and proactive hunting.  Build repeatable process workflows and queries back into your tools, through custom content, as you learn.  Seek to reduce mean-time-to-detection and response; find intrusions and compromises more quickly, and earlier in the cyber attack chain  Train. Change it up. Train some more. Repeat.  Continuous learning; Revisit investigations and hunting techniques! 11 THREAT HUNTING PROGRAM | Summary
  12. 12. 2/10/2017 12