Table of Contents
- Identify A Cyber Threat Hunting Team
- Define a Threat Hunt Timeline based on Your Team’s Bandwidth
- Outline A High-Level Mission
- Make A List Of The Mission’s Goals And Objectives
Do you and your team wish to begin proactively looking for threats in your environment?
If so, work through the threat hunting stages below, beginning with researching the threat you want to hunt before diving into the data. According to the 2020 Threat Hunting Survey, nearly half (47%) of respondents use an ad hoc hunting methodology tailored to their specific requirements, which often results in hours, if not days, being spent chasing loose ends.
We know this firsthand. We have refined and developed our methodology across repeated cycles of expanding our threat hunting team and skills across various sectors and situations. Now we'd like to share the lessons we've learned and the steps we take to build our threat hunts.
When developing a new threat hunting strategy at Cyberhunter Cyber Security, we follow these steps:
Identify A Cyber Threat Hunting Team
It is critical to find the right people to hunt in your environment. You may delegate hunting to newer team members, but they will need a more clearly defined methodology. We recommend assembling a team with a threat-centric mindset to hunt in the environment. Typically, someone who has been an analyst for 2-3 years will approach threat hunting efficiently.
Define a Threat Hunt Timeline based on Your Team’s Bandwidth
As we’ve seen, most businesses have around five hours to devote to a threat hunt, whereas we spend between ten and thirty hours per hunt. Given that time investment, we suggest designing hunts that can be completed in 10 hours or less; this way, the team member(s) executing threat hunts can accomplish more within an already busy schedule. A successful hunt yields at least one useful takeaway, whether a hygiene fix or a threat.
Outline A High-Level Mission
Before hunting for threats, it is critical to establish what is normal in your environment and to identify any hygiene concerns or logging gaps. This documentation should summarize your general purpose and allow you to connect it to different objectives. Generally, we advocate beginning with a baseline hunt and progressing to a threat-based hunt. Once you have a firm baseline, a useful way to plan hunts is to analyze the gaps that your threat detection content cannot or will not cover; these gaps may be associated with threat groups that target your business.
Common Pitfall: Teams tend to jump into advanced TTPs (Tactics, Techniques, and Procedures) before grasping the fundamentals. For the most successful threat hunts, we suggest beginning with a low level of threat hunting and gradually working up to that level.
Make A List Of The Mission’s Goals And Objectives
During your hunt, you’ll be working toward these goals. They should align with your overall mission and contain technical details on how to achieve them.
To begin, map the goals to a framework. This mapping allows you to fill in additional gaps that your alerts or detections are missing. It also lays the groundwork for a well-organized coverage strategy. Consider the following scenario for threat hunting using DNS queries:
For tracking purposes, indicate whether each objective is hygiene- or threat-related. This allows you to prioritize your threat hunting objectives and, if necessary, create multiple tiers for each objective. Using the same DNS query example as above, this may look like this:
- Hygiene: Determine the most frequently requested domains in the environment.
- Threat: Look for many DNS requests from a single server to numerous subdomains of one domain.
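As an added illustration of the two DNS objectives above (this is example code, not part of the original post or Cyberhunter's own tooling), the following Python script runs both checks over a constructed DNS query log. The four-field log format, the sample client IPs and names, the five-subdomain threshold and the "last two labels" base-domain rule are all assumptions made for the example.

```python
from collections import Counter, defaultdict

# Constructed sample of DNS resolver query logs (hypothetical four-field format:
# "<timestamp> <client-ip> <queried-name> <query-type>"); not real data.
SAMPLE_DNS_LOG = """\
2024-01-15T10:00:01Z 10.0.0.5 www.example.com A
2024-01-15T10:00:02Z 10.0.0.6 www.example.com A
2024-01-15T10:00:03Z 10.0.0.7 updates.vendor.test A
2024-01-15T10:00:04Z 10.0.0.5 mail.example.com A
2024-01-15T10:00:05Z 10.0.0.9 a1b2c3.tunnel.test TXT
2024-01-15T10:00:06Z 10.0.0.9 d4e5f6.tunnel.test TXT
2024-01-15T10:00:07Z 10.0.0.9 g7h8i9.tunnel.test TXT
2024-01-15T10:00:08Z 10.0.0.9 j0k1l2.tunnel.test TXT
2024-01-15T10:00:09Z 10.0.0.9 m3n4o5.tunnel.test TXT
2024-01-15T10:00:10Z 10.0.0.6 www.example.com A
2024-01-15T10:00:11Z 10.0.0.7 cdn.example.com A
"""


def parse_dns_log(text):
    """Parse the constructed log format into a list of query records."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, client, qname, qtype = parts
        records.append({
            "ts": ts,
            "client": client,
            "qname": qname.rstrip(".").lower(),  # normalise trailing dot and case
            "qtype": qtype.upper(),
        })
    return records


def split_name(qname):
    """Return (subdomain, base_domain) using a last-two-labels rule.

    This is a deliberate simplification for the example; production code
    should use the Public Suffix List so that names such as 'x.co.uk'
    are split correctly.
    """
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def top_queried_domains(records, n=5):
    """Hygiene objective: the n most frequently requested names."""
    return Counter(r["qname"] for r in records).most_common(n)


def find_subdomain_fanout(records, min_unique=5, allowlist=frozenset()):
    """Threat objective: clients querying many distinct subdomains of one base domain.

    Many unique subdomains under a single base domain from one client is a
    classic indicator of DNS tunnelling or beaconing; 'allowlist' lets
    known-good base domains found during the baseline hunt be excluded.
    """
    seen = defaultdict(set)  # (client, base_domain) -> set of subdomain labels
    for r in records:
        sub, base = split_name(r["qname"])
        if not sub or base in allowlist:
            continue  # apex queries carry no subdomain; skip baselined domains
        seen[(r["client"], base)].add(sub)
    findings = [
        {"client": client, "base_domain": base, "unique_subdomains": len(subs)}
        for (client, base), subs in seen.items()
        if len(subs) >= min_unique
    ]
    return sorted(findings, key=lambda f: f["unique_subdomains"], reverse=True)


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    print("Hygiene - top queried names:")
    for name, count in top_queried_domains(recs, n=3):
        print(f"  {count:>3}  {name}")
    print("Threat - subdomain fan-out per client:")
    for f in find_subdomain_fanout(recs, min_unique=5):
        print(f"  {f['client']} -> {f['unique_subdomains']} subdomains of {f['base_domain']}")
```

The hygiene pass feeds the threat pass: base domains that the baseline hunt confirms as normal (the most queried names, for instance) can be passed in `allowlist` so the fan-out check only reports what is not already understood, which is the tiering the section describes.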