Posts

Parallels with the Paradise Papers Investigation

I recently watched the Vice News Tonight hour-long show on the Paradise Papers. If you have HBO I highly recommend you give your time to this episode. If you don't have HBO, maybe try one of those free trials and still give it a try and then binge watch Game of Thrones while you are at it. You can also go read more about it on their website, but you won't get the insight into what it took for 400 journalists to hunt through the leaked documents.
https://news.vice.com/story/the-paradise-papers-present-a-serious-challenge-for-democracy
https://news.vice.com/story/everything-you-need-to-know-about-the-massive-paradise-papers-leak
The episode deep dives into the 9 month investigation of the journalists, the different angles they all decided to take on looking at the data, and the effort it took to validate their findings. Granted I think about threat hunting close to 12 hours a day, but I couldn't help but see the parallels between the ICIJ journalists' methods/

Threat Hunting Team Maturity Model

After talking about scaling a hunt team with the concept of "Pack Hunting" in my last post, now I want to approach a topic that has been weighing on my mind as the year comes to a close. How do I build a kickass hunt program? And how would I know if I did? Admittedly, this is on my mind because next year my program will have been around long enough to be audited, which means I need to be able to measure my program in an auditable way. I am not talking about the outcome of the program here, the hunting itself, but rather the processes and procedures that lead to the outcomes. The outcomes are currently measured using KPIs, but I haven't stress tested those enough to share yet. Developing a Threat Hunting & Research Team Maturity Model. Why a maturity model? As I looked into how to approach this question I came across the idea of using a maturity model. According to the Institute of Internal Auditors (IIA), a maturity model describes process components th

Pack Hunting

I have been busy celebrating weddings with families and friends for a few weekends, but I am back with the latest hurdle in program building - scalability. I haven't stopped working on the hunt analytic repo, but I have switched to playing in AWS DynamoDB. Traditionally hunting has been one hunter creating a hypothesis and then hunting on that hypothesis to find attacker activity. Current resources even take this a little further and have the disruption and eradication of the attacker activity also done by hunters. This approach may work for smaller organizations where one employee wears many hats, but it doesn't scale well and it makes it hard to tell a compelling story. So let's assume you are creating a Hunt Team, one that is only responsible for hunting and not burdened with incident response or remediation. How do you scale the team to cover as many high value targets as possible and tell a compelling story? Threat Hunting as a Pack. Experienced hunters

Hunt Technique Catalog | Playbook | Database

In my first post I went over some threat hunting models. For the R&D hunts, I mentioned that it would require every hunt to be cataloged. Then I started to try to create the outcome document from an R&D Hunt to share it with everyone and ran into a terminology roadblock of my own making. I couldn't seem to make progress on outlining the expected outcome from R&D Hunts, at least not in a concise way that would be easy for my team and my leadership to comprehend. So, I decided to use writing a post to walk myself through the process and the terminology. Campaigns & Hunts. Campaign - Description: Two or more hunts with a common objective. Outcome: A strategic product consolidating the findings from all hunts. Hunt - Description: 1 or more hunt techniques with a common objective. Outcome: A report containing actionable findings. Hunting Techniques. Hunting Technique - Description: A hypothesis applied to a specific domain, for a specific

Applying Detection to the Attacker Lifecycle

Thanks everyone for the encouraging comments on my first post and for taking the time to let me know it helped you out! 😁 Now for the next edition. Hunting is a form of detection. It's not monitoring, but it is detection. So let's take a quick look at creating a detection strategy and how it can include your hunt program. Use a Lifecycle for your Story. Your detection strategy needs to create a story that your senior leadership can easily understand. The Mandiant Attacker Lifecycle always made more sense to me than the Lockheed Martin Cyber Kill Chain, so I am going to use that as the story for my strategy. Pick whichever lifecycle works for you. There is also the MITRE Attack Lifecycle. Mandiant Attacker Lifecycle. For the sake of this post, I am going to say the lifecycle stage, Complete Mission, should be handled by DLP, backups (if the mission objective is destructive), and encryption. Alerting. You want to alert early in the lifecycle so you catch attackers

Building Operational Threat Hunting Models

A successful threat hunting program can't be a black box to the organization. The expense of such elite programs demands that executives easily comprehend the value to the organization. Of course, as the program develops, executive comprehension alone will not suffice and metrics will be necessary as well, but that's a post for another day. 5 Threat Hunting Models. I've begun to develop 5 Threat Hunting Models that I hope can be used to frame discussions about a threat hunting program and its objectives. This isn't the first iteration and I highly doubt it's the last iteration of the models. ADVERSARY MODEL. The Adversary Model is for creating hunts that target a specific adversary, for example APT 28. Hunters will review an adversary profile, hopefully created by your cyber threat intelligence team, to learn of the attackers' behaviors. Using this knowledge, hunters will create a hypothesis on finding those behaviors in our environments. Don't have your own CTI, do