Happy Threat Hunting

After talking about scaling a hunt team with the concept of " Pack Hunting " in my last post, now I want to approach a topic that has been weighing on my mind as the year comes to a close. How do I build a kickass hunt program? And how would I know if I did? Admittedly, this is on my mind because next year my program will have been around long enough to be audited, which means I need to be able to measure my program in an audit-able way. I am not talking about the outcome of the program here, the hunting itself, but rather the processes and procedures that lead to the outcomes. The outcomes are currently measured using KPIs, but I haven't stress tested those enough to share yet. Developing a Threat Hunting & Research  Team Maturity Model Why a maturity model? As I looked into how to approach this question I came across the idea of using a maturity model. According to the Institute of Internal Auditors ( IIA ), a maturity model describes process components th...

I have been busy celebrating weddings with families and friends for a few weekends, but I am back with the latest hurdle in program building - scalability. I haven't stopped working on the hunt analytic repo, but I have switched to playing in AWS DynamoDB . Traditionally hunting has been one hunter creating a hypothesis and then hunting on that hypothesis to find attacker activity. Current resources even take this a little further and have the disruption and eradication of the attacker activity also done by hunters.  This approach may work for smaller organizations where one employee wears many hats, but it doesn't scale well and it makes it hard to tell a compelling story. So let's assume you are creating a Hunt Team, one that is only responsible for hunting and not burdened with incident response or remediation.  How do you scale the team to cover as many high value targets as possible and tell a compelling story? Threat Hunting as a Pack Experienced hunters...