Today’s organizations have a lot on their hands when it comes to defending their environments against attack. Cyber risk crosses several dimensions, and most organizations today struggle to be proactive in their incident response efforts.
Enter threat hunting, the ultimate proactive strategy for finding the hidden threats lurking on enterprise systems. Launching a threat hunting program starts with some basic organizational and security fundamentals, but it ultimately requires a mature security program, which entails the following:
- Security staffers who are curious, intuitive and have a solid understanding of IT security and the threat landscape. Staffers must also have enough time, outside their regular tasks, to devote to threat hunting.
- Tools and technology platforms that enable threat hunting detection, investigations, monitoring and management.
- A clear picture of what “normal” is. This means the program must be able to baseline network traffic and end-user and system behavior, as well as understand expected and authorized events from which to identify issues.
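As an added illustration of what "baselining normal" looks like in practice (example code written for this page, not IANS's own tooling): it builds a per-host picture of which users run which processes from constructed sample telemetry, then flags new events that fall outside that baseline or outside an assumed business-hours window. The log format, host and user names and the hours window are all assumptions.

```python
from collections import defaultdict

# Constructed sample telemetry (not real data): "timestamp,host,user,process"
BASELINE_LOG = """\
2024-03-04T09:02:11,ws-01,alice,outlook.exe
2024-03-04T09:05:40,ws-01,alice,excel.exe
2024-03-04T10:12:03,ws-01,alice,teams.exe
2024-03-04T09:30:22,ws-02,bob,outlook.exe
2024-03-04T11:45:09,ws-02,bob,chrome.exe
2024-03-05T09:01:55,ws-01,alice,outlook.exe
2024-03-05T14:20:17,ws-02,bob,excel.exe
"""

# Assumed window in which interactive activity is normal for this fleet.
BUSINESS_HOURS = range(8, 19)

def parse_events(text):
    """Parse CSV-style lines into (hour, host, user, process) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, host, user, proc = line.split(",")
        events.append((int(ts[11:13]), host, user, proc.lower()))
    return events

def build_baseline(events):
    """Record which (user, process) pairs have been observed on each host."""
    seen = defaultdict(set)
    for _hour, host, user, proc in events:
        seen[host].add((user, proc))
    return seen

def score_event(baseline, event):
    """Return the reasons an event deviates from the baseline (empty = normal)."""
    hour, host, user, proc = event
    reasons = []
    known_users = {u for u, _ in baseline.get(host, ())}
    known_procs = {p for _, p in baseline.get(host, ())}
    if host not in baseline:
        reasons.append("unknown host")
    elif user not in known_users:
        reasons.append("user never seen on host")
    elif proc not in known_procs:
        reasons.append("process never seen on host")
    if hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    return reasons

def hunt(baseline, new_events):
    """Return only the deviating events, each paired with its reasons."""
    return [(e, r) for e in new_events if (r := score_event(baseline, e))]
```

A real baseline would be built over weeks of telemetry and refreshed as the environment changes; the point is that every deviation is explained in terms of what "normal" was, which is what makes it a hunting lead rather than a bare alert.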
This piece helps you understand where your security program sits on the maturity curve and whether it is at the stage to launch a threat hunting program. It aims to help you gauge your security posture and provide strategic steps to push everything up a notch and become more proactive in your defense tactics.
Assess Security Maturity for Threat Hunting
Most security programs fall into one of four stages, starting with the basics and gradually increasing in security sophistication. Each stage is discussed in more detail below. When organizations are at Stages 1 and 2, they do not yet have the people, processes and tools required to spin up a threat hunting program. By Stage 3, they have the bare necessities to start planning a threat hunting practice, and by Stage 4, the security program is mature enough to support threat hunting in addition to its other security responsibilities.
Stage 1: Vulnerable
Organizations with security programs at Stage 1 are only equipped with the basic procedures for eliminating threats. For example, Stage 1 organizations have no process to see threats at the endpoint. They use only signature-based tools (like AV and IDS) to detect and stop known malware, and malware not stopped by the signature-based approach often ends up negatively impacting the performance of the IT infrastructure.
In most cases, the program’s only response to such attacks is to re-image the machine. Root-cause analysis is seldom if ever conducted. At Stage 1, most tools and processes are not integrated. Instead, only siloed solutions are used to handle threats.
Stage 2: Reduced Risk
At Stage 2, organizations improve their processes and tooling. For example, they go beyond simple AV and can poll and scan networks and endpoints to identify threats. At this stage, security programs also tend to deploy more preventive measures. For example, they:
- Remove admin rights from all endpoints and end users, so that only the specific admins and IT personnel who need those rights have them.
- Perform basic allow-listing of applications and services, and use IP reputation databases to block sites known for disseminating malware or running command-and-control channels.
- Limit the sites and applications vendors and contractors can access.
- Deploy more comprehensive tools, such as endpoint detection and response.
At this stage, the program responds to incidents by performing manual root-cause and scope analysis to find out which areas of the IT infrastructure have been affected by an attack. Teams are able to pinpoint and remove malware, and then conduct post-mortem forensic operations to ensure they know how to successfully protect the IT system the next time it faces a similar attack.
At this stage, tools and processes are somewhat integrated, with a few rolling up alerts and logs to a centralized SIEM platform.
Stage 3: Strong Posture
At Stage 3, security organizations are able to set up real-time visibility and continuous reporting, usually using simple indicators and single-source threat intelligence.
They tend to segment their environments using VLANs or, in some cases, host-based firewalls. Automated root-cause and scope analysis are performed in response to threats, and the results are correlated with other system security data. In addition, SIEMs and other threat-management software are fully integrated into the IT infrastructure.
At this point, the organization has the tools, processes and visibility to begin planning a threat hunting program, but launching it should wait until the next stage, when it has the expertise, staffing and resources to fully support it.
Stage 4: Mature – Ready to Threat Hunt
Stage 4 mature security groups have real-time visibility and continuous reporting of endpoint and network security state. Using aggregated, multi-vendor threat intel, Stage 4 organizations have the ability to detect the behaviors and patterns of threats, and threat intelligence is fully integrated into all available events and incidents.
Within Stage 4, threats are prevented by policy-based default-deny controls and customizable prevention methods. The immediate response to a threat is to disrupt and contain the attack, and then use automated remediation. Some system integrations are customized via open APIs.
Security Maturity for Threat Hunting
Once your security posture has matured to Stage 4, a robust threat hunting program can be initiated. To successfully pair the organization's IT infrastructure with a tailored threat hunting program, your security strategy must:
- Focus on improving risk visibility of your systems and endpoints.
- Adopt better processes for detecting, preventing and responding to risks and cyberattacks.
- Integrate comprehensive threat tools and technology to improve alerts, monitoring, data management and APIs.
- Boost your security team's skills with constant high-quality cybersecurity training that advances staff knowledge of both security and threat hunting.
- Update and document all required processes for maintaining high system security.
- Adopt the latest, best system security strategies, and routinely update for consistent security improvements.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.