Today's episode: Threat Hunting
John Stoner: Threat hunting starts with the assumption that an adversary is already within the perimeter of the organization. The concept of a perimeter is a little bit fuzzy these days. But hunts can encompass cloud environments, servers, endpoints, networks, and their applications. It is proactive and can potentially uncover persistent threats that have not been identified with existing alerting tools that an organization has in place. Many publications have noted that adversaries may have a dwell time in excess of 90 days. So threat hunting may help uncover the adversary, shorten that dwell time, and provide greater insight about the adversary, and it can assist in improving defenses. It is important to note that threat hunting itself is part of the collective defensive efforts an organization can take to identify and mitigate a threat to their environment. If you are standing up a security operations program within your organization, threat hunting is not the first component to enable in this. It is also not effective to have a team of threat hunters but no capacity to track and alert on more commonly seen threats. Ideally, hunting should strive to uncover items that were previously unknown. There may be findings uncovered from a hunt that can be operationalized, and the security operations team can incorporate these findings into their monitoring tools and be alerted if they occur in the future. The same hunt should not be conducted over and over again. Unfortunately, not all findings from hunts can be operationalized with a high degree of confidence. Consider developing a set of hunting searches or rules that are not triaged like higher-fidelity alerts. Instead, use these searches and rules as a foundation to evolve hypotheses, broaden monitoring, and conduct future hunts as additional data becomes available and events warrant. Threat hunting can also be used to help an organization uncover their own deficiencies when it comes to their organizational visibility.
If a threat hunt identifies blind spots within your logging, note these deficiencies and determine what is needed to eliminate these gaps.