
Empowering Security Teams with Best Practices for Threat Hunting
- Nov 12, 2024
- Heidi Willbanks
- 3 minutes to read
Imagine having a team of expert cybersecurity professionals dedicated solely to threat hunting within the enterprise.
For most CISOs and security operations centers (SOCs), this remains a dream rather than a reality. The truth is, cybersecurity doesn’t generate revenue, so CEOs view it as a cost center. Information Security’s role is to prevent loss. As a result, many SOCs must operate with only the bare minimum resources needed to function.
Because most security decision-makers and analysts must incorporate threat hunting into their regular duties, the pressing question is how to do so as efficiently and effectively as possible.
Powerful Threat Hunting Needs to Start With a Powerful SIEM
One of the biggest barriers to successful threat hunting in the SOC is the lack of standardized, codified processes. If a dozen analysts query data in a dozen different ways—or write their own code and build custom tools—they will reach different conclusions, even when investigating the same incident. This lack of consistency and repeatability poses a real danger to a strong threat hunting program.
To address this, investing in a modern, vendor-neutral security information and event management (SIEM) system that can aggregate data from the entire environment is essential. Most sophisticated attacks don’t stem from a single incident. They involve a series of actions over time, and tracking this timeline is critical.
Threat hunting within isolated environments, like an EDR, VPN, or firewall, does not provide the visibility or value that today’s threat hunters need. For complex, interconnected infrastructures, a SIEM capable of ingesting all logs is the keystone that supports effective threat hunting.
Every Gap Discovered is an Opportunity for Greater Security
If visibility and repeatability are essential for a robust threat hunting program, it’s clear why a sophisticated SIEM solution is a must. However, the SOC needs to go further by understanding the typical activities and contexts associated with users and devices, to identify abnormal behavior when it happens.
As the saying goes in cybersecurity, “Not all anomalous activity is malicious, but all malicious activity is anomalous.” User and entity behavior analytics (UEBA) can add a powerful layer on top of the SIEM. By using machine learning, it establishes a baseline of normal activity and flags actions that deviate from it.
These tools give the SOC greater ability to detect threats within the environment. Importantly, when they help analysts pinpoint suspicious activity, they also reveal weaknesses in the current defenses that allowed potential adversaries to slip through the cracks.
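The two ideas above, a hunt that is codified so every analyst gets the same answer from the same data, and a UEBA-style baseline of normal activity that flags deviations, can be shown together in a small script. This is an added example, not code from the original post or from Exabeam: the log format, the field names, the `/24` and login-hour features, the `MIN_BASELINE_LOGINS` threshold and every sample event are constructed for illustration, and a production UEBA would learn far richer features over far more data.

```python
"""
Added example (not from the original post or Exabeam): a small, codified
UEBA-style hunt. It learns a per-user baseline of normal login behaviour from
historical authentication events, then scores new events by how far they
deviate. Log format, features, thresholds and all events are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed history, format: "<ISO timestamp> user=<name> src=<IPv4> result=<ok|fail>"
HISTORICAL_LOG = [
    "2024-11-01T08:12:00 user=alice src=10.1.20.14 result=ok",
    "2024-11-01T09:40:00 user=alice src=10.1.20.14 result=ok",
    "2024-11-04T08:05:00 user=alice src=10.1.20.22 result=ok",
    "2024-11-05T10:15:00 user=alice src=10.1.20.14 result=ok",
    "2024-11-06T08:50:00 user=alice src=10.1.20.17 result=ok",
    "2024-11-01T13:30:00 user=bob src=10.1.30.5 result=ok",
    "2024-11-04T14:10:00 user=bob src=10.1.30.5 result=ok",
    "2024-11-05T15:45:00 user=bob src=10.1.30.5 result=ok",
    "2024-11-06T13:05:00 user=bob src=10.1.30.6 result=ok",
    "2024-11-07T14:55:00 user=bob src=10.1.30.5 result=ok",
    "2024-11-07T16:00:00 user=bob src=10.1.30.5 result=fail",
]
# Constructed events in the hunt window.
NEW_LOG = [
    "2024-11-11T03:17:00 user=alice src=203.0.113.7 result=ok",
    "2024-11-11T09:01:00 user=alice src=10.1.20.14 result=ok",
    "2024-11-11T14:20:00 user=bob src=10.1.30.9 result=ok",
    "2024-11-11T02:00:00 user=bob src=10.1.30.5 result=fail",
    "2024-11-11T12:00:00 user=carol src=10.1.40.2 result=ok",
]
MIN_BASELINE_LOGINS = 5  # below this the baseline is too thin to score against


@dataclass
class AuthEvent:
    ts: datetime
    user: str
    src: str
    ok: bool


@dataclass
class UserBaseline:
    hours: Counter = field(default_factory=Counter)  # login hour -> count
    prefixes: set = field(default_factory=set)       # /24 source prefixes seen
    logins: int = 0                                  # successful logins observed


def parse_line(line: str) -> AuthEvent:
    """Parse one constructed log line into an AuthEvent."""
    ts, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return AuthEvent(datetime.fromisoformat(ts), fields["user"], fields["src"],
                     fields["result"] == "ok")


def prefix24(ip: str) -> str:
    """Collapse an IPv4 address to its /24 prefix: 10.1.20.14 -> 10.1.20."""
    return ".".join(ip.split(".")[:3])


def build_baseline(lines):
    """Learn what 'normal' looks like per user from successful logins only."""
    baseline = defaultdict(UserBaseline)
    for ev in map(parse_line, lines):
        if not ev.ok:
            continue  # failed attempts do not define normal behaviour
        b = baseline[ev.user]
        b.hours[ev.ts.hour] += 1
        b.prefixes.add(prefix24(ev.src))
        b.logins += 1
    return dict(baseline)


def score_event(ev: AuthEvent, baseline):
    """Return (score, reasons); each independent deviation adds one point."""
    b = baseline.get(ev.user)
    if b is None or b.logins < MIN_BASELINE_LOGINS:
        # An account with no usable history is itself worth a look (new or
        # dormant account); the other checks would only add noise here.
        return 1, ["no successful-login baseline for user"]
    reasons = []
    if prefix24(ev.src) not in b.prefixes:
        reasons.append(f"new source prefix {prefix24(ev.src)}.0/24")
    if b.hours[ev.ts.hour] == 0:
        reasons.append(f"login hour {ev.ts.hour:02d} never seen in baseline")
    return len(reasons), reasons


def hunt(lines, baseline):
    """The codified hunt: same events and baseline in, same findings out."""
    findings = []
    for ev in map(parse_line, lines):
        if not ev.ok:
            continue
        score, reasons = score_event(ev, baseline)
        if score:
            findings.append((ev.user, ev.ts.isoformat(), score, reasons))
    # Highest score first, then chronological, so the triage queue is stable.
    return sorted(findings, key=lambda f: (-f[2], f[1]))


def run_hunt():
    return hunt(NEW_LOG, build_baseline(HISTORICAL_LOG))


if __name__ == "__main__":
    for user, when, score, reasons in run_hunt():
        print(f"{score} {when} {user}: {'; '.join(reasons)}")
```

Because the features, thresholds and ordering live in code rather than in each analyst's head, two analysts running `run_hunt()` over the same window produce the identical list, which is the repeatability the post asks for. The `MIN_BASELINE_LOGINS` guard is the caveat a practitioner should keep in mind: a baseline learned from too little history flags everything, and an account with no history is surfaced as its own finding rather than silently scored as normal.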
One of the most important goals of a threat hunting program is to identify gaps in the security stack. Any positive threat hunt—even if it’s a false positive—highlights an anomaly that wasn’t caught by the SOC’s systems and processes. This allows analysts to implement new tools or processes to close these gaps and strengthen the organization’s security posture. To make meaningful change, though, allies beyond the SOC need to be involved.
Cooperation and Coordination Across the Business Are Crucial
There’s little point in identifying security gaps if teams can’t get the go-ahead to implement the solutions needed to fix them. This is why best-in-class threat hunting programs require support at the executive level. Communicating the impact and imperative of threat hunting to business decision makers is a key task for CISOs.
But executive backing isn’t the only collaboration that needs to take place. The SOC must also work with other teams that can investigate potential threats based on the intelligence analysts gather. For example, HR departments can be valuable partners in an effective threat hunting program.
An advanced threat hunting program has to be holistic and interdisciplinary. Stakeholders outside the security team need to be involved and committed. Additionally, activity and log data must be collected and monitored across the entire environment to detect everything from unusual logins to unauthorized USB insertions. This is why systems like SIEM and UEBA are essential in bringing all this information together.
Above all, threat hunting must be consistent and repeatable, so that CISOs and senior security leaders can adopt innovative solutions that analysts at all levels can use and understand. Security teams must build up not only their processes, but also their people, and best-in-class solutions make that possible.
There are more opportunities and challenges in threat hunting that security teams should consider. For a more in-depth look at this topic, read our white paper, Nowhere to Hide: A Programmatic Approach to Threat Hunting.

Heidi Willbanks
Senior Product Marketing Manager, Content | Exabeam | Heidi Willbanks is the Senior Product Marketing Manager, Content at Exabeam. She manages content strategy and production for product marketing and supports strategic partners, sales and channel enablement, and competitive content, leveraging her product marketing certification, content expertise, and industry knowledge. She has 19 years of experience in content marketing, with nearly a decade in the cybersecurity field. Heidi received a BA in Journalism with a minor in Graphic Design from Cal Poly Humboldt and was awarded Outstanding Graduating Senior in Public Relations Emphasis. She enjoys reading, writing, gardening, hiking, yoga, music, and art.