The Most Comprehensive Data Protection Solution

Discover, classify, and protect your data from all threats with the only Gartner Magic Quadrant DLP and Forrester Wave EDR Leader.

First and Only Solution to Converge:

  • Data Loss Prevention
  • Endpoint Detection and Response
  • User and Entity Behavior Analytics
DATAINSIDER

Digital Guardian's Blog

Getting Ready to Hunt for Threats



Learn how to prepare to hunt for threats in Part 2 of our Guide to Threat Hunting series.

Our first post in the series covered some of the fundamental concepts of threat hunting. Once you understand cyber threats and have established reliable (internal and external) sources of threat intelligence, it’s time to start preparing to hunt for threats. Here’s how.

Build an Incident Response Plan

Having a threat hunting program means that you’re inevitably going to find some threats and probably some full-fledged security incidents as well. As a result, it’s critical that you have an incident response plan in place before you start threat hunting. Whether your organization has a formal IR program or simply IR procedures, it is imperative to have a prescriptive method of responding to events and alerts in a controlled manner. Develop an incident response plan that outlines preparation, detection and reporting, triage and analysis, containment and neutralization, and post-incident activities. This will help everyone avoid panic mode when your threat hunting team is successful!

Take a Flexible Approach to Threat Hunting

While incident response is best pursued as a well-accepted, business-wide initiative, your approach to threat hunting should be an effort centralized to your information security team. Threat hunting is less formal and more mission-oriented. It is a commitment to take a more proactive approach to identifying cyber threats to the organization, and to actually act on those threats sooner rather than simply waiting for an alert to go off.

While cyber threat hunting isn’t exactly looking for a needle in a haystack, your efforts need to remain a bit more flexible and a little less formalized than incident response. There will be fewer boundaries when following where the hunt leads you.

To Know Your Adversary, First Know Yourself

At my last job, we outsourced our IT administration to a third party vendor. Basically, they would authenticate each day to our network to conduct day-to-day maintenance activities on each of our servers. One day I was hunting through logs and noticed something strange. The third party vendor was accessing a subnet that they weren’t responsible for. Upon further investigation I had discovered that the vendor had been compromised and an adversary was leveraging the trusted connection between our network and theirs to move laterally into our environment. The advice here is to never underestimate the importance of contextual knowledge and awareness of your own environment to recognize threats as they occur.

4 Steps to Get Ready

To ensure you are ready to hunt various types of threats, watch this clip below that was taken from our webinar, The Real World of Cyber Threat Hunting. Watch the full webinar here.


 

Before pursuing an active cyber threat hunting initiative, complete these four necessary actions:

  1. Build an architecture: Your organization must be capable of planning, establishing and maintaining its systems with cybersecurity in mind.
  2. Implement passive defense: Systems such as intrusion prevention should be added to your base architecture to provide a reliable defense against threats (once configured) without needing consistent human interaction or intervention.
  3. Develop active defense: Define processes for human analysts to monitor data internal to the network, triage any advisories, and respond actively to any incidents to contain and neutralize threats.
  4. Drive intelligence: Finally, data collection should be used to learn how the organization can better exploit information for insight and internal intelligence.

Keep Your Eye on the Prize

Successful cyber threat hunters should know the value and the limitations of threat intelligence. Every organization may have its own misconceptions or internal biases. Understanding these up front will help your security team avoid the pitfalls of wasted time and resources spent chasing down alerts or false positives that really don’t matter to your business.

Once you’ve completed these steps, you’ll be ready to operationalize your threat hunting efforts. Keep an eye out for Part 3 of this series and in the meanwhile check out our eBook on threat hunting for more tips.

Read More in our Guide to Threat Hunting Series

  1. The Building Blocks of Threat Hunting: Understanding Cyber Threats and the Threat Lifecycle
  2. Getting Ready to Hunt for Threats
Tim Bandos

WHITEPAPERS

Stopping Cyber Threats: Your Field Guide to Threat Hunting

Tim Bandos

Tim Bandos, CISSP, CISA is Vice President of Cybersecurity at Digital Guardian and an expert in incident response and threat hunting. He has over 15 years of experience in the cybersecurity realm at a Fortune 100 company with a heavy focus on Internal Controls, Incident Response & Threat Intelligence. At this global manufacturer, he built and managed the company’s incident response team. Tim has a wealth of practical knowledge gained from tracking and hunting advanced threats targeted at stealing highly sensitive data.