DATAINSIDER

Digital Guardian's Blog

The Top Tools and Skills for Threat Hunting Success
Make sure you have the right tools and skills for a successful threat hunting program in Part 3 of our Guide to Threat Hunting series.

Our first two posts in this series focused on understanding the fundamentals of threat hunting and preparing your threat hunting program. Now let’s talk about some of the tools you’ll need for threat hunting – even if you’re on a tight budget – and the skills your threat hunting team will need for success.

3 Tools Your Organization Needs for Threat Hunting

To ensure you have all of the resources necessary to hunt various types of threats, watch the video clip below that was taken from our webinar, The Real World of Cyber Threat Hunting. Watch the full webinar here.

The following are three must-have tools for any threat hunting program:

  1. Logs: Threat hunters require data. At a bare minimum, having data logs to sift through is imperative. Key sources of this data include endpoint logs, Windows event logs, antivirus logs, and proxy/firewall logs.
  2. SIEM: A centralized security information and event management (SIEM) system correlates all of your log data far better than analysts can by hand. Having the logs in one place makes it easy to pivot from an individual piece of information to the links and correlations that reveal the true threat.
  3. Analytics: Machine learning and data analytics are a bonus for organizations that can afford them due to their ability to automate cyber threat detection and identify the proverbial “needle in the haystack.”

For organizations on a budget, there are a multitude of great open source tools available for log capture and analysis, host and memory forensics, malware reverse engineering, and more. For example, a cost-effective SIEM alternative is to set up an “ELK” Stack – Elasticsearch, Logstash and Kibana – all wrapped into one. Check out my post on threat hunting operations on a budget for more, including configuration guides for Logstash and NXLog.
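As an added example (not code from this post or from Digital Guardian), here is a small hand-rolled version of the log-to-SIEM pivot the three tools above describe. It normalizes constructed proxy, Windows event and antivirus log lines into one event shape, resolves the proxy client IP to a hostname through a constructed asset table, and, starting from a hypothesis about one domain, pulls every event any source recorded for that host within a few minutes of each hit. All hostnames, IPs, users, paths and the domain are placeholders rather than real indicators, and the log formats are simplified stand-ins for what an ELK stack or commercial SIEM would normalize for you.

```python
"""Hand-rolled SIEM-style pivot across three log sources (added example).

Every log line, host, IP, user, path and domain below is constructed for
illustration and is not a real indicator.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed proxy log: timestamp, client IP, method, URL, status, bytes.
PROXY_LOG = """\
2024-03-04T10:02:11Z 10.0.5.21 GET http://update-cdn.example.net/a.bin 200 1048576
2024-03-04T10:02:40Z 10.0.5.33 GET https://intranet.example.com/ 200 2048
2024-03-04T10:09:05Z 10.0.5.21 GET http://update-cdn.example.net/beacon 200 512
"""

# Constructed Windows event export (4688 = process creation, 4624 = logon),
# flattened to key=value pairs; paths contain no spaces to keep parsing simple.
WINDOWS_EVENTS = """\
2024-03-04T10:01:58Z host=WS-021 event_id=4688 user=jdoe process=C:\\Windows\\System32\\cmd.exe
2024-03-04T10:02:30Z host=WS-021 event_id=4688 user=jdoe process=C:\\Users\\jdoe\\AppData\\Local\\Temp\\a.bin
2024-03-04T10:03:12Z host=WS-033 event_id=4688 user=asmith process=C:\\Office\\winword.exe
2024-03-04T10:45:00Z host=WS-021 event_id=4624 user=jdoe process=-
"""

# Constructed antivirus log.
AV_LOG = """\
2024-03-04T10:02:35Z host=WS-021 action=quarantine_failed file=C:\\Users\\jdoe\\AppData\\Local\\Temp\\a.bin
"""

# Constructed asset/DHCP table resolving a client IP to the host that held it.
IP_TO_HOST = {"10.0.5.21": "WS-021", "10.0.5.33": "WS-033"}


@dataclass(frozen=True)
class Event:
    ts: datetime      # normalized to UTC
    source: str       # proxy | winevt | av
    host: str         # the entity every source is joined on
    detail: str


KV = re.compile(r"(\w+)=(\S+)")


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_proxy(text: str) -> list[Event]:
    """Normalize proxy lines; resolve IP to host so they join with endpoint logs."""
    events = []
    for line in text.splitlines():
        ts, ip, method, url, status, size = line.split()
        events.append(Event(_ts(ts), "proxy", IP_TO_HOST.get(ip, ip),
                            f"{method} {url} {status} {size}B"))
    return events


def parse_kv(text: str, source: str) -> list[Event]:
    """Normalize key=value style lines (used here for Windows events and AV)."""
    events = []
    for line in text.splitlines():
        ts, rest = line.split(" ", 1)
        fields = dict(KV.findall(rest))
        detail = " ".join(f"{k}={v}" for k, v in fields.items() if k != "host")
        events.append(Event(_ts(ts), source, fields["host"], detail))
    return events


def pivot(host: str, around: datetime, events: list[Event],
          window_minutes: int = 5) -> list[Event]:
    """Everything any source recorded for `host` within +/- window of `around`, in time order."""
    lo = around - timedelta(minutes=window_minutes)
    hi = around + timedelta(minutes=window_minutes)
    return sorted((e for e in events if e.host == host and lo <= e.ts <= hi),
                  key=lambda e: e.ts)


def hunt(flagged_domain: str) -> dict[str, list[Event]]:
    """Hypothesis: traffic to `flagged_domain` is suspicious. For each proxy hit,
    pivot to the endpoint and AV events around it. Keys are host@time of the hit."""
    events = (parse_proxy(PROXY_LOG)
              + parse_kv(WINDOWS_EVENTS, "winevt")
              + parse_kv(AV_LOG, "av"))
    seeds = [e for e in events if e.source == "proxy" and flagged_domain in e.detail]
    return {f"{s.host}@{s.ts:%H:%M:%S}": pivot(s.host, s.ts, events) for s in seeds}


if __name__ == "__main__":
    for seed, timeline in hunt("update-cdn.example.net").items():
        print(f"== pivot from {seed}")
        for e in timeline:
            print(f"  {e.ts:%H:%M:%S} [{e.source:6}] {e.detail}")
```

The three steps (normalize, join on an entity such as host, then window in time) are exactly what a SIEM correlation rule or a Kibana query does at scale. Doing it once by hand makes clear which fields each log source must carry for the pivot to work at all: a timestamp in a common zone, and a host name or an IP that an asset table can resolve to one.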

4 Key Skills for Threat Hunting Analysts

Of course, having the right tools is only half the recipe for threat hunting success. Your analysts need to have a specific skillset to succeed as threat hunters. Here are, in my opinion, the four key skills any threat hunter should possess:

  1. Enterprise knowledge: contextual knowledge and awareness of your IT environment
  2. Hypothetical thinking: the ability to hypothesize threat attacks, source vectors, and organizational impact
  3. Statistics: the ability to interpret significance from statistical data
  4. Forensics: the ability to investigate the root cause and develop an attack timeline of events through network and endpoint forensics
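To make the statistics skill concrete, here is an added example (mine, not from the post or from Digital Guardian) that applies two hunting staples to constructed telemetry: frequency stacking, which ranks process names by how many hosts run them so the rare ones surface, and a median-absolute-deviation outlier score over per-host outbound bytes, which a single huge value cannot distort the way it distorts a mean-based z-score. It then combines the two into a short list of hosts worth a forensic look. Hostnames, process names and byte counts are all constructed; the 0.6745 constant and 3.5 cut-off are the conventional modified z-score parameters.

```python
"""Two hunting statistics over constructed telemetry (added example, not from the post).

1. Frequency stacking: how many hosts run each process name, rarest first.
2. Modified z-score (median absolute deviation) over per-host outbound bytes.
All hosts, process names and byte counts are constructed.
"""
from collections import defaultdict
from statistics import median

# Constructed: distinct process names seen in a day of process-creation events, per host.
PROCESS_EVENTS = {
    "WS-001": ["explorer.exe", "outlook.exe", "chrome.exe", "svchost.exe"],
    "WS-002": ["explorer.exe", "outlook.exe", "chrome.exe", "svchost.exe"],
    "WS-003": ["explorer.exe", "outlook.exe", "chrome.exe", "svchost.exe"],
    "WS-004": ["explorer.exe", "outlook.exe", "chrome.exe", "svchost.exe", "acrobat.exe"],
    "WS-005": ["explorer.exe", "outlook.exe", "chrome.exe", "svchost.exe", "UPDATER32.EXE"],
    "WS-006": ["explorer.exe", "outlook.exe", "svchost.exe", "acrobat.exe"],
}

# Constructed: bytes each host sent through the proxy in the same day.
BYTES_OUT = {
    "WS-001": 42_000_000, "WS-002": 38_000_000, "WS-003": 45_000_000,
    "WS-004": 40_000_000, "WS-005": 410_000_000, "WS-006": 39_000_000,
}

MAD_CONSTANT = 0.6745   # scales the MAD to a standard deviation for normal data
MAD_THRESHOLD = 3.5     # conventional cut-off for the modified z-score


def stack_by_host_count(events):
    """(process, number of distinct hosts running it), rarest first. Case-folded so
    'UPDATER32.EXE' and 'updater32.exe' stack together."""
    hosts_per_proc = defaultdict(set)
    for host, procs in events.items():
        for proc in procs:
            hosts_per_proc[proc.lower()].add(host)
    return sorted(((p, len(h)) for p, h in hosts_per_proc.items()),
                  key=lambda t: (t[1], t[0]))


def mad_scores(values):
    """Modified z-score per key: MAD_CONSTANT * (x - median) / MAD. One huge host
    barely moves the median, so it cannot pull the baseline up to hide itself."""
    med = median(values.values())
    mad = median(abs(v - med) for v in values.values())
    if mad == 0:   # all values identical: nothing is an outlier
        return {k: 0.0 for k in values}
    return {k: MAD_CONSTANT * (v - med) / mad for k, v in values.items()}


def outliers(values, threshold=MAD_THRESHOLD):
    """Keys whose modified z-score exceeds the threshold in either direction."""
    return sorted(k for k, s in mad_scores(values).items() if abs(s) > threshold)


def leads(events, bytes_out, max_hosts=1, threshold=MAD_THRESHOLD):
    """Hosts that both run a process seen on at most `max_hosts` hosts and show
    anomalous outbound volume: two weak signals that together justify a deeper look."""
    rare = {p for p, n in stack_by_host_count(events) if n <= max_hosts}
    loud = set(outliers(bytes_out, threshold))
    result = {}
    for host, procs in events.items():
        hits = sorted({p.lower() for p in procs} & rare)
        if hits and host in loud:
            result[host] = hits
    return result


if __name__ == "__main__":
    for proc, n in stack_by_host_count(PROCESS_EVENTS):
        print(f"{n:3d} host(s)  {proc}")
    for host, score in sorted(mad_scores(BYTES_OUT).items()):
        print(f"{host}: modified z = {score:7.2f}")
    print("leads:", leads(PROCESS_EVENTS, BYTES_OUT))
```

Neither statistic is proof of anything on its own: a rare process is often a legitimate one-off install, and a traffic outlier is often a backup job. The value is in the intersection and in what it points the forensics step at, which is why the result is a list of hosts to investigate rather than a verdict.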

With the right combination of these tools and skillsets, your team will be poised for productive threat hunting. Stay tuned for my next post in this series covering the five stages of the threat hunting process, and check out our eBook for more threat hunting tips.

Read More in our Guide to Threat Hunting Series

  1. The Building Blocks of Threat Hunting: Understanding Cyber Threats and the Threat Lifecycle
  2. Getting Ready to Hunt for Threats
  3. The Top Tools and Skills for Threat Hunting Success
Tim Bandos

Tim Bandos, CISSP, CISA is Vice President of Cybersecurity at Digital Guardian and an expert in incident response and threat hunting. He has over 15 years of experience in the cybersecurity realm at a Fortune 100 company with a heavy focus on Internal Controls, Incident Response & Threat Intelligence. At this global manufacturer, he built and managed the company’s incident response team. Tim has a wealth of practical knowledge gained from tracking and hunting advanced threats targeted at stealing highly sensitive data.