Our first two posts in this series focused on understanding the fundamentals of threat hunting and preparing your threat hunting program. Now let’s talk about some of the tools you’ll need for threat hunting – even if you’re on a tight budget – and the skills your threat hunting team will need for success.
3 Tools Your Organization Needs for Threat Hunting
The resources you need to hunt the various types of threats are also covered in a clip from our webinar, The Real World of Cyber Threat Hunting, which is worth watching in full.
The following are three must-have tools for any threat hunting program:
- Logs: Threat hunting runs on data, so at a bare minimum you need logs to sift through. Key sources include endpoint logs, Windows event logs, antivirus logs, and proxy/firewall logs.
- SIEM: A centralized security information and event management system correlates log data across sources faster and more consistently than analysts can by hand. It lets a hunter pivot from a single piece of evidence (one host, one user, one destination) to the related events in other sources that reveal the real threat.
- Analytics: Machine learning and data analytics are a bonus for organizations that can afford them, because they automate parts of detection and help surface the proverbial "needle in the haystack" that no one would find by reading logs line by line.
For organizations on a budget, there are a multitude of great open source tools available for log capture and analysis, host and memory forensics, malware reverse engineering, and more. For example, a cost-effective SIEM alternative is an "ELK" stack: Elasticsearch for storage and search, Logstash for ingestion and parsing, and Kibana for visualization. Check out my post on threat hunting operations on a budget for more, including configuration guides for Logstash and NXLog.
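To make the "pivot and correlate" idea concrete, here is an added example (not code from the original post or the webinar) that does in a few lines of Python what a hunter would otherwise ask a SIEM or Kibana for: it parses two constructed log sources, stacks process paths across the fleet so the rarest ones float to the top, and pivots from a large proxy upload back to the processes that started on that host just before it. The pipe-delimited export formats, hosts, users, domains, timestamps and byte counts are all invented for illustration; a real deployment would read these from the SIEM rather than from string literals.

```python
"""Added example: stack and pivot over constructed log lines, the way a SIEM query would.

Not code from the original post. The pipe-delimited export formats and every
host name, user, domain and timestamp below are invented for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security 4688 (process creation) records exported as
# "timestamp|host|user|new_process|parent_process" (a simplified, made-up format).
PROCESS_EVENTS = """\
2024-03-01T09:00:12|WS-101|alice|C:\\Windows\\System32\\svchost.exe|C:\\Windows\\System32\\services.exe
2024-03-01T09:01:03|WS-102|bob|C:\\Windows\\System32\\svchost.exe|C:\\Windows\\System32\\services.exe
2024-03-01T09:02:45|WS-103|carol|C:\\Program Files\\Microsoft Office\\WINWORD.EXE|C:\\Windows\\explorer.exe
2024-03-01T09:02:51|WS-103|carol|C:\\Windows\\System32\\cmd.exe|C:\\Program Files\\Microsoft Office\\WINWORD.EXE
2024-03-01T09:02:53|WS-103|carol|C:\\Users\\carol\\AppData\\Local\\Temp\\update.exe|C:\\Windows\\System32\\cmd.exe
2024-03-01T09:05:10|WS-104|dave|C:\\Windows\\System32\\svchost.exe|C:\\Windows\\System32\\services.exe
"""

# Constructed web proxy records exported as "timestamp|host|domain|bytes_out".
PROXY_EVENTS = """\
2024-03-01T09:01:30|WS-101|update.microsoft.com|1200
2024-03-01T09:03:01|WS-103|cdn-files-example.net|524288
2024-03-01T09:04:55|WS-102|update.microsoft.com|980
"""

PROCESS_FIELDS = ("timestamp", "host", "user", "process", "parent")
PROXY_FIELDS = ("timestamp", "host", "domain", "bytes_out")


def parse_pipe_log(text, fields):
    """Turn pipe-delimited lines into dicts; blank or truncated lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != len(fields):
            continue  # malformed line: in production, count and alert on these
        row = dict(zip(fields, parts))
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def stack_by(rows, field):
    """Least-frequency-of-occurrence stacking: count each value of `field`
    across the fleet and return (value, count) pairs, rarest first."""
    counts = Counter(row[field] for row in rows)
    return sorted(counts.items(), key=lambda item: (item[1], item[0]))


def pivot_uploads_to_processes(process_rows, proxy_rows, min_bytes, window):
    """Pivot from a proxy record (an upload of at least `min_bytes`) to the
    processes created on the same host within `window` before it.
    Returns a list of (domain, host, [process paths in start order])."""
    by_host = defaultdict(list)
    for row in process_rows:
        by_host[row["host"]].append(row)
    hits = []
    for upload in proxy_rows:
        if int(upload["bytes_out"]) < min_bytes:
            continue
        start = upload["timestamp"] - window
        related = sorted(
            (r for r in by_host[upload["host"]]
             if start <= r["timestamp"] <= upload["timestamp"]),
            key=lambda r: r["timestamp"],
        )
        hits.append((upload["domain"], upload["host"],
                     [r["process"] for r in related]))
    return hits


def hunt(min_bytes=100_000, window=timedelta(minutes=5)):
    """Run both techniques over the constructed data and return the findings."""
    procs = parse_pipe_log(PROCESS_EVENTS, PROCESS_FIELDS)
    proxy = parse_pipe_log(PROXY_EVENTS, PROXY_FIELDS)
    return {
        "stacked_processes": stack_by(procs, "process"),
        "pivots": pivot_uploads_to_processes(procs, proxy, min_bytes, window),
    }


if __name__ == "__main__":
    result = hunt()
    print("Rarest process paths across the fleet:")
    for path, n in result["stacked_processes"][:3]:
        print(f"  {n:>3}  {path}")
    for domain, host, processes in result["pivots"]:
        print(f"Large upload from {host} to {domain}; processes started beforehand:")
        for p in processes:
            print(f"  {p}")
```

Two things to notice when you run it. Stacking on its own flags three single-occurrence paths, and only one of them (a binary in a user's Temp directory) deserves attention, which is why the statistical view needs an analyst who knows the environment. The pivot, by contrast, ties that binary to a Word document spawning cmd.exe and to a half-megabyte upload a few seconds later, which is the kind of cross-source link a SIEM exists to make. The upload threshold and the five-minute window are hunting parameters, not constants; tune them to your own baseline.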
4 Key Skills for Threat Hunting Analysts
Of course, having the right tools is only half the recipe for threat hunting success. Your analysts need to have a specific skillset to succeed as threat hunters. Here are, in my opinion, the four key skills any threat hunter should possess:
- Enterprise knowledge: contextual knowledge of your own IT environment, so you know what normal looks like and which deviations matter
- Hypothetical thinking: the ability to hypothesize how an attacker would get in, which vectors they would use, and what the impact on the organization would be, and then to test that hypothesis against the data
- Statistics: the ability to judge whether a pattern in the data is significant or just noise
- Forensics: the ability to investigate root cause and build a timeline of the attack from network and endpoint forensic evidence
With the right combination of these tools and skillsets, your team will be poised for productive threat hunting. Stay tuned for my next post in this series covering the five stages of the threat hunting process, and check out our eBook for more threat hunting tips.