In Part 1 of this series, I shared the state of threat hunting as measured by SANS in their 2019 survey of threat hunters and security managers from various organizations around the globe. Now it’s time to drill down into threat hunting methodologies, tips to improve efficiency and effectiveness, and how to measure threat hunting success.

Threat hunting is a complex task and presents many challenges. If organizations aren’t careful, they can end up with a few high-value resources spending inordinate amounts of time potentially chasing ghosts. Not all methodologies are equally efficient, but the following two methods are serving organizations well.

Two approaches to threat hunting
Most threat hunting teams report that they incorporate one or both of these approaches: 1) An outside-in approach, where you learn of a threat from an external report and hunt for associated indicators within your environment, and 2) An inside-out approach, where you observe suspicious behavior in your environment, pivot to the adversary and external sources to learn more about associated indicators, and then hunt for and find additional indicators in your environment. 

However, as the SANS report points out, “IOCs have different levels of quality and life spans. Your detection ability does not increase just by adding more and more IOCs. Instead you should review and quality-check every incoming new IOC carefully and test it against your environment.” Whichever threat hunting approach you’re using, you need a way to ensure your hunting efforts are focused on high-risk threats and that the team is operating efficiently since time is the enemy. In working with clients, we’ve found that these three tips can help:

1. Use context to prioritize. Effective prioritization requires context to understand what is relevant and high-priority to your organization. To help with prioritization lots of threat intelligence providers publish “global” risk scores based on their own research, visibility and proprietary methods. But what is relevant to one company may not be relevant to another. You need to be able to prioritize based on parameters you set. Because you have multiple sources of context (external threat intelligence, internal data and intelligence, etc.), our ThreatQ platform provides a central repository to aggregate data and events and manage and automate the prioritization process. With an approach to threat hunting that includes aggregating, scoring and prioritizing within the context of your environment, your high-value resources don’t waste time chasing ghosts.

2. Don’t go it alone – collaborate. Threat hunters must be able to conduct investigations collaboratively with other teams, and search for and compare indicators across your infrastructure to find matches between high-risk indicators and internal log data that suggest possible connections. Traditionally, this has been difficult and time consuming to do because teams and tools are often siloed. ThreatQ Investigations provides a single shared environment so that collaboration is embedded into all processes, including threat hunting. Teams can work together to explore every corner of the organization to pinpoint adversary tactics, techniques and procedures (TTPs) and find the malicious activity for total remediation.

3. Never stop learning. Threat hunting must be a continuous process. As new data and learnings are added to the ThreatQ Threat Library, intelligence is automatically reprioritized to support ongoing hunts. Teams and tools improve over time, facilitating future investigations, automatically strengthening defenses and adjusting policies to improve detection and prevention.  

How do you know if you’re getting a return on your threat hunting investments?
Just as threat hunting is relatively new, the ability to measure the effectiveness of threat hunting is still in its infancy. Measuring and demonstrating the performance of the threat hunting team is critical to its funding and support throughout the organization. Yet, survey respondents tell SANS that measuring performance is difficult.

One key to overcoming the measurement challenge is to start by defining expectations. Measuring the time to hunt and “find evil” is all well and good. However, if threat hunters have to spend a fair amount of time integrating and normalizing the multiple data sources they need to perform threat hunting effectively, that naturally slows down the hunting process. You’re also slowed down if you don’t have solutions that automate time-consuming tasks like sifting through logs manually to determine which are relevant and correlating logs with massive volumes of external threat intelligence and other internal data to identify malicious activity. 

A better way to show the benefits of threat hunting is with a “hunt once, detect forever” benchmark. This concept ensures the work is effective and teams aren’t continually hunting for the same technique from an adversary. Taking this approach, 93% report seeing improvements in attack surface exposure/hardened networks and endpoints. And 89% of respondents report seeing improvement in detection and better coverage across their environment.

The good news is that even though 24% of organizations are unsure if they have seen any improvement in the overall security of their organization, the 61% that have found a way to measure its impact report at least an 11% measurable improvement in their security posture. Download your free copy of the SANS 2019 Threat Hunting Survey for more details. In the third and final part of this series we’ll look at how organizations are investing to improve their threat hunting capabilities and provide some recommendations to consider for the future.