How to Build a Threat Hunting Team to Bolster Cyber-Security Operations

How to Build a Threat Hunting Team to Bolster Cyber-Security Operations

Building an enterprise cyber-security team that is effective in threat-hunting can help to improve a network’s defense and free up other security operators.

Building: It Starts with IT Operations Personnel

The operations and/or SOC personnel ensure that the IT assets are well-secured under both typical and emergency conditions. They may be called upon also to help restore normal operations after an asset compromise.

Building: You Need a First Line of Defenders

Incident response personnel can be divided into two groups. The first includes junior incident responders who handle issues caused by basic malware and less-advanced threats. When hunters find these threats, often they hand off response duties to this first group of incident response personnel. Traditionally, incident response teams are called in after a breach occurs, but effective hunting shifts the incident response closer to the beginning of the kill chain.

Building: Senior Specialists Dig Into Attacks to Determine What Happened

The second group encompasses the most senior incident responders and a variety of specialists. These include malware analysts, who use reverse engineering to learn the purpose of each attack, and forensic analysts, who collect and preserve evidence from assets and networks on behalf of hunters.

Building: Hunters Bring It All Together

The individuals who manage the security team usually have the ultimate responsibility for hunting. Duties include everything from reviewing and approving hunting plans, policies and budgets to ensuring the hunters are well-trained and their priorities and goals are clearly defined.

Maintaining: Every Member of the Team Needs Security Knowledge

Hunters must have the ability to use hunt techniques and tools, including those typically used for red-teaming and penetration testing. Hunters who understand how all the different areas of security interact and fit together will be more capable of finding adversaries and understanding what they’re trying to do.

Maintaining: Every Member of the Team Also Needs IT Knowledge

Hunters should have a solid understanding of the organization’s IT critical assets and networks that they need to protect. For example, a hunter should be familiar with the organization’s enterprise architectures, especially applications, to understand how parts of an application (user interface, middleware, database server, etc.) are divided among assets and interact with each other.

Maintaining: Think Like the Attacker: Adopt the Hunting Mindset

What distinguishes hunting from so many other aspects of defense is the requirement to think like an adversary. At a high level, this means the hunter approaches the asset as an adversary would, focusing the hunt on the aspects of the asset that adversaries would focus on as well.

Maintaining: Speedy Critical Thinking is Paramount

Decision-making is a vital skill for hunters. At key points in the hunt, hunters must assess the current state of security. Relying on their strong critical thinking skills, they must consider many factors before deciding what to do next and when to do it.

Summary: Own the Hunt

Embracing the hunt can significantly improve your security stack and help your organization defend itself against the advanced attackers and signatureless exploits common today. To build your hunt team, remember to bring together diverse talents and expertise and to maintain the team with the right knowledge and hunting mindset so as to dramatically transform your security stack.