How to Build a Threat Hunting Team to Bolster Cyber-Security Operations
Building: It Starts with IT Operations Personnel
Building: You Need a First Line of Defenders
Incident response personnel can be divided into two groups. The first consists of junior incident responders who handle incidents caused by commodity malware and less-advanced threats. When hunters find threats of this kind, they typically hand response duties off to this first group. Traditionally, incident response teams are called in after a breach has already occurred; effective hunting moves response earlier in the kill chain, so the team engages while the attacker is still establishing a foothold rather than after data has been lost.
Building: Senior Specialists Dig Into Attacks to Determine What Happened
Building: Hunters Bring It All Together
Maintaining: Every Member of the Team Needs Security Knowledge
Hunters must be able to apply hunt techniques and tools, including those typically used for red-teaming and penetration testing, because the tooling and tradecraft an attacker uses are the same things a hunter needs to recognize. Hunters who understand how the different areas of security interact and fit together are better able to find adversaries and to work out what those adversaries are trying to do.
Maintaining: Every Member of the Team Also Needs IT Knowledge
Hunters should have a solid understanding of the organization's critical IT assets and the networks they need to protect. For example, a hunter should be familiar with the organization's enterprise architecture, especially its applications, in order to understand how the tiers of an application (user interface, middleware, database server, etc.) are distributed across assets and how they communicate with each other; without that baseline, a hunter cannot tell an unusual connection from a normal one.
Maintaining: Think Like the Attacker: Adopt the Hunting Mindset
Maintaining: Speedy Critical Thinking is Paramount
Summary: Own the Hunt
Embracing the hunt can significantly improve your security stack and help your organization defend itself against the advanced attackers and signature-evading exploits that are common today. To build your hunt team, bring together diverse talents and expertise; to maintain it, keep the team supplied with the right security and IT knowledge and with the hunting mindset. Together these can transform how your organization detects and responds to intrusions.