So, You Want to Build a Hunt Team (Part 1) - Set Up and Buy In
With the ever-growing number of risks, vulnerabilities and threats an organization must defend against, simply reacting to alerts is not enough to secure your network. Waiting for an adversary to be detected by conventional security tools will leave you one or two steps behind an attack and in a constant state of containment and remediation. So, how do you become proactive while enhancing your current security posture?
Many organizations have opted to form specialized intelligence, fusion, and most notably hunt teams, because what's sexier than boasting about having your own network ninjas? However, not all dojos are created equally (just ask the Karate Kid) and neither are hunt teams.
What is the overall mission of a hunt team? Who are the consumers of their outputs and how do you ingest threat information back into your organization to provide a proactive approach to security? Most importantly, where do you begin? These are some of the questions we will walk you through to help build an effective hunt team within your organization. But let's first start with the basics.
The Hunt Team Mission
Words have meaning and while it is not uncommon to hear the term "threat hunting", this term does not come close to fully defining the role. This is because a security threat can be ANYTHING that exploits a vulnerability within a network environment. While identifying threats is a necessary process, it is only a secondary "related" activity and is not the primary purpose of a hunt team.
Threats that have evaded traditional methods of detection are no longer threats; they are compromises. Hunt team actions are well-orchestrated, targeted and based on known threats. The purpose of a hunt team is to search for compromises and their indicators, based on the known TTPs (tactics, techniques, procedures) of threat actors.
1. Mature Operations
Key to the success of your hunt team is the ability of your organization to support its functions. This sounds obvious in theory but may not always hold in practice. It requires your organization to provide resources to the team (both technical and non-technical) and empower it with the authority to perform its work.
Forming a hunt team is not for everyone, as it requires mature security operations along with a SOC to support the team's efforts. The team will rely heavily on your current SOC's capabilities and will use the same tools as your analysts. In addition to SOC tools, a successful team will require some specialized tools (discussed in part 2) and will incur additional costs in your operating budget.
If you do not have mature operations and sound processes in place, you should not be looking to build a hunt team. Instead, focus on developing a proper incident response practice, instituting strong analyst training, and employing solid detection and alerting processes (e.g. SIEM event filtering, use case development). The hunt team will only be as effective as the tools and processes you have already established.
2. Tools and Resources
As mentioned above, SOC tools and capabilities are heavily utilized by a hunt team. This includes access to a well-managed SIEM, logs from endpoints, firewalls, proxies and IPS/IDS at a minimum (there are more), and threat intel feeds. The team will also require specialized tools (discussed in part 2) that need to be accounted for in your budget.
Non-technical resources are often overlooked, yet they are essential to an effective hunt operation. Access to intelligence reporting and industry articles is needed to stay current with APT activity. This information assists with building an internal threat knowledge management repository, which in turn helps develop hunts and perform analysis. The repository should consist of internal intelligence identified during hunts along with external data from various reporting agencies.
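To make the repository idea concrete, here is an added example (not code from the original post or from any particular tool): a minimal knowledge repository that stores indicators with their provenance (external report versus internal hunt finding) and the TTP they relate to, and a hunt routine that checks constructed endpoint/proxy events against it and writes the hosts it finds back in as internal intelligence. All indicator values, TTP labels, report names, hunt ids and log events are constructed placeholders.

```python
# Added example: a minimal threat knowledge repository and a hunt run over it.
# All indicators, TTP labels, report names, hunt ids and log events below are
# constructed placeholders for illustration; none come from the original post.
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Indicator:
    value: str      # the observable itself (domain, file hash, process name, host)
    kind: str       # event field it applies to: "domain", "sha256", "process", "host"
    ttp: str        # known adversary TTP the observable is associated with
    source: str     # "external-report" or "internal-hunt"
    reference: str  # where it came from: report name or hunt id (placeholders)


class KnowledgeRepo:
    """Stores indicators with provenance so hunts can be built from them
    and findings from those hunts can be fed back in."""

    def __init__(self) -> None:
        self._by_value: Dict[str, List[Indicator]] = {}

    def add(self, ind: Indicator) -> None:
        self._by_value.setdefault(ind.value.lower(), []).append(ind)

    def lookup(self, value: str, kind: str) -> List[Indicator]:
        # Case-insensitive match on the value, restricted to the right field kind
        return [i for i in self._by_value.get(value.lower(), []) if i.kind == kind]

    def by_ttp(self, ttp: str) -> List[Indicator]:
        return [i for inds in self._by_value.values() for i in inds if i.ttp == ttp]

    def source_counts(self) -> Counter:
        return Counter(i.source for inds in self._by_value.values() for i in inds)


Event = Dict[str, str]
FIELDS = ("domain", "sha256", "process")


def seed_repo() -> KnowledgeRepo:
    """External reporting plus one earlier internal finding (all placeholders)."""
    repo = KnowledgeRepo()
    repo.add(Indicator("updates.example-bad.test", "domain", "phishing-link-delivery",
                       "external-report", "vendor-report-placeholder"))
    repo.add(Indicator("a" * 64, "sha256", "credential-dumping-tool",
                       "external-report", "vendor-report-placeholder"))
    repo.add(Indicator("dumptool.exe", "process", "credential-dumping-tool",
                       "internal-hunt", "HUNT-0001"))
    return repo


def hunt(repo: KnowledgeRepo, events: List[Event], hunt_id: str) -> List[Tuple[Event, Indicator]]:
    """Compare each event's observable fields against the repository.
    Every hit is returned, and the host involved is recorded once as an
    internal-hunt indicator so later hunts can pivot on it."""
    hits: List[Tuple[Event, Indicator]] = []
    for ev in events:
        for field in FIELDS:
            val = ev.get(field)
            if not val:
                continue
            for ind in repo.lookup(val, field):
                hits.append((ev, ind))
                if not repo.lookup(ev["host"], "host"):
                    repo.add(Indicator(ev["host"], "host", ind.ttp, "internal-hunt", hunt_id))
    return hits


# Constructed sample events (a proxy record and two endpoint records)
SAMPLE_EVENTS: List[Event] = [
    {"host": "wks-017", "domain": "updates.example-bad.test", "process": "browser.exe"},
    {"host": "wks-017", "process": "dumptool.exe", "sha256": "b" * 64},
    {"host": "srv-db-02", "domain": "intranet.corp.test", "process": "sqlservr.exe"},
]

if __name__ == "__main__":
    repo = seed_repo()
    for ev, ind in hunt(repo, SAMPLE_EVENTS, "HUNT-0002"):
        print(f"{ev['host']}: {ind.kind}={ind.value} ttp={ind.ttp} via {ind.source}/{ind.reference}")
    print("repository by source:", dict(repo.source_counts()))
```

The point of the provenance fields is that every hit is traceable back to the report or hunt that produced the indicator, and the host written back by `hunt` carries the new hunt id, so the repository grows from the team's own findings rather than only from external feeds.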
3. Experienced Analysts
Hunt team operations are a senior-level function and require experienced staffing. Experience is key, and we strongly suggest that the analysts who fill this role have at least 8 years of analyst experience MINIMUM. The ideal candidate should have a background working in various network environments, command line experience in both Windows and Linux, familiarity with at least one scripting language, etc. Without writing a complete job description to get my point across: you need experience! Much like Farmers Insurance, you need someone "who's seen a thing or two" and truly understands the life cycle of various attacks.
Threat hunting is not a role you can train a junior analyst to fill, no matter how sharp they are. The right person for the job will greatly impact the success of the team.
4. Organization and Department Buy-In
Many organizations attempt to stand up hunt teams only to find that the team has failed to meet expectations. This is typically not based on team performance but rather on a lack of successful integration into the organization’s operations.
Building a security strategy that ensures the hunt team is embedded in your processes is key to success. This may include educating ops teams and departments on the hunt team's scope and giving the team the authority to perform its tasks. Additionally, setting clear expectations for the team's outputs and deliverables, and for how it will collaborate with SOC operations, will ensure buy-in.
Deliverables outside of hunt activity can include tipper reports to the analyst team, a weekly briefing on current APT campaigns, and more. A hunt team can bring business-impacting value to an organization. However, if the rest of the team is unaware of its role and outputs, that value will go unseen.
As you can see, there are many aspects to consider before establishing a hunt team. Those outlined above are just a few high-level considerations, with SOC maturity being key.
Next time we will discuss preparing to hunt, along with identifying risk and threats to build hunts, specific inputs and outputs of a hunt team, specialized tools, logs, building and automating hunts, reporting, data visualizations along with team deliverables, and their use (Whew!).