Turning Hunts Into Value: The Role Of Threat Hunting In SecOps And Business | With Alexis Wales, Lauren Proehl, And Neil R. Wyler (Grifter)
Threat hunting has become a hot topic throughout the cybersecurity community and a common activity within many information security programs. What is the goal of a hunt, and what real value does it bring to the business? That's precisely what we get into during today's episode.
The act of threat hunting sounds really cool, and it definitely seems like it would be a lot of fun. With all its allure, it's no wonder many InfoSec professionals want to hunt.
What makes it so appealing? Perhaps—unlike a formal penetration test where there are pre-defined boundaries and rules—a hunt is a bit more like the Wild West where there are no rules, no boundaries, no holds barred. It is a free-for-all with no guidelines to follow. Or is it?
The trigger for this conversation came from a tweet from @tazwake that crossed my feed. It prompted me to consider the role of threat hunting within a security program and how the InfoSec organization and the business can justify the investment. If it's all loosey-goosey in its definition, action, and results, how can it be successfully measured and quantified?
As we dig into this during the conversation, there are many burning questions we attempt to answer in service of that top-level query:
- How do you scope the hunt; how do you ensure that the scope is relevant?
- How do you capture and document what you find; what do you do with those findings?
- How do you learn from a hunt to make the next ones better? Do you just rerun the same hunt over and over and over?
- Is there even such a thing as "a hunt," or is it really an ongoing activity with no start/stop/finish?
The truth is, none of the answers to the above questions matter if we can't connect them back to the business. Did the hunt reduce exposure, did it reduce risk, did it improve the security posture? Each of these should link back to the top and bottom lines of the business. That may be harder than it sounds. Let's see what our guests have to say.
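One way to make the questions above answerable with numbers, as an added example that is not from the episode or its guests: a small Python "hunt ledger" that records each hypothesis-driven hunt (hypothesis, scope, the MITRE ATT&CK techniques it maps to, and what came out of it) and rolls the records up into metrics a security lead can put in front of the business. The record schema, the outcome buckets, the metric names and the sample hunts are all assumptions made for this illustration; the ATT&CK technique IDs are real but chosen only as examples.

```python
"""Hunt ledger: record hypothesis-driven hunts and roll their outcomes up into
reportable metrics. Illustrative code; the schema, outcome buckets and metric
names are assumptions, not anything defined in the episode."""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Hunt:
    hunt_id: str
    hypothesis: str               # testable claim about what the adversary would do
    scope: str                    # assets and data sources the hunt actually covered
    attack_techniques: list       # MITRE ATT&CK technique IDs the hypothesis maps to
    findings: int = 0             # confirmed true-positive findings from this hunt
    detections_created: int = 0   # hypotheses turned into standing detections
    gaps_found: list = field(default_factory=list)  # visibility/logging gaps noted


def classify(hunt: Hunt) -> str:
    """Outcome bucket for one hunt. A hunt with no findings still has value if it
    produced a standing detection or exposed a visibility gap; only a hunt that
    produced none of those is 'no-yield'."""
    if hunt.findings:
        return "finding"
    if hunt.detections_created:
        return "detection"
    if hunt.gaps_found:
        return "gap"
    return "no-yield"


def summarize(hunts) -> dict:
    """Roll a list of Hunt records up into the numbers worth reporting."""
    outcomes = Counter(classify(h) for h in hunts)
    techniques = Counter(t for h in hunts for t in h.attack_techniques)
    # A hypothesis hunted more than once that never became a detection is a
    # candidate for automation (or for retiring) rather than another manual rerun.
    by_hypothesis = Counter(h.hypothesis for h in hunts)
    repeated = sorted(
        hyp for hyp, n in by_hypothesis.items()
        if n > 1 and not any(h.detections_created for h in hunts if h.hypothesis == hyp)
    )
    return {
        "hunts": len(hunts),
        "outcomes": dict(outcomes),
        "detections_created": sum(h.detections_created for h in hunts),
        "visibility_gaps": sorted({g for h in hunts for g in h.gaps_found}),
        "techniques_covered": sorted(techniques),
        "repeat_without_detection": repeated,
    }


# Constructed sample ledger (not real hunts): five hunts over three hypotheses.
SAMPLE_HUNTS = [
    Hunt("H-1", "Scheduled tasks used for persistence on servers",
         "Windows servers, 30 days", ["T1053.005"], detections_created=1),
    Hunt("H-2", "Credential dumping via LSASS access",
         "Domain controllers, 14 days", ["T1003.001"], findings=1, detections_created=1),
    Hunt("H-3", "Scheduled tasks used for persistence on servers",
         "Windows servers, 30 days", ["T1053.005"]),
    Hunt("H-4", "Unusual outbound DNS volume (tunneling)",
         "Egress DNS, 7 days", ["T1071.004"],
         gaps_found=["DNS query logs not forwarded from branch resolvers"]),
    Hunt("H-5", "Unusual outbound DNS volume (tunneling)",
         "Egress DNS, 7 days", ["T1071.004"]),
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_HUNTS).items():
        print(f"{key}: {value}")
```

On the sample ledger the rollup shows two standing detections created, one confirmed finding, one visibility gap, and one hypothesis (the DNS one) that was hunted twice with nothing to show for it, which is the "do you just rerun the same hunt" question from the list above turned into a flag rather than a feeling. The scheduled-task hypothesis was also hunted twice, but because the first pass became a detection it is not flagged.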
"Don't be afraid of threat hunting. It sounds fancy and shiny. But in reality, it is just leveraging a lot of things that we've been doing for a very long time—having expert threat hunters that are knowledgeable across a broad range of security is great, but your entry-level analysts can show value in a threat hunt as well."—Neil R. Wyler
"I've always said that it's not about how many threat hunts that you do, it's the actionable impact that you have from your threat hunts."—Lauren Proehl
"We have a very large organization at DHS, the Cybersecurity Infrastructure Security Agency (CISA) and we've had to describe very technical events and activities in non-technical ways because our communications go vertically, they go horizontally, they go every direction you can imagine."—Alexis Wales
The Twitter post that triggered the inspiration for this episode: https://twitter.com/tazwake/status/1322267503284944897
Related Podcast: Day In The Life Of A Cyber Threat Intelligence Analyst | A Conversation With Remi Cohen, Charity Wright, And Jason Passwaters: https://itsprad.io/the-academy-357
MITRE ATT&CK: https://attack.mitre.org
DFIR and Threat Hunting Blog: https://findingbad.blogspot.com
Threat hunting focused conference: https://www.sans.org/event/threat-hunting-and-incident-response-summit-2020
Whitepaper on developing a hypothesis to hunt - Generating Hypotheses for Successful Threat Hunting: https://sans.org/reading-room/whitepapers/threats/generating-hypotheses-successful-threat-hunting-37172
Some Twitter accounts to follow:
Nicole Beckwith - https://twitter.com/NicoleBeckwith
David J Bianco - https://twitter.com/DavidJBianco
Jack Crook - https://twitter.com/jackcr
Grifter - https://twitter.com/Grifter801
Yonathan Klijnsma - https://twitter.com/ydklijnsma
Ryan Kovar - https://twitter.com/meansec
Robert M Lee - https://twitter.com/RobertMLee
Rob T Lee - https://twitter.com/robtlee
Katie Nickels - https://twitter.com/likethecoins
Michael Rea - https://twitter.com/ComradeCookie