Turning Hunts Into Value: The Role Of Threat Hunting In SecOps And Business | With Alexis Wales, Lauren Proehl, And Neil R. Wyler (Grifter)


By ITSPmagazine Podcast, Marco Ciappelli, and Sean Martin.

Threat hunting has become a hot topic throughout the cybersecurity community and a common activity within many information security programs. What is the goal of a hunt, and what real value does it bring to the business? That's precisely what we get into during today's episode.

The act of threat hunting sounds really cool, and it definitely seems like it would be a lot of fun. With all its allure, it's no wonder many InfoSec professionals want to hunt.
What makes it so appealing? Perhaps—unlike a formal penetration test where there are pre-defined boundaries and rules—a hunt is a bit more like the Wild West where there are no rules, no boundaries, no holds barred. It is a free-for-all with no guidelines to follow. Or is it?

The trigger for this conversation came from a tweet from @tazwake that crossed my feed. It prompted me to consider the role of threat hunting within a security program and how the InfoSec organization and the business can justify the investment. If it's all loosey-goosey in its definition, action, and results, how can it be successfully measured and quantified?

As we dig into this during the conversation, there are many burning questions we attempt to address under this top-level query:

  • How do you scope the hunt; how do you ensure that the scope is relevant?
  • How do you capture and document what you find; what do you do with those findings?
  • How do you learn from a hunt to make the next ones better? Do you just rerun the same hunt over and over and over?
  • Is there even such a thing as "a hunt," or is it really an ongoing activity with no start/stop/finish?

The truth is, none of the answers to the above questions matter if we can't connect them back to the business. Did the hunt reduce exposure, did it reduce risk, did it help boost the security posture—examples which should link back to the top and bottom lines of the business. This may seem harder than it sounds. It may just be. Let's see what our guests have to say.

"Don't be afraid of threat hunting. It sounds fancy and shiny. But in reality, it is just leveraging a lot of things that we've been doing for a very long time—having expert threat hunters that are knowledgeable across a broad range of security is great, but your entry-level analysts can show value in a threat hunt as well."—Neil R. Wyler

"I've always said that it's not about how many threat hunts that you do, it's the actionable impact that you have from your threat hunts."—Lauren Proehl

"We have a very large organization at DHS, the Cybersecurity Infrastructure Security Agency (CISA) and we've had to describe very technical events and activities in non-technical ways because our communications go vertically, they go horizontally, they go every direction you can imagine."—Alexis Wales


Alexis Wales, Deputy Associate Director, Threat Hunting, Cybersecurity and Infrastructure Security Agency (CISA), U.S. Department of Homeland Security

Lauren Proehl, Manager, Threat Hunting Operations and Research (THOR) for a Fortune 200 (@jotunvillur on Twitter)

Neil R. Wyler (Grifter), Threat Hunting and Incident Response Specialist, RSA Security (@Grifter801 on Twitter)

This Episode's Sponsors:

Nintex: https://itspm.ag/itspntweb

Imperva: https://itspm.ag/imperva277117988


The Twitter post that triggered the inspiration for this episode: https://twitter.com/tazwake/status/1322267503284944897

Related Podcast: Day In The Life Of A Cyber Threat Intelligence Analyst | A Conversation With Remi Cohen, Charity Wright, And Jason Passwaters: https://itsprad.io/the-academy-357

MITRE ATT&CK: https://attack.mitre.org

DFIR and Threat Hunting Blog: https://findingbad.blogspot.com

Threat hunting focused conference: https://www.sans.org/event/threat-hunting-and-incident-response-summit-2020

Whitepaper on developing a hypothesis to hunt - Generating Hypotheses for Successful Threat Hunting: https://sans.org/reading-room/whitepapers/threats/generating-hypotheses-successful-threat-hunting-37172

Some Twitter accounts to follow:

Nicole Beckwith - https://twitter.com/NicoleBeckwith

David J Bianco - https://twitter.com/DavidJBianco

Jack Crook - https://twitter.com/jackcr

Grifter - https://twitter.com/Grifter801

Yonathan Klijnsma - https://twitter.com/ydklijnsma

Ryan Kovar - https://twitter.com/meansec

Robert M Lee - https://twitter.com/RobertMLee

Rob T Lee - https://twitter.com/robtlee

Katie Nickels - https://twitter.com/likethecoins

Michael Rea - https://twitter.com/ComradeCookie
