Threat Hunting Program: 5 Best Practices for Success

There was a pretty significant stat released recently in Mandiant’s M-Trends 2022 report. In it, they cite that the average number of days an attacker resides on a system before detection (the “dwell time”) dropped from 24 days in 2020 to 21 days in 2021. On the surface, that statistic may seem encouraging, especially with the ubiquity of tools that aid visibility like EDR, NDR, and XDR. But the report also says that adversaries, led by ransomware actors, are becoming less concerned with stealth and more goal-oriented. It’s also telling that even with these advanced tools in place, adversaries can still evade detection, and security teams are often forced to sift through the wreckage and figure out how bad the damage really was.

This is especially concerning for MSSP and MDR providers, who are often entrusted with monitoring dozens or hundreds of clients. Are you confident your security teams can detect the initial adversary foothold when 2021 saw a record number of zero-days used in the wild? Relying on reactive security technologies to alert you to a breach often leaves security teams a day late and a dollar short. This is where a threat hunting program can enable MSSP and MDR providers to proactively search their customers’ environments for threats that have evaded security controls, before those threats can achieve their nefarious goal.


What is a threat hunting program?

Suffice it to say that threat hunting is a term that gets thrown around a lot in cybersecurity. I like it very much. And you’ll often hear words like “proactive” and “iterative” along with it. Unfortunately, many of these definitions are too light on the actual details.

Threat hunting is a security methodology, based on hypotheses or data, that seeks out unknown threats. We’ll get to what this means in a second, but just as important is what threat hunting is not: it is not based on IOCs. Threat hunts won’t start with IOCs, but they will generate them. This is because IOCs represent known threats, and if they are known, you shouldn’t be searching for them, you should be blocking them.

Data-driven hunting begins with hunters reviewing log files, often looking for outliers or anomalies. This type of hunting is often where organizations first get their feet wet with threat hunting, but it can be overwhelming, as it can feel like searching for a needle in a haystack. Hypothesis-driven hunting is more specific. It starts with a broad question and, through a series of refinements, is narrowed down to a specific hypothesis, usually focused on a specific behavior (often referred to as a TTP). A hunt team will then scan an environment for that specific behavior to see if the organization has been affected.

Another key element of the definition of threat hunting is that it is not tool-based: threat hunting is based on people and processes. Just because an organization has a threat hunting platform doesn’t mean they are hunting. But if you have the people and processes in place, you can hunt using almost any security tool. Despite this, most organizations struggle in the early stages of creating a threat hunting program. To help counter this, we’ve put together 5 best practices every MSSP and MDR vendor should consider when setting up a threat hunting program.

5 Best Practices for a Threat Hunting Program

In a Threat Hunting program, visibility is key.

As we have said, a threat hunting program is not based on a specific platform or tool, but on people and processes. However, you can significantly improve the results of your threat hunting program by ensuring that your hunt teams have access to the right log data. If your organization has focused primarily on traditional block-based security, this means you’ll probably need to start ingesting a lot more log data. After all, threat hunters can only hunt what they can see. This will require log data from your security tools, endpoints, and network. If you want to dig into this, we’ve put together a pretty comprehensive list of the best log data at the endpoint and network level.

Baselining is hard, but it’s worth it for threat hunting programs!

Another very important element of a successful threat hunting program is a process called baselining. This is something every security team should be doing, to one degree or another, but for threat hunting it is absolutely crucial. This is because the behaviors that hunters look for are not always malicious; sometimes they are simply suspicious.

Is that Excel spreadsheet accessing an AWS endpoint the first stage of a malware attack?

Or is it a power user who has automated a time-consuming part of their job?

Threat hunters use the baseline to determine what is normal in an environment. While this may seem like a daunting task, especially for MDRs or MSSPs that may have dozens of clients or more, it’s good to keep in mind that this will be an ongoing practice, so it’s not a prerequisite for threat hunting, but more of a co-requisite. We recommend using a collaborative platform to document these ongoing findings to help with knowledge transfer.
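As an added example (not code from the original post or from Cyborg Security), the Python below builds a baseline from constructed endpoint connection logs and triages new process-to-destination pairs against it, so the Excel-to-AWS case above lands in a different bucket depending on whether that host has done it before. All hosts, processes, destinations and the three-host threshold are made-up assumptions.

```python
from collections import defaultdict

# Constructed history of outbound connections: (host, process, destination);
# the repeated ws-07 rows stand in for a power user's automation.
HISTORY = [
    ("ws-01", "outlook.exe", "outlook.office365.com"),
    ("ws-02", "outlook.exe", "outlook.office365.com"),
    ("ws-03", "outlook.exe", "outlook.office365.com"),
    ("ws-07", "excel.exe", "s3.us-east-1.amazonaws.com"),
    ("ws-07", "excel.exe", "s3.us-east-1.amazonaws.com"),
]
# Constructed events from the current hunt window.
NEW_EVENTS = [
    ("ws-01", "outlook.exe", "outlook.office365.com"),
    ("ws-07", "excel.exe", "s3.us-east-1.amazonaws.com"),
    ("ws-02", "excel.exe", "s3.us-east-1.amazonaws.com"),
    ("ws-04", "excel.exe", "203.0.113.10"),
]
# Pairs seen on at least this many hosts count as fleet-wide normal (assumed threshold).
ENV_NORMAL_HOSTS = 3
PRIORITY = {"never-seen": 0, "spreading": 1, "host-normal": 2, "env-normal": 3}

def build_baseline(events):
    """Map each (process, destination) pair to the set of hosts observed doing it."""
    baseline = defaultdict(set)
    for host, proc, dest in events:
        baseline[(proc, dest)].add(host)
    return baseline

def triage(event, baseline):
    """Classify one new event relative to the baseline."""
    host, proc, dest = event
    seen_on = baseline.get((proc, dest), set())
    if len(seen_on) >= ENV_NORMAL_HOSTS:
        return "env-normal"      # common across the fleet
    if host in seen_on:
        return "host-normal"     # this host has done it before (e.g. automation)
    if seen_on:
        return "spreading"       # known elsewhere, new on this host
    return "never-seen"          # nothing like it in the baseline

def hunt(new_events, history):
    """Return new events with their bucket, rarest first for review."""
    baseline = build_baseline(history)
    findings = [(e, triage(e, baseline)) for e in new_events]
    return sorted(findings, key=lambda f: PRIORITY[f[1]])

if __name__ == "__main__":
    for event, bucket in hunt(NEW_EVENTS, HISTORY):
        print(f"{bucket:<12} {event}")
```

Reviewed "never-seen" and "spreading" findings that turn out benign get appended to the history, which is the ongoing, co-requisite nature of baselining described above.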

Never stop hypothesizing

As security teams mature their threat hunting program, they often begin to incorporate hypothesis-driven hunting into the mix. As we mentioned, this type of hunting starts with the assumption that a network has been compromised via a particular vector, and ultimately boils down to the “behaviors” you would expect to see from that adversary.

This is where many organizations initially stumble and end up turning to IOCs.

This often happens because teams aren’t sure where to derive these behaviors from, especially since many threat intelligence “briefs” don’t mention them. This is where hunters must draw on a wide range of experience, including previous engagements and past incidents. For MSSP and MDR providers, this can be especially challenging if their clientele spans industries, sectors, and geographies. The challenge is multiplied when threat hunting teams are faced with the task of not only developing, testing, and deploying hunts, but also keeping them up to date. In this case, or for teams just starting out, threat hunting content platforms can help by providing a broad spectrum of developed and tested threat hunting content that can be instantly deployed to security tools from multiple vendors. For example, a community account on Cyborg Security’s HUNTER platform offers dozens of threat hunting packages for some of the most common adversary behaviors, absolutely free! This can give hunting teams the breathing room they need to catch up and keep up with the ever-evolving threat landscape.

Using hunting as a force multiplier

A common mistake security teams make when starting threat hunting is to view threat hunting as an island unto itself: the team hunts, finds, and remediates. The reality is that threat hunting should be used as a force multiplier. When hunters identify something that has eluded detection, it is critical that actionable detection content be created, so that in the future SOC teams can respond appropriately and hunters do not waste their time hunting the same threats over and over again.

Don’t “chase the squirrel”

One challenge many security teams face is the temptation to just “chase the squirrel” when looking for threats. This happens when a new high-profile vulnerability, malware, or exploit is released, often to mainstream media outlets, and, especially for MSSP and MDR vendors, is usually accompanied by a flurry of emails and phone calls asking whether customers have been impacted. While this is a tale as old as time in security, the reality is that it is also the least efficient use of threat hunting resources. This is because hunting teams should be actively looking for the behaviors an adversary would exhibit once inside an environment. Could they look for the exploitation of a particular vulnerability instead?

Especially in the “fog of war” that often surrounds these big events, all the details of the attack are often not yet fully known or developed. But if you overlay active monitoring for exploitation (typically done by a SOC team) with hunting for the known behaviors adversaries exhibit once they get past the perimeter, you make your organization’s security even stronger.


MSSP and MDR providers have become a crucial link in the chain of organizational security. And with this has come the realization that traditional reactive security is no longer enough, and that there is a critical need to provide advanced services like threat hunting to keep adversaries at bay.

The Threat Hunting Program: 5 Best Practices for Success post first appeared on Cyborg Security.

*** This is a syndicated Security Bloggers Network blog from Cyborg Security written by Josh Campbell. Read the original post at: