Advice for Threat Hunting
Threat hunting is the next evolution of security. Here are some key points to keep in mind.
We had the opportunity to speak to Greg Bell (CEO), Brian Dye (CPO), and Alan Saldich (CMO) of Corelight during the IT Press Tour in San Francisco. Corelight is the enterprise offering of Zeek (formerly Bro), which was initially developed to protect the demanding environment of the Department of Energy and the Energy Sciences Network, including the NERSC supercomputing facility at Lawrence Berkeley National Laboratory.
Want to see where threat hunting fits in with the broader security landscape? Check out The Future of Security, Part One.
The threat hunting workflow includes:
- Having visibility into the network and the endpoints, so that you know the environment and have context for threat intelligence.
- Looking for anomalies and following the unusual activity through the IPs/domains, certificates, and tools involved.
- Confirming the thesis of a breach through understanding, documentation, containment, and remediation.
- Automating the results and the response with SIEM queries, algorithms, coverage, and training.
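The middle steps of that workflow (spotting anomalies, then pivoting on IPs, certificates and behaviour) are easiest to see over the kind of logs Zeek produces. The following is an added example written for this article, not code from Corelight or the Zeek project: it runs three simple hunts over constructed, simplified Zeek-style conn.log and ssl.log records (the sample records, the column subset, and the thresholds are assumptions chosen for illustration) and merges the hits per destination so the analyst knows what to chase first. The same logic is what you would later turn into a scheduled SIEM query once a hunt has proven itself.

```python
"""Added example: three hunts over constructed Zeek-style logs (not the
article's or Zeek's own code). Column names follow Zeek's conn.log and
ssl.log, but only the fields used here are present and the records are
made up; thresholds (min_conns, max_cv, max_sources) are assumptions."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed conn.log: 10.0.0.5 talks to 203.0.113.7 every ~60 s with
# near-identical sizes (beacon-like); 10.0.0.8/10.0.0.9 use a normal service.
CONN_LOG = """\
#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tproto\torig_bytes\tresp_bytes
1700000000.00\t10.0.0.5\t203.0.113.7\t443\ttcp\t312\t1480
1700000060.02\t10.0.0.5\t203.0.113.7\t443\ttcp\t310\t1502
1700000120.01\t10.0.0.5\t203.0.113.7\t443\ttcp\t315\t1470
1700000179.98\t10.0.0.5\t203.0.113.7\t443\ttcp\t311\t1490
1700000240.03\t10.0.0.5\t203.0.113.7\t443\ttcp\t309\t1510
1700000005.00\t10.0.0.8\t198.51.100.20\t443\ttcp\t1200\t88000
1700000400.00\t10.0.0.8\t198.51.100.20\t443\ttcp\t2500\t120000
1700000900.00\t10.0.0.8\t198.51.100.20\t443\ttcp\t900\t3000
1700000950.00\t10.0.0.8\t198.51.100.20\t443\ttcp\t700\t2000
1700001400.00\t10.0.0.9\t198.51.100.20\t443\ttcp\t400\t900
"""

# Constructed ssl.log: the beacon's TLS session has no SNI and a self-signed cert.
SSL_LOG = """\
#fields\tts\tid.orig_h\tid.resp_h\tserver_name\tsubject\tissuer\tvalidation_status
1700000000.00\t10.0.0.5\t203.0.113.7\t-\tCN=localhost\tCN=localhost\tself signed certificate
1700000005.00\t10.0.0.8\t198.51.100.20\tupdates.example.com\tCN=updates.example.com\tCN=Example CA\tok
"""


def parse_zeek_tsv(text):
    """Parse Zeek TSV output using its #fields header; '-' marks an unset field."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            vals = [None if v == "-" else v for v in line.split("\t")]
            rows.append(dict(zip(fields, vals)))
    return rows


def beacon_candidates(conn, min_conns=4, max_cv=0.05):
    """Flag (src, dst, port) flows whose inter-arrival times are near-constant.
    cv = stdev/mean of the gaps; human-driven traffic is bursty, beacons are not."""
    by_flow = defaultdict(list)
    for r in conn:
        by_flow[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(float(r["ts"]))
    found = []
    for flow, stamps in by_flow.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:  # duplicate timestamps; nothing to measure
            continue
        if pstdev(gaps) / avg <= max_cv:
            found.append({"flow": flow, "count": len(stamps), "period_s": round(avg, 1)})
    return found


def rare_destinations(conn, max_sources=1):
    """Responders that only a few internal hosts ever contact. Shared services
    are reached from many sources; a C2 server usually from one."""
    sources = defaultdict(set)
    for r in conn:
        sources[r["id.resp_h"]].add(r["id.orig_h"])
    return {dst: sorted(s) for dst, s in sources.items() if len(s) <= max_sources}


def suspicious_tls(ssl):
    """TLS sessions whose certificate did not validate (or was never validated)
    or that carry no SNI, as tooling that talks straight to an IP often does."""
    return [r for r in ssl if r["validation_status"] != "ok" or r["server_name"] is None]


def hunt(conn_text=CONN_LOG, ssl_text=SSL_LOG):
    """Run all hunts and pivot on the destination: a host that trips several
    independent rules is the one to document, contain and remediate first."""
    conn, ssl = parse_zeek_tsv(conn_text), parse_zeek_tsv(ssl_text)
    reasons = defaultdict(list)
    for b in beacon_candidates(conn):
        reasons[b["flow"][1]].append("beacon every %ss from %s" % (b["period_s"], b["flow"][0]))
    for dst, srcs in rare_destinations(conn).items():
        reasons[dst].append("rare destination, sources=%s" % srcs)
    for r in suspicious_tls(ssl):
        reasons[r["id.resp_h"]].append("tls: %s, sni=%s" % (r["validation_status"], r["server_name"]))
    return dict(reasons)


if __name__ == "__main__":
    for dst, why in sorted(hunt().items(), key=lambda kv: -len(kv[1])):
        print(dst, "->", "; ".join(why))
```

On the constructed data only 203.0.113.7 is reported, with all three reasons attached; the legitimate update server trips nothing. Each rule on its own produces noise on a real network (monitoring agents beacon too, internal CAs fail validation), which is why the pivot step matters: the hunt is the intersection, and the first hit's certificate subject and source host are the next things to search for.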
The threat hunting process feeds the incident response process (triage, alert, remediate, and recover), which can be automated. Only 10% of organizations currently have a threat hunting team. Threat hunting gives security professionals a chance to find and resolve a problem themselves, which is more rewarding than only trying to prevent breaches. Threat hunting is driven by data, while incident response is driven by alerts.
Brian recommends blending staff so that the same people do both threat hunting and incident response; that avoids burning people out on incident response alone. Threat hunting is driving a security analytics revolution.
The best network data has three attributes that fuel threat hunting:
- Adaptive data that is clean and accurate
- Community defense, for example treating the SSL/TLS handshake as a unique fingerprint that can be shared with others
- Irreplaceable insight at the network traffic level
Key points:
- Threat hunting is the new trend, driven by the recognition that detection efforts can and will be bypassed.
- Threat hunting focuses on finding unusual activity hidden within normal traffic, and it leads to improved incident response through automation and better understanding.
- The right data must be adaptive, community-driven, and insightful.