We all love finding the bad stuff in logs. The thrill of a stats command revealing an anomaly you didn’t notice before. Your SPL returns 10 results; all of them are malicious, and suddenly, you are off to the races. But what does your manager do with that? How do they show the value of your team if those 10 results aren’t malicious? How did your team come to be, and where is it going?

Today, we are going to be talking about a manager’s view of threat hunting. This post is meant to give you some insight into what your manager really does all day (hint: it is mostly Excel and PowerPoint). If you’re a manager, hopefully, this provides new ways to approach and think about threat hunting in your organization.

Why Hunt?

Hopefully, your organization has already established this, but if not, let's discuss why incorporating threat hunting is essential for your organization. Our goal is to define the purpose and return on investment for threat hunting. Saying, “I’m going to find the APT hiding in our logs,” isn’t enough to justify bringing in a new program, so what is?

There are several reasons why we should hunt, and oftentimes, people get focused solely on finding the threats. There are several other reasons why threat hunting is good for your environment though:

1. Find unknown threats that bypassed reactive security controls

2. Identify gaps in security protections

3. Improve detection capabilities for SOC/IR

4. Validate existing security controls and investments

5. Compliance with regulations and policies

The justification for this function may expand based on your hunt team's resources, but these serve as a strong starting point. As a manager, I can find a way to spin any hunt as a win for the organization by sorting findings and outputs into these buckets.

Building the Right Team

When building out a threat hunting team, diversity of experience and thought is key. Anyone can hunt and it should not be some gate kept secret art that we teach only a select few.

Generally, you should look for folks who:

• Are relentlessly curious

• Have a strong analytical mindset

• Experienced a variety of different security events

And you might think to yourself, well, those are generic and decidedly unhelpful, but these are only guidelines. You must decide what is important to you and how to test for those attributes.

SOC analysts and incident responders have the easiest time moving into threat hunting because of their foundational knowledge and similar investigation skills. However, I have also met red teamers who made excellent threat hunters, so don’t rule people out just because they don’t have the exact experience you would expect.

As a manager, our job is to take the right folks and foster a culture that allows the team to thrive. This means you need the right processes and technology, in addition to the people.

Keep in mind that the right team might not be the ideal team. Often, we see organizations that can’t swing full-time, dedicated threat hunters. That is not a prerequisite to threat hunting, though.

If you only have a team of five, your job as a manager is to ensure there is dedicated time for threat hunting. You also need to ensure that the team receives appropriate training if they are new to threat hunting. There are numerous threat hunting training opportunities, ranging in cost and instruction type, that your team can leverage.

Note that I said dedicated time for threat hunting. This is the most important part of building a team to hunt. If your team is getting interrupted or context switching, you won’t get the real value from threat hunting that exists.

Showing Value

In all organizations, you will have to show the value of your function. If you are trying to start a threat hunting team, you may even have to show the value of expanding to a dedicated function before being given the resources to do so. It may be helpful to do a few small threat hunts to show value - check out HEARTH which has dozens of threat hunt ideas that can get you started!

One of the key roles of a manager is to constantly show the value of your team members and your organization. We become very good at bragging about our team while tying it back to the interests of our company.

But what are the ways to show value?

Every single threat hunt must have an output.

Every.

Single.

Threat Hunt.

Every.

Single.

Time.

If you take nothing else from this post, please take into account that there is always something to find and show from hunts.

Did you create an awesome query that only returns a handful of results? Submit it for a new detection.

Did you find that your finance organization approves large wire transfers via email only with no phone call check? Propose a new policy measure requiring verbal confirmation over a certain amount.

Did you realize your email system is blocking all .mp3s but not all .mp4s? Propose blocking the .mp4 file extension as well.

So many times, I see threat hunters find nothing “bad” and end their hunt discouraged and frustrated. When in actuality, they found a lot of stuff that affirmed the organization was moving in the right direction from an investment perspective, and there were opportunities for internal improvements.

What About Metrics?

Metrics are a great way to show the value and trending impact of threat hunting at your organization. Most executives rely on a variety of metrics to take the temperature of their organization and make strategic changes.

We will do an entirely separate post on threat hunting metrics, so keep an eye out for that. In the meantime, here are a few quick win metrics that will help you communicate value to the organization:

1. Number of new detections created from threat hunts

2. Number of new incidents raised as a result of threat hunts

   1. Either during the threat hunt or as a result of threat hunt outputs

3. Number of outputs produced as a result of threat hunts

4. Number of threat hunts conducted by MITRE Tactic or Kill Chain phase

5. Threat hunting team maturity level (HMM)

Communicating Value

We did some threat hunting, and we tracked some metrics. Now how do we go about communicating all our greatness? That is where a manager is key.

My job as a manager is to constantly show our work and sell the narrative around that work. Threat hunts that happen in a bubble are not helpful to anyone. I encourage you to have threat hunting readouts with at least one team outside of the threat hunting organization. These should discuss what you threat hunted, what you found, and the outputs from the threat hunt.

From there, communicating threat hunting wins and statuses on at least a monthly basis should be standard. Your leadership should know the types of hunts that are ongoing and the progress of the outputs. Combine these updates with your metrics, and you will both show and communicate value regularly.

A good stretch goal is to start collaborating with other teams to formulate new hunt ideas and hypotheses. This will increase the vested interest in your work and potentially uncover new areas to hunt that you hadn’t considered before!

Key Takeaways

• Communicate why you are hunting - it’s more than trying to find bad!

• Build the right team around you

• Have dedicated time to threat hunt

• Every hunt must have an output

• Create metrics to show trends and impact of your work

• Don’t work in a bubble - be transparent about your hunting

Call to Action

• Develop new outputs for your next threat hunt

• Keep an eye out for our next post on deep-diving threat hunting metrics

• What else do you want to see from a manager's perspective? Prioritizing hunts? Fighting for new resources? Let us know!

Happy thrunting! 🚀

Resources

• https://www.splunk.com/en_us/blog/security/peak-threat-hunting-metrics.html

• https://detect-respond.blogspot.com/2015/10/a-simple-hunting-maturity-model.html

Leave a comment