Intelligent CISO Issue 27 | Page 50

Greg Iddon, Senior Product Marketing Manager, Managed Threat Response, Sophos

and every time, but you can begin measuring the success and quality of the data sets to determine what is and what isn’t leading to improvements.

3. Advocate for getting new data embedded into the process. As the organisational threat model changes, gaps in coverage can quickly be identified. This allows a case to be made to collect and leverage new data sources to accomplish the hunting goals.

Organisations new to threat hunting often overextend the area of data source identification. This is especially the case for those that take the SIEM approach to data collection and aggregation. It is not the volume of data that matters, but one’s ability to identify threats within that data. It is far better to take a threat-centric approach to data collection, whereby a type of threat or vector is considered and then the data that aids detection of that threat is identified for collection. Frameworks like MITRE’s ATT&CK are invaluable tools to help map threat hunting capabilities and to reveal blind spots.

Another common failure made during data collection is to not make full use of the potential of a data source. To give an example, Microsoft Windows event logs are an incredibly powerful source of data for threat hunters, but the default security audit policy leaves many events logged without enough detail to aid hunters, and requires manual reconfiguration to tune up event details. Care and consideration must be given to each data source to avoid simple but common pitfalls such as this.

Use of hunting data

Hunting by design is there to identify potential threats that circumvent conventional monitoring controls. This requires formalised procedures and workflow to ensure that as new hunting hypotheses are generated, they can easily flow through the ‘system’ and go through the necessary testing, analysis and refinement. The end goal of any hunting team should be to automate and enhance current procedures. To be more specific, as the hunting team completes hunts and those hunts turn up malicious or anomalous activity that is worthy of investigation, those methods should be taken and turned into automated searches or queries that can be run by the monitoring team. This threshold of promotion will vary between organisations and teams but is an important step to keep the hunt team looking forward at new possible threats.
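The following is an added example, not code from the article or from Sophos, that ties together two points made above: a data source collected at default detail can leave a hunt with a blind spot (here, process-creation records without a command line), and a hunt that proves itself on data is promoted into a query specification the monitoring team can run on a schedule. The event records are constructed for the example and only loosely shaped like Windows Security event 4688; the hunt names, the `promote` output format and the schedule value are assumptions for illustration. The ATT&CK technique ids are used as mapping labels only.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Set

Event = Dict[str, object]

# Constructed sample records, loosely shaped like Windows Security event 4688
# (process creation). The "default policy" set carries no CommandLine field,
# mirroring an audit policy that has not been tuned for extra detail.
DEFAULT_POLICY_EVENTS: List[Event] = [
    {"EventID": 4688, "SubjectUserName": "jdoe",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 4688, "SubjectUserName": "jdoe",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 4688, "SubjectUserName": "svc-backup",
     "ParentProcessName": r"C:\Windows\System32\services.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

# The same constructed records after tuning: each now carries a CommandLine.
TUNED_POLICY_EVENTS: List[Event] = [
    {**DEFAULT_POLICY_EVENTS[0],
     "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand <base64-placeholder>"},
    {**DEFAULT_POLICY_EVENTS[1],
     "CommandLine": r"notepad.exe C:\Users\jdoe\notes.txt"},
    {**DEFAULT_POLICY_EVENTS[2],
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


def _basename(path: object) -> str:
    """Lower-cased file name from a Windows path."""
    return str(path).rsplit("\\", 1)[-1].lower()


@dataclass(frozen=True)
class Hunt:
    name: str
    technique: str                 # ATT&CK technique id the hunt is mapped to
    required_fields: FrozenSet[str]  # fields the data source must supply
    predicate: Callable[[Event], bool]


# Two hypothetical hunts (assumed for the example). PowerShell accepts
# prefixes of -EncodedCommand, so any token starting with "-enc" is matched.
HUNTS: List[Hunt] = [
    Hunt("encoded_powershell", "T1059.001",
         frozenset({"EventID", "NewProcessName", "CommandLine"}),
         lambda e: e["EventID"] == 4688
         and _basename(e["NewProcessName"]) == "powershell.exe"
         and any(tok.lower().startswith("-enc") for tok in str(e["CommandLine"]).split())),
    Hunt("office_spawns_shell", "T1204.002",
         frozenset({"EventID", "ParentProcessName", "NewProcessName"}),
         lambda e: e["EventID"] == 4688
         and _basename(e["ParentProcessName"]) in OFFICE_APPS
         and _basename(e["NewProcessName"]) in SHELLS),
]


def available_fields(events: List[Event]) -> Set[str]:
    """Union of field names actually present in the collected data."""
    fields: Set[str] = set()
    for e in events:
        fields.update(e.keys())
    return fields


def coverage_report(hunts: List[Hunt], events: List[Event]) -> Dict[str, Set[str]]:
    """Map each hunt to the fields the data source lacks; an empty set means covered."""
    have = available_fields(events)
    return {h.name: set(h.required_fields - have) for h in hunts}


def run_hunt(hunt: Hunt, events: List[Event]) -> List[Event]:
    """Run one hunt hypothesis; refuse to run silently against a blind spot."""
    missing = hunt.required_fields - available_fields(events)
    if missing:
        raise ValueError(f"{hunt.name}: data source lacks {sorted(missing)}; tune the audit policy")
    return [e for e in events if hunt.predicate(e)]


def promote(hunt: Hunt, events: List[Event], min_hits: int = 1) -> Optional[dict]:
    """Promotion step: a hunt that surfaces activity worth investigating is handed
    to the monitoring team as a scheduled query spec; otherwise it stays a hunt."""
    hits = run_hunt(hunt, events)
    if len(hits) < min_hits:
        return None
    return {"query": hunt.name, "technique": hunt.technique,
            "fields": sorted(hunt.required_fields),
            "schedule": "every 15 minutes", "owner": "monitoring"}


if __name__ == "__main__":
    print("blind spots at default detail:", coverage_report(HUNTS, DEFAULT_POLICY_EVENTS))
    print("blind spots after tuning:     ", coverage_report(HUNTS, TUNED_POLICY_EVENTS))
    for hunt in HUNTS:
        print(hunt.name, "->", promote(hunt, TUNED_POLICY_EVENTS))
```

Run against the default-detail records, `coverage_report` flags `encoded_powershell` as a blind spot because `CommandLine` is never collected, while `office_spawns_shell` can already run; after tuning, both hunts run and each returns a promotable query spec. The refusal in `run_hunt` is deliberate: a hunt that quietly returns zero hits on data that could never have matched is the pitfall the text warns about.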