When most people think of threat hunting, they think of uncovering unknown threats. Would you believe me if I told you that is only ONE of many (better) reasons to show value with threat hunting?
The PEAK Threat Hunting Framework incorporates three distinct hunt types: hypothesis-driven, baseline and model-assisted threat hunts. Each hunt type follows a three-stage process: Prepare, Execute, and Act. Each phase of a hunt also integrates Knowledge, which together make up the PEAK acronym (Prepare, Execute, and Act with Knowledge).
Through all your preparing, executing and acting, you are learning about your environment and a specific threat. With all this work being put in, you have new insight that needs to be shared. This is where the “Knowledge” aspect of the PEAK Threat Hunting Framework really shines and where you can reap the most benefits with threat hunting. You take that insight and build new detections, find data gaps, or even new hunt ideas.
(This article is part of our PEAK Threat Hunting Framework series. Explore the framework to unlock happy hunting!)
Taking your hunting knowledge and creating key deliverables is where you, as a hunter, can show the impact of your work. Each threat hunt you perform can have the deliverables listed below as options for outputs. These are key to measuring your hunting success and ensuring you are maturing your hunt program.
First and foremost, you may find suspicious activity your automated detections missed when you are digging through events as part of the Execute phase. Anything like this should be escalated immediately to your SOC!
When you escalate a finding, make sure to triage the suspicious activity first. This will help your SOC get a head start on the investigation PLUS keep a good relationship with your fellow teams. Triage could be as simple as gathering user, host, and surrounding activity information. Anything you can do to help support your case will be beneficial for the SOC to investigate quickly.
As you progress through your hunt, take notes about:
- What you're doing
- Why you’re doing it
- Any findings along the way
Details matter. Someone other than you should be able to recreate your results. This detail is extremely important when it comes to acting on the hunt. Queries executed, data results, and even screenshots are quite helpful when going back through what took place over the course of your hunt — whether for re-hunting or training up new threat hunters.
Take action on this documentation and write up an executive summary of everything you did during your hunt. Be sure to include:
- Any key findings
- Whether you proved or disproved your hypothesis
Take your work even further and develop a Knowledge Base article or Wiki pages to share with your teams. These can be a great way to ensure all of your key hunt findings and knowledge is captured in a repository, which can be shared out.
New and Improved Detections
One of the biggest ways you can make an impact is to improve your automated detection using what you found during a hunt. As you execute a hunt, you are figuring out how to find the exact malicious activity your hunt is scoped around. These methods are specifically developed based on your environment and knowledge, thus providing additional value over out-of-the-box detections. The types of detections you create may vary and don’t always have to be signatures. Use the PEAK’s Hierarchy of Detection Outputs to determine what the best fit is as a detection output.
Outside of brand new detection ideas, look for ways to improve existing detections. This ensures you make the most out of what you already have in place.
Gaps and Risks
Threat hunting provides insight into what’s going on in our environment. You look through the data and baseline activity in your organization. As part of this, you may come across gaps in your people, processes, tools, or data. These gaps could be large risks that your company is taking, potentially without knowing! Examples of this could be:
- A particular data source is missing an event type that is valuable for monitoring.
- Multi-factor authentication (MFA) is not turned on in your organization.
Similar to reporting threats, share these newly identified gaps and risks with the appropriate stakeholders for remediation.
One of the most difficult challenges with threat hunting is staying in scope. Often you come across intriguing events that lead you down a rabbit hole of an investigation. Watch out for scope creep! Any out of scope hunting will impact your hunt timeline.
In order to hunt efficiently, you may need to revise your hunt hypothesis to make the hunt more feasible. Even though you adjust the hunt scope, you don’t want to overlook the out of scope work. Take those additional hunt ideas and include them in your hunt backlog for future execution.
Stakeholder Reports and Briefings
Before you wrap the Act phase of your hunt, take your findings and share it with your teams. Teaching others what you have learned as part of your hunt will help maximize the value and give them information they can apply to their roles. Schedule technical readouts with all your blue team functions:
- Threat Hunt
- Detection Engineering
- Threat Intelligence
- Incident Response
Make sure you don’t forget to include the owners or administrators of the tools and logging you’ve been hunting in. For example, if you were hunting around a high-priority web application, then include the data owners, application owners, and administrators of the applications and the system(s) it runs on. This action empowers you to share your knowledge and allows for time to gather feedback on your work. Engaging in talks with your fellow teams could potentially spark new ideas for hunts or detections!
Want to really show your value and impact to the organization? Schedule an executive readout with your leadership teams. This gives them a closer look at how threat hunting is beneficial and positively impacting. Highlight whether you proved or disproved the hunt, and any key findings worth sharing.
Another option is to do a highlight reel of recent hunts, quarterly if that is more feasible. This could be presented as a readout or an email that shares the most recent wins for the team. This helps shine a light on all your hard work and ensures stakeholders are taking action on your findings.
While there are many options for deliverables of hunts, not all outputs will apply for each hunt. Each hunt is unique and will look different. Don't let this list limit you! Hunt outputs can take all types of forms.
Regardless of the hunt outcome, you gained a lot of knowledge. Anytime you share that knowledge, you improve your organization's security posture and show the value of your hunting — after all, knowledge is power!