Threat hunting has become an essential feature of modern security programs, but when was the last time you stopped to ask, “Why?” When hunting emerged, most organizations used it to discover incidents that their automated detection systems missed. However, as hunting has matured, we’ve come to realize that its impact goes far beyond just finding security incidents.
Basecamp: Finding incidents
In the early days of threat hunting, the goal was to identify security incidents that slipped past automated detection systems. Even sophisticated detection platforms could only identify malicious activity that they had been designed to look for. Since humans can detect patterns that machines can’t, hunters would pore over data to find malicious activities that didn’t trigger alerts. Any incidents uncovered through hunting were considered bonus finds.
While finding new incidents is still an essential part of threat hunting, treating hunting as a human-powered detection platform is expensive and time-consuming. To find the same type of activity again in the future, hunters must repeat their hunts. The more hunts they repeat, the fewer new hunts they can develop. Repeatedly performing the same few hunts quickly bogs down the entire hunting program.
Even worse, if your goal is simply to find incidents, you measure the success of your program by the number of incidents you opened during your hunt. This is a shortsighted metric since there’s no way to ensure that threat actors are exhibiting the specific behaviors you’re looking for during the period in which you’re hunting them. In fact, it’s common for a hunt to complete without finding a single incident — but that doesn’t mean it failed.
Up the slope: Improving detection
While unearthing new incidents provides value, there are more impactful reasons to hunt. Savvy hunting programs eventually realized that their goal was not only to find incidents but also to uncover better ways to detect these malicious behaviors automatically.
As hunters look for malicious behaviors, they find new ways to detect them that the organization never had before. Even if no malicious examples were present during the hunt, they can often show that they would have detected it had it been present at the time. Turning these hunts into automated detection, therefore, became a driver for continuous improvement in the organization’s ability to detect malicious activity.
The summit: Improving security posture
Modern threat hunting leaders are beginning to understand that there’s an even more strategic reason to hunt: continuously improving security posture throughout their entire organization. Hunters routinely pore through data that no one else is looking at, or they look at popular data in new ways. This not only leads them to unique insights but also to unique views of the organization’s security shortcomings. In addition to improving automated detection, hunting also provides a mechanism to identify gaps in visibility, tooling, or team capabilities that hinder security. By reporting these gaps and driving remediation, hunting enhances resilience across all security functions, not just detection.
Essential for PEAK performance: a new framework
The new vendor-agnostic PEAK Threat Hunting Framework from SURGe is designed to foster continuous improvement through hunting. It provides detailed processes for different types of hunts, guidance on creating detections and other deliverables, and metrics focused on telling the story of hunting's impact on an organization’s overall security.
Each PEAK hunt encapsulates findings into deliverables that improve security. For example, hunters create new detections or improve existing ones so you can find more threats automatically. Identified visibility gaps or misconfigurations are tracked to resolution, enhancing capabilities and hardening systems. Activity baselines provide knowledge to augment people and processes across the security organization.
PEAK defines several key metrics to help you tell the story of your security impact. These include:
- The number of new detections created or improved: This quantifies the improvement your hunt made to the organization’s ability to detect malicious activity automatically.
- The number of incidents opened as a result of a hunt or the detections resulting from a hunt: While most teams already track the number of incidents they open during a hunt, tracking the number opened later as a result of new or updated detections from hunting is a great way to show the long-term impact of hunting. These are incidents that you otherwise would never have noticed.
- Visibility gaps, misconfigurations, and vulnerabilities identified and closed: These show the concrete steps your organization took to harden itself against attack, discovered due to hunting.
Consistently tracking these metrics over time demonstrates the true impact of a mature hunting program.
Realizing the full potential
While finding unknown threats remains valuable, modern threat hunting has moved beyond this limited view. Leading hunt teams realize that continuous security improvement across the organization is the pinnacle of threat hunting success. The PEAK framework provides the methodology and metrics to unlock hunting's full potential.
Want to take your hunting program's impact to the next level? Download our complimentary PEAK ebook today.
