Many organizations are quickly discovering that threat hunting is the next step in the evolution of the modern SOC, but they remain unsure of how to start threat-hunting or how far along they are in developing their own hunt capabilities. So, the question is --How can you quantify where your organization stands on the road to effective hunting?
Here, we will discuss a general model that can map threat-hunting maturity across any organization.
What is Threat Hunting?
It the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions.
It is not something which can be automated fully. Instead, Threat Hunting is more 'manual' or 'Machine-assisted'. In fact, one of the chief goals of hunting should be to improve your automated detection capabilities by prototyping new ways to detect malicious activity and turning those prototypes into production detection capabilities.
Hunting Maturity Model
There are three factors to consider when judging an organization’s hunting ability:
-
The quantity and quality of the data they collect;
-
In what ways they can visualize and analyze various types of data;
-
What kinds of automated analytic they can apply to data to enhance analyst insights
Evaluation is needed in any methodological operation to evaluate the maturity of your threat hunting you can use the “Hunting Maturity Model (HMM)” which gives you a set level to help you locate your enterprise threat hunting model posture according to four levels:
-
Level 0: Initial
-
Level 1: Minimal
-
Level 2: Procedural
-
Level 3: Innovative
-
Level 4: Leading
HM0 — Initial
At HM0, an organization relies primarily on automated alerting tools such as IDS, SIEM or antivirus to detect malicious activity across the enterprise. They may incorporate feeds of signature updates or threat intelligence indicators, and they may even create their own signatures or indicators, but these are fed directly into the monitoring systems. The human effort at HM0 is directed primarily toward alert resolution.
HM0 organizations also do not collect much information from their IT systems so their ability to proactively find threats is severely limited. Organizations at HM0 are not considered to be capable of hunting.
HM1 — Minimal
An organization at HM1 still relies primarily on automated alerting to drive their incident response process, but they are actually doing at least some routine collection of IT data. These organizations often aspire to intel-driven detection (that is, they base their detection decisions in large part upon their available threat intelligence). They often track the latest threat reports from a combination of open and closed sources.
HM1 organizations routinely collect at least a few types of data from around their enterprise into a central location such as a SIEM or log management product. Some may actually collect a lot of information. Thus, when new threats come to their attention, analysts are able to extract the key indicators from these reports and search historical data to find out if they have been seen in at least the recent past.
Because of this search capability, HM1 is the first level in which any type of hunting occurs, even though it is minimal.
HM2 — Procedural
If you search the Internet for hunting procedures, you will find several great ones. These procedures most often combine an expected type of input data with a specific analysis technique to discover a single type of malicious activity (e.g., detecting malware by gathering data about which programs are set to automatically start on hosts). Organizations at HM2 are able to learn and apply procedures developed by others on a somewhat regular basis, and may make minor changes, but are not yet capable of creating wholly new procedures themselves.
Because most of the commonly available procedures rely in some way on least-frequency analysis (as of this writing, anyway), HM2 organizations usually collect a large (sometimes very large) amount of data from across the enterprise.
HM2 is the most common level of capability among organizations that have active hunting programs.
HM3 — Innovative
HM3 organizations have at least a few hunters who understand a variety of different types of data analysis techniques and are able to apply them to identify malicious activity. Instead of relying on procedures developed by others (as is the case with HM2), these organizations are usually the ones who are creating and publishing the procedures. Analytic skills may be as simple as basic statistics or involve more advanced topics such as linked data analysis, data visualization or machine learning. The key at this stage is for Analysts to apply these techniques to create repeatable procedures, which are documented and performed on a frequent basis.
Data collection at HM3 at least as common as at HM2, if not more advanced.
HM3 organizations can be quite effective at finding and combating threat actor activity. However, as the number of hunting processes they develop increases over time, they may face scalability problems trying to perform them all on a reasonable schedule unless they increase the number of available analysts to match.
HM4 — Leading
An HM4 organization is essentially the same as one at HM3, with one important difference: automation. At HM4, any successful hunting process will be operationalized and turned into automated detection. This frees the analysts from the burden of running the same processes over and over, and allows them instead to concentrate on improving existing processes or creating new ones.
HM4 organizations are extremely effective at resisting adversary actions. The high level of automation allows them to focus their efforts on creating a stream of new hunting processes, which results in constant improvement to the detection program as a whole.
-
Guys, what do you think of this post on Hunting Maturity Model?
Kindly leave me your thoughts in the comment section.
This Article Was Written & published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...
She is so obsessed with Cybersecurity domain that she is going out of her way and sharing hugely valuable posts and writings about Cybersecurity on website, and social media platforms.
30,000+ professionals are following her on Facebook and mesmerized by the quality of content of her posts on Facebook.
If you haven't yet been touched by her enthusiastic work of sharing quality info about Cybersecurity, then you can follow her on Facebook:
Click Here to follow her: Cybersecurity PRISM