How to Set Up a Threat Hunting and Threat Intelligence Program

Threat hunting is an essential component of your cybersecurity strategy. Whether you’re just starting out or at an advanced stage, this article will help you grow your threat intelligence program.

What is threat hunting?

The cybersecurity industry is moving from a reactive to a proactive approach. Instead of waiting for cybersecurity alerts and then addressing them, security organizations are now deploying red teams to actively look for breaches, threats and risks, so they can be isolated. This is also known as “threat hunting”.

Why is threat hunting necessary?

Threat hunting complements existing prevention and detection security controls. These controls are essential to mitigating threats. However, they are optimized for low false positive alerts. Hunting solutions, on the other hand, are optimized for low false negatives. This means that anomalies and outliers that are considered false positives for detection solutions are solution hunting tracks, to be investigated. This enables threat hunting to close existing gaps between detection solutions. A strong security strategy will use both types of solutions. Tal Darsan, manager of security services at Cato Networks, adds, “Overall, threat hunting is crucial because it enables organizations to proactively identify and address potential security threats before they can cause significant damage. Studies recent studies show that the waiting time for a threat in an organization’s network until the threat actor reaches its final objective could last for weeks or months. Therefore, having an active program of Threat Hunter can help quickly detect and respond to cyber threats that other security engines or products miss.”

How to threaten the hunt

A threat hunter will start by doing an in-depth investigation of the network and its vulnerabilities and risks. To do this, they will need a wide variety of technology security skills, including malware analysis, memory analysis, network analysis, host analysis, and offensive skills. Once their research obtains a “purpose”, they will use it to challenge existing security assumptions and try to identify how the resource or system can be breached. To prove/disprove their hypothesis, they will conduct iterative hunting campaigns.

If they “succeed” in the breach, they could help the organization develop methods to detect and fix the vulnerability. Threat hunters can also automate some or all of this process, so it can scale.

Tal Darsan adds “MDR (Managed Detection and Response) Teams play a critical role in achieving effective threat research by providing expertise and specialized tools to monitor and analyze potential security threats. Hiring an MDR service provides organizations with expert cybersecurity support, advanced technology, 24/7 monitoring, rapid incident response, and cost effectiveness. MDR service providers have specialized expertise and use advanced tools to detect and respond to potential threats in real time.”

Where to look for threats

A good threat hunter must become an Open Source Intelligence (OSINT) expert. By searching online, threat hunters can find malware kits, breach lists, customer and user accounts, zero-days, TTPs and more.

These vulnerabilities can be found on the clear web, meaning the widely used public Internet. Also, a lot of valuable information is actually found on the deep web and dark web, which are the layers of the internet below the light web. When entering the dark web, it is recommended to carefully mask your identity; otherwise, you and your company could be at risk.

It is recommended to spend at least half an hour a week on the dark web. However, because it’s hard to find vulnerabilities in them, most of what you identify will likely be from deep and clear networks.

Considerations for your threat intelligence program

Setting up a threat intelligence program is an important process, not to be taken lightly. Therefore, it is essential to thoroughly research and plan the program before starting implementation. Here are some considerations to keep in mind.

1. “Crown Jewel” thought.

When creating your threat hunting strategy, the first step is to identify and protect your own crown jewels. What constitutes mission-critical assets differs from organization to organization. Therefore, no one can define them.

Once you’ve decided what they are, use a purple team to test if and how they can be accessed and breached. By doing this, you can see how an attacker would think about being able to put security controls in place. Continually verify these controls.

2. Choose a threat hunting strategy

There are many different threat hunting strategies you can implement in your organization. It is important to ensure that your strategy meets the requirements of your organization. Examples of strategies include:

• Build a wall and block access completely, to ensure everything related to initial access and execution is blocked
• Build a minefield if you assume the threat actor is already inside your network
• Prioritize where to start according to the MITER framework

3. When to use Threat Intelligence Automation

Automation drives efficiency, productivity and error reduction. However, automation is not necessary for threat hunting. If you decide to automate, we recommend that you ensure:

• Have staff to develop, maintain and support the tool/platform
• Have completed basic crown jewel identification and security cleaning. Preferably, automate when you reach an advanced maturity level
• That the processes are easily repeatable
• You can closely monitor and optimize automation so that it continues to deliver relevant value

The threat hunting maturity model

Like any other implemented business strategy, there are various levels of maturity that organizations can reach. For threat hunting, the different stages include:

• Stage 0: Response to security alerts
• Stage 1 – Incorporation of threat intelligence indicators
• Stage 2 – Data analysis according to procedures created by others
• Stage 3 – Creation of new data analysis procedures
• Stage 4 – Automation of most data analysis procedures

Threat Intelligence Best Practices

Whether you’re building your program from scratch or iterating to improve your existing one, here are best practices that can help you scale up your threat hunting activities:

1. Define what is important

Determine the important assets in your threat space. Consider the “crown jewel” thinking that recommends creating an inventory of your mission-critical assets, checking the risk landscape—how they can be breached—and then protecting them.

2. Automate

Automate as many processes as you can, if you can. If you can’t, that’s okay too. You will get there as you get more mature.

3. Build your network

Protecting yourself from cyber attacks is very difficult. You can never be wrong, while attackers only have to succeed once. Also, they don’t follow any rules. That’s why it’s important to build your network and get (and provide) information from other actors and stakeholders in the sector. This network should include colleagues from other companies, influencers, online groups and forums, your company’s employees from other departments, leadership and suppliers.

4. Think like a criminal and act like a threat actor

Threat hunting means moving from a reactive to a proactive mindset. You can encourage this thinking by looking at threat intelligence, tracking groups, testing tools, and leveraging Purple Teaming for testing. While this may seem counterintuitive, keep in mind that this is how you protect your organization. Remember it’s either you or you’re the attacker.

To learn more about the different types of cybersecurity practices and how to leverage them to protect your organization, The Cato Networks Cyber ​​Security Masterclass Series is available for your viewing.

Did you find this article interesting? Follow us at Twitter  and LinkedIn to read more exclusive content we publish.