A threat hunting team is better enabled when it is given the time and the interest to focus on what it wants to hunt.
Speaking at the SANS Institute Threat Hunting and IR Europe conference in London, David Bianco, principal engineer, cybersecurity, and Cat Self, lead information security analyst, both at Target, explained how the company's threat hunting team has evolved.
Bianco said that Target had the idea to develop the threat hunting team “into something more modern, as we had the same program for several years.”
Looking at the existing program, the company asked what was working well, what was not working as well, and what else could be accomplished. Self said that by working with level 1 and level 2 analysts, and engaging them on what frustrated them and what they would like to change, they were able to identify three ways to improve the threat hunting effort:
- Program focus – change focus to align with what Target needed the program to do
- Operational consistency – so they know how things are running
- Hunt topic strategy – to gain a layer of strategy on top of hunting
“The program was created to find new incidents that had been missed,” Bianco added, saying that over time the focus of the program had shifted from finding incidents and ensuring visibility to being a source of knowledge transfer between SOC analysts.
He said that human-scale detection cannot be relied upon, and the “number one goal was to tweak the focus from finding incidents to figuring out how to do better at automated detection.”
Self also said that an analyst would determine and research a topic, as well as carry out the associated work and write-up, on top of their full-time job, and that this was being done for one week in every eight-week cycle. “It was asking too much to do all the work,” she said.
Bianco said the concept was changed to include a mix of long-term projects and special requests, as well as asking the analysts what they wanted to hunt on.
They concluded by recommending a working strategy that includes hiring threat hunters, allowing them time to prepare, and hunting effectively to find what is not known and not being exploited, while avoiding “hitting everyone everywhere.”