Building a Successful Threat Hunting Program


Transcript of Building a Successful Threat Hunting Program

Page 1: Building a Successful Threat Hunting Program

E16-SPGC. This document does not contain technology or Technical Data controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations.

Copyright. Unpublished Work. Raytheon Company. Customer Success Is Our Mission is a registered trademark of Raytheon Company.

[Proactive Security] Building a Threat Hunting Program

Presented by: Carl Manion, Managing Principal

Page 2: Building a Successful Threat Hunting Program


Proactive Threat Hunting

• Proactive threat hunting is the iterative search through networks and datasets to detect and respond to advanced threats that evade traditional rule- or signature-based security controls.

• Threat hunting combines threat intelligence, analytics, and automated security tools with human expertise; the tools surface data, the analyst decides what it means.

• Rather than waiting for a breach to announce itself, proactively scout for and hunt down attackers and malicious activity already on your networks.

Page 3: Building a Successful Threat Hunting Program


THREAT HUNTING PROGRAM | Key Components

1) Starts with Visibility.

2) Tools and Automation are important.

3) Training is critically important.

4) Requires skilled, experienced analysts, engineers, and incident responders.

5) Metrics are important.

6) Intelligence is more than a buzzword.

[Diagram: the six components arranged as a cycle: 1 Visibility, 2 Tools, 3 Training, 4 Talent, 5 Metrics, 6 Intelligence]

Page 4: Building a Successful Threat Hunting Program


THREAT HUNTING PROGRAM | Visibility

• Network traffic, hosts, endpoints, logs, threats

• Must be able to easily pivot between data sources and build timelines

• Hunting can be time consuming, so data access and query performance must be part of your key considerations

• Investigation directly supports detection and response
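The "pivot and build timelines" requirement above is easier to judge with something concrete, so here is an added example (it is not code from the slides or from Raytheon). It normalises three constructed telemetry sources (Sysmon-style process events, a proxy CSV export, and a simplified syslog line for a Windows logon event) into one event schema, builds a time-ordered timeline for one host, and pivots on the user to find every other host that user touched. All sample records, hostnames, users and IPs are constructed for the example, and the syslog format (the TargetHost= and SourceIP= fields, and the assumed year 2023 for the year-less syslog timestamp) is an assumption of the example, not a real product format.

```python
"""Added example (not from the slides): normalise three constructed log
sources into one schema, then build a host timeline and pivot on the user."""
import csv
import io
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class Event:
    ts: datetime          # always UTC, so sources sort against each other
    source: str           # which telemetry produced it
    host: str
    user: Optional[str]
    summary: str          # one-line, analyst-readable description


# --- constructed sample data (not real telemetry) ---------------------------
SYSMON_JSON = [  # EDR/Sysmon-style process creation events
    {"UtcTime": "2023-05-03 14:02:11", "Computer": "ws-017", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Users\\Public\\x.dll,Start"},
    {"UtcTime": "2023-05-03 14:02:40", "Computer": "ws-017", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\net.exe",
     "CommandLine": "net use \\\\fs-01\\share"},
]
PROXY_CSV = (
    "ts,src_host,user,dst,bytes_out\n"
    "2023-05-03T14:02:15Z,ws-017,jdoe,203.0.113.7:443,2048\n"
    "2023-05-03T14:05:02Z,ws-017,jdoe,203.0.113.7:443,1048576\n"
)
AUTH_SYSLOG = [  # simplified, constructed syslog rendering of Windows 4624 logons
    "May  3 14:02:38 dc-01 Security: EventID=4624 LogonType=3 TargetUser=jdoe TargetHost=fs-01 SourceIP=10.1.2.17",
    "May  3 14:03:10 dc-01 Security: EventID=4624 LogonType=3 TargetUser=jdoe TargetHost=fs-02 SourceIP=10.1.2.17",
]


def parse_sysmon(records) -> List[Event]:
    out = []
    for r in records:
        ts = datetime.strptime(r["UtcTime"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        user = r["User"].split("\\")[-1].lower()          # drop the DOMAIN\ prefix
        out.append(Event(ts, "edr", r["Computer"].lower(), user, f"process {r['CommandLine']}"))
    return out


def parse_proxy(text: str) -> List[Event]:
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        out.append(Event(ts, "proxy", row["src_host"].lower(), row["user"].lower(),
                         f"https to {row['dst']} ({row['bytes_out']} bytes out)"))
    return out


AUTH_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ .*EventID=(\d+) LogonType=(\d+) "
                     r"TargetUser=(\S+) TargetHost=(\S+)")


def parse_auth(lines, year: int = 2023) -> List[Event]:
    """Syslog timestamps carry no year; the caller supplies it (assumption: 2023)."""
    out = []
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        out.append(Event(ts, "auth", m.group(5).lower(), m.group(4).lower(),
                         f"logon type {m.group(3)} (event {m.group(2)})"))
    return out


def build_timeline(events: List[Event], host: str) -> List[Event]:
    """Everything known about one host, in time order, regardless of source."""
    return sorted((e for e in events if e.host == host), key=lambda e: e.ts)


def pivot_hosts(events: List[Event], user: str) -> List[str]:
    """Pivot from a user to every host they touched (the lateral-movement question)."""
    return sorted({e.host for e in events if e.user == user})


def render(timeline: List[Event]) -> List[str]:
    return [f"{e.ts:%H:%M:%S} [{e.source:5}] {e.host} {e.user or '-'} {e.summary}" for e in timeline]


ALL_EVENTS = parse_sysmon(SYSMON_JSON) + parse_proxy(PROXY_CSV) + parse_auth(AUTH_SYSLOG)

if __name__ == "__main__":
    for line in render(build_timeline(ALL_EVENTS, "ws-017")):
        print(line)
    print("pivot on jdoe ->", pivot_hosts(ALL_EVENTS, "jdoe"))
```

The point of the exercise is the normalisation step: once every source carries a UTC timestamp, a host and a user in the same shape, the rundll32 execution, the outbound HTTPS burst and the network logons to two file servers line up on one timeline within three minutes, which no single source shows on its own. In a real SIEM or data lake the same work is done by the parsing and field-naming layer; if that layer is missing or inconsistent, the "easy pivot" the slide asks for is not possible.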

Page 5: Building a Successful Threat Hunting Program


THREAT HUNTING PROGRAM | Tools & Automation

• SIEM

• NMS / IDS / IPS

• EDR

• Threat "Intelligence" feeds / platform / services

• SOC orchestration / workflow automation

• Overall, this requires platforms more than tools; let the smart humans define what they need to see

Page 6: Building a Successful Threat Hunting Program


THREAT HUNTING PROGRAM | Training

• Define the results for the skills or capabilities you hope to attain

• Outline training plans / topics / objectives; align with threat hunting strategy and plans

• Mentoring / teaming / on-the-job training (OJT)

• Informal training counts too!

• List job/role-related training expectations of staff

• Remember to account for training costs, timeframes, and schedules

Page 7: Building a Successful Threat Hunting Program

THREAT HUNTING PROGRAM | Skills (Talent)

• Well-rounded individuals

• Driven / motivated to learn

• Analytical mind, able to apply concepts and approaches to a variety of different toolsets

• Able to think like an adversary; can transition between defensive and offensive mindsets

• Train, train, train!

Responds to Alarms. Searches for Clues.

Page 8: Building a Successful Threat Hunting Program

THREAT HUNTING PROGRAM | Metrics

Examples:

• Attack "Dwell Time"
  – What is it? The lifespan of an attack: how long the attacker was in your environment.
  – Why it matters: The longer the attacker has to operate in your environment, the more damage they can do.
  – The goal is to reduce dwell time as much as possible, so attackers do not have time to move laterally and exfiltrate critical data.

• Mean Time to Detection (MTTD)
  – What is it? The mean (average) time it takes to detect malicious or anomalous activity within an environment.
  – Why it matters: Identifying and containing an attacker as quickly as possible is of paramount importance to minimize damage.

Focus Areas To Reduce Dwell Time:
1. Fundamental security controls
2. Granular visibility and correlated intelligence
3. Continuous endpoint monitoring
4. Actionable prediction of human behavior
5. User awareness (user behavior analysis)
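To make the two metrics on this slide measurable, here is an added example (not code from the slides or from Raytheon) that computes them from constructed incident records. It uses the definitions implied by the slide: time to detect runs from the earliest attacker activity the investigation could evidence to the moment it was flagged, and dwell time runs from that same first activity to containment, so dwell time is time to detect plus time to contain. The incident records, dates and the "alert"/"hunt" classification are constructed; the median is reported next to the mean because a single long-running intrusion dominates the mean, and the share of incidents found by hunting is included as the metric that shows whether the program itself is paying off.

```python
"""Added example (not from the slides): dwell time and mean time to detection
from constructed incident records, with the median beside the mean."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median
from typing import Dict, List


@dataclass
class Incident:
    name: str
    first_activity: datetime  # earliest attacker activity the investigation could evidence
    detected: datetime        # first time the activity was flagged (alert or hunt)
    contained: datetime       # when attacker access was cut off
    found_by: str             # "alert" (reactive) or "hunt" (proactive)


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample records; INC-2 is the slow-burn intrusion that a hunt found.
INCIDENTS: List[Incident] = [
    Incident("INC-1", _t("2023-01-03 09:15"), _t("2023-01-03 11:40"), _t("2023-01-03 14:00"), "alert"),
    Incident("INC-2", _t("2022-12-20 02:30"), _t("2023-01-18 16:05"), _t("2023-01-19 10:30"), "hunt"),
    Incident("INC-3", _t("2023-02-10 22:10"), _t("2023-02-11 08:00"), _t("2023-02-11 09:30"), "alert"),
]


def time_to_detect(i: Incident) -> timedelta:
    return i.detected - i.first_activity


def time_to_contain(i: Incident) -> timedelta:
    return i.contained - i.detected


def dwell_time(i: Incident) -> timedelta:
    # Dwell = time to detect + time to contain: the whole window the attacker had.
    return i.contained - i.first_activity


def _hours(td: timedelta) -> float:
    return td.total_seconds() / 3600


def program_metrics(incidents: List[Incident]) -> Dict[str, float]:
    ttd = [_hours(time_to_detect(i)) for i in incidents]
    dwell = [_hours(dwell_time(i)) for i in incidents]
    return {
        "mttd_hours": mean(ttd),                 # the slide's MTTD
        "median_ttd_hours": median(ttd),         # robust to one long-dwell outlier
        "mean_dwell_hours": mean(dwell),
        "max_dwell_hours": max(dwell),           # the worst case is what the board asks about
        "hunt_found_pct": 100.0 * sum(i.found_by == "hunt" for i in incidents) / len(incidents),
    }


if __name__ == "__main__":
    for k, v in program_metrics(INCIDENTS).items():
        print(f"{k:>18}: {v:10.1f}")
```

Two caveats a practitioner would attach to these numbers: first_activity is only as early as your telemetry and retention allow, so poor visibility (slide 4) makes dwell time look shorter than it was; and the mean is pulled to about 241 hours by the one intrusion that sat for a month while the median stays under 10 hours, so report both, and track the hunt-found percentage separately as evidence that hunting, not alerting, is closing the gap.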

Page 9: Building a Successful Threat Hunting Program

THREAT HUNTING PROGRAM | Intelligence

The use of information collection and analysis to provide guidance and direction to threat hunters in support of their theories and decisions.

• A buzzword within the industry; it covers a wide range (from malware analysis to traffic monitoring, to open source, to specific information from solution vendors, etc.)

• The more granular, the better (you need IPs, protocols, port numbers, domain names, URLs, etc.)

• Must be updated regularly (it must be valid, relevant and timely)

• Must have context to be actionable and to provide value to your threat hunting

• Helps maximize the effectiveness of your security resources by letting them focus their time on the highest-risk areas and highest-priority events

• Focus more on TTPs and trends than on specific IoCs; think about how the activity may relate to known or ongoing attack campaigns
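Three of the bullets above (timely, with context, TTPs over IoCs) translate directly into code, so here is an added example that is not from the slides or from Raytheon. It keeps each indicator with its provenance, campaign context, confidence and a freshness window, refuses to match indicators that are stale or low-confidence, and runs a TTP-level check (an Office application spawning a script interpreter, a classic macro-delivery pattern) that needs no indicator at all. The indicators, campaign names, hosts and events are constructed; the IPs come from the documentation ranges and mean nothing.

```python
"""Added example (not from the slides): an indicator store that keeps
context and freshness, beside a TTP check that needs no indicator."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class Indicator:
    type: str            # "ip", "domain", "sha256", ...
    value: str
    source: str          # provenance: vendor feed, ISAC, own incident response
    campaign: str        # the context that makes a hit actionable
    confidence: int      # 0-100, as scored by the source
    last_seen: datetime  # last time the source saw it used maliciously
    ttl: timedelta       # how long after last_seen it is still worth matching on

    def is_current(self, now: datetime) -> bool:
        # Timeliness: abandoned infrastructure gets reused by benign tenants,
        # so an indicator past its window produces noise, not signal.
        return now <= self.last_seen + self.ttl


class IntelStore:
    def __init__(self, indicators: List[Indicator], min_confidence: int = 50):
        self._by_key = {(i.type, i.value): i for i in indicators}
        self.min_confidence = min_confidence

    def lookup(self, type_: str, value: str, now: datetime) -> Optional[Indicator]:
        ind = self._by_key.get((type_, value))
        if ind is None or not ind.is_current(now) or ind.confidence < self.min_confidence:
            return None
        return ind


NOW = datetime(2023, 5, 3, tzinfo=timezone.utc)
D = timedelta(days=1)

# Constructed indicators: one current, one stale, one low-confidence.
INDICATORS = [
    Indicator("ip", "198.51.100.23", "vendor feed", "campaign A (constructed)", 85, NOW - 10 * D, 30 * D),
    Indicator("ip", "203.0.113.9", "vendor feed", "campaign B (constructed)", 90, NOW - 400 * D, 90 * D),
    Indicator("ip", "192.0.2.77", "OSINT paste", "unknown", 20, NOW - 2 * D, 30 * D),
]
STORE = IntelStore(INDICATORS)

# TTP check: an Office application spawning a script host. No feed needed.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def office_spawns_script_host(e: Dict[str, str]) -> bool:
    return e.get("parent", "").lower() in OFFICE_APPS and e.get("image", "").lower() in SCRIPT_HOSTS


# Constructed events, one per host.
EVENTS = [
    {"host": "ws-101", "dst_ip": "198.51.100.23", "image": "chrome.exe", "parent": "explorer.exe"},
    {"host": "ws-102", "dst_ip": "203.0.113.9", "image": "chrome.exe", "parent": "explorer.exe"},
    {"host": "ws-103", "dst_ip": "192.0.2.77", "image": "outlook.exe", "parent": "explorer.exe"},
    {"host": "ws-104", "dst_ip": "10.0.0.5", "image": "powershell.exe", "parent": "WINWORD.EXE"},
]


def hunt(events: List[Dict[str, str]], store: IntelStore, now: datetime) -> List[Dict[str, str]]:
    findings = []
    for e in events:
        ind = store.lookup("ip", e.get("dst_ip", ""), now)
        if ind:
            findings.append({"host": e["host"], "kind": "ioc",
                             "detail": f"{ind.value}: {ind.campaign} via {ind.source}, confidence {ind.confidence}"})
        if office_spawns_script_host(e):
            findings.append({"host": e["host"], "kind": "ttp",
                             "detail": f"{e['parent']} spawned {e['image']}"})
    return findings


if __name__ == "__main__":
    for f in hunt(EVENTS, STORE, NOW):
        print(f)
```

Run against the four constructed events, only two findings come back: the current, high-confidence indicator on ws-101 (with the campaign and source attached so the hunter knows what to read next) and the TTP hit on ws-104, which no indicator would have caught. The stale indicator on ws-102 and the low-confidence paste on ws-103 are deliberately dropped; in a real feed those are the entries that consume analyst time without ever being valid, relevant and timely at once.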

Page 10: Building a Successful Threat Hunting Program

THREAT HUNTING PROGRAM | Risks

1) Too much reliance on "hunting tools" or any single data type:
   – Logs lie
   – Endpoint security tools miss things
   – Vendors can't fully automate hunting

2) Alert-centric workflows

3) Open-loop processes

4) Bias and fatigue (mix it up to keep the work interesting)

5) Failure to keep up with the latest news / intelligence

Page 11: Building a Successful Threat Hunting Program

THREAT HUNTING PROGRAM | Summary

• Comprehensive approach: network, host, and log data

• Cyclical / closed-loop approach: begin with a question, theory, or metric and work toward answering that question through research and proactive hunting.

• Build repeatable process workflows and queries back into your tools, through custom content, as you learn.

• Seek to reduce mean time to detection and response; find intrusions and compromises more quickly, and earlier in the cyber attack chain.

• Train. Change it up. Train some more. Repeat.

• Continuous learning; revisit investigations and hunting techniques!
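The "closed loop" in the summary (question, hunt, codify what you learned back into your tools) is shown end to end in the following added example, which is not code from the slides or from Raytheon. The hypothesis is that signed Windows binaries such as rundll32 and regsvr32 loading code from user-writable directories are rare and suspicious; the hunt query tests it over constructed Sysmon-style process events, a stack count shows how often each image appears so the rare ones float up, and the confirmed query is emitted as a rule in the open Sigma detection format so the SIEM carries it forward as custom content. Sigma is a real rule format, but the rule text, the sample events and the hostnames are all constructed for this example.

```python
"""Added example (not from the slides): one turn of the closed-loop hunt cycle,
from hypothesis to a Sigma rule, over constructed process events."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Constructed Sysmon-style process creation events (not real telemetry).
EVENTS: List[Event] = [
    {"host": "ws-004", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\upd.dll,Run"},
    {"host": "ws-011", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"host": "ws-021", "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 /s C:\Users\bob\AppData\Local\Temp\a.ocx"},
    {"host": "ws-030", "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"svchost.exe -k netsvcs"},
]

LOLBINS = ("\\rundll32.exe", "\\regsvr32.exe")
USER_WRITABLE = ("C:\\Users\\Public\\", "\\AppData\\Local\\Temp\\")


@dataclass
class Hunt:
    hypothesis: str                     # the question the hunt sets out to answer
    query: Callable[[Event], bool]      # the repeatable test of that question
    hits: List[Event] = field(default_factory=list)

    def run(self, events: List[Event]) -> List[Event]:
        self.hits = [e for e in events if self.query(e)]
        return self.hits


def lolbin_from_user_writable(e: Event) -> bool:
    image = e["Image"].lower()
    cmd = e["CommandLine"].lower()
    return image.endswith(tuple(s.lower() for s in LOLBINS)) and any(p.lower() in cmd for p in USER_WRITABLE)


def stack_count(events: List[Event], key: str = "Image") -> List[Tuple[str, int]]:
    """Least-frequency-of-occurrence stacking: rare values sort to the front."""
    counts = Counter(e[key].lower() for e in events)
    return sorted(counts.items(), key=lambda kv: kv[1])


def to_sigma(title: str, hunt: Hunt, level: str = "medium") -> str:
    """Codify a confirmed hunt as Sigma-format detection content (constructed rule)."""
    def yaml_list(items) -> str:
        return "".join(f"      - '{i}'\n" for i in items)   # single quotes keep backslashes literal
    return (
        f"title: {title}\n"
        "status: experimental\n"
        f"description: {hunt.hypothesis}\n"
        "logsource:\n  category: process_creation\n  product: windows\n"
        "detection:\n  selection:\n"
        f"    Image|endswith:\n{yaml_list(LOLBINS)}"
        f"    CommandLine|contains:\n{yaml_list(USER_WRITABLE)}"
        "  condition: selection\n"
        "falsepositives:\n  - Software installers that stage DLLs in user-writable paths\n"
        f"level: {level}\n"
    )


HUNT = Hunt("Signed Windows binaries (rundll32, regsvr32) loading code from user-writable paths",
            lolbin_from_user_writable)

if __name__ == "__main__":
    for e in HUNT.run(EVENTS):
        print("hit:", e["host"], e["CommandLine"])
    print("stack:", stack_count(EVENTS))
    print(to_sigma("LOLBin Loading Code From User-Writable Path (constructed example)", HUNT))
```

The loop closes at to_sigma(): the hunt's query and its hypothesis become the rule's detection block and description, so the next analyst does not repeat the hunt by hand and the SOC's alerting inherits what the hunter learned. The falsepositives entry is the part most often skipped and the part that keeps the rule from being tuned out a month later.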

Page 12: Building a Successful Threat Hunting Program

05/03/2023