
How to Build a Threat-Hunting Tool in 10 Steps

Introduction

If you are planning on building your own threat-hunting tool but don’t know where to start, this could be just the article for you. We will look at the specific steps you need to follow when building a threat-hunting tool of your own. Every environment is different, and the tool requirements will vary with each organization’s exposure to threats, but there are important commonalities that we can focus on.

The ideal threat-hunting tool should be able to analyze vast amounts of data, especially system logs and system analytics. There are many different application suites out there that can do exactly that, ranging from free and open-source projects all the way to enterprise-grade products that cost thousands of dollars. Whichever route you decide to take, you will have to factor in costs and functionality that will suit your particular needs.

Deciding on a Platform to Build From

There are many different threat-hunting platforms that you can choose to build your tool from. For our example, we will be using the platform formerly known as the ELK Stack, now called the Elastic Stack. The Elastic Stack consists of several components:

  • Elasticsearch: A distributed, JSON-based search and analytics engine designed to scale horizontally while remaining reliable and easy to manage
  • Logstash: The data-ingestion and processing pipeline, with many input, filter and output plugins available
  • Kibana: Lets you visualize your data and turn it into a valuable source of information that is easy to navigate
  • Beats: The lightweight endpoint shippers that send data back to Logstash or Elasticsearch

Using all of these components together allows you to monitor your IT environment with a purposefully-designed threat-hunting tool that you can build (Read more...)
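As an added illustration that is not part of the original article, here is a minimal Logstash pipeline that wires the listed components together: Beats ships raw log lines in, a grok filter turns them into queryable fields, and Elasticsearch indexes the result for Kibana. The sample auth.log line, the field names and the index name are assumptions made for this example.

```logstash
# Beats (for example Filebeat on the endpoint) ships raw lines to Logstash on TCP 5044.
input {
  beats {
    port => 5044
  }
}

filter {
  # Parse OpenSSH "Failed password" lines so that user, source IP and port become
  # separate fields instead of staying buried in the "message" string.
  # Constructed sample input line for this example:
  #   Mar  3 10:15:42 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
  grok {
    match => {
      "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:host_name} sshd\[%{POSINT:pid}\]: Failed password for (invalid user )?%{USERNAME:user_name} from %{IP:source_ip} port %{POSINT:source_port} ssh2"
    }
    # Tag matched events so hunters can filter on them directly in Kibana.
    add_tag => [ "ssh_failed_login" ]
  }

  # Lines that do not match are still indexed; Logstash tags them _grokparsefailure,
  # which is itself worth a saved search so parser gaps are noticed.

  # Replace @timestamp with the time in the log line (syslog pads single-digit days
  # with two spaces, hence both patterns) so Kibana timelines reflect event time.
  date {
    match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    remove_field => [ "syslog_timestamp" ]
  }
}

output {
  # Daily indices keep retention simple; the host and index name are assumptions.
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "auth-%{+YYYY.MM.dd}"
  }
}
```

With this in place, a Kibana visualization of `source_ip` counts filtered on the `ssh_failed_login` tag is a first, simple hunting view built entirely from the components above.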

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Graeme Messina. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/kufM1KXBhao/