Threat-Hunting Process

Introduction

Consider this: No system is absolutely protected from cyberthreats. Even in the case where the best, most recent and effective security solutions are in place, there is always the chance cybercriminals will develop a new form of attack that can bypass layer after layer of protection controls.

In fact, this very premise is the basis of threat hunting — the process of looking for anomalies within a company’s network or devices and determining if they represent the trails left by stealthy attackers. As expected, this is no simple task; hunting for cybercriminals will require an experienced team, lots of data (such as logs from network devices, servers and endpoints), a solution for centralizing data collection and analysis, and actionable knowledge about threats to an environment.

With all these variables and requirements, it is essential to adequately manage all the threat-hunting elements. Otherwise the effectiveness of the hunt can suffer a great deal, leading to a false sense of security while cybercriminals reign unopposed.

The best solution is understanding the threat-hunting process. Here are five simple steps that will ensure your hunt is a success.

1. Preparing for the Hunt

Before starting to proactively hunt cyberthreats, it is necessary to confirm that the essentials are in place: the hunter, the data and the tools.

  • The Hunter: To put it simply, cyberthreat hunting is perhaps one of the hardest security disciplines to master. Not only does it require advanced technical knowledge in areas such as network analysis, intrusion detection, forensics and malware analysis, but it also requires non-technical skills such as understanding the organization's business processes. A good starting point for any cyberthreat-hunting process is making sure your team has the necessary experience.
  • The Data: No hunting can be done without sufficient data. Assets such as servers, network devices (firewalls, switches, routers), (Read more...)
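To make the "looking for anomalies" idea from the introduction and the endpoint log data named above concrete, here is an added example (not code from the original post or its author) of one common hunting technique, stack counting: the hunter tallies how many hosts exhibit each parent-process/child-process pair and treats the combinations seen on only one or two hosts as leads to investigate. The log format, field names and the sample lines are constructed for this example; a real hunt would read the same kind of records from a centralized log platform.

```python
"""Stack counting ("stacking") over endpoint process-execution logs.

Added example of the anomaly-hunting approach described in the post; it is not
the post's own code. The record layout (host|user|parent|image) is a
hypothetical, simplified format chosen for this example.
"""

# Constructed sample data: ten process launches across five workstations.
SAMPLE_LOGS = """\
ws01|alice|explorer.exe|outlook.exe
ws01|alice|explorer.exe|chrome.exe
ws02|bob|explorer.exe|outlook.exe
ws02|bob|explorer.exe|chrome.exe
ws03|carol|explorer.exe|outlook.exe
ws03|carol|explorer.exe|chrome.exe
ws04|dave|explorer.exe|outlook.exe
ws04|dave|winword.exe|powershell.exe
ws05|erin|explorer.exe|chrome.exe
ws05|erin|explorer.exe|outlook.exe
"""

FIELDS = ("host", "user", "parent", "image")


def parse(text):
    """Turn the pipe-separated log text into a list of dict records.

    Blank lines and '#' comments are skipped; a malformed line raises so that
    a broken export is noticed instead of silently shrinking the data set.
    """
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        records.append(dict(zip(FIELDS, parts)))
    return records


def stack(records, keys=("parent", "image")):
    """Map each distinct combination of `keys` to the set of hosts showing it.

    Counting distinct hosts rather than raw events keeps one noisy machine
    from making a combination look common across the fleet.
    """
    hosts_by_combo = {}
    for rec in records:
        combo = tuple(rec[k] for k in keys)
        hosts_by_combo.setdefault(combo, set()).add(rec["host"])
    return hosts_by_combo


def rare(hosts_by_combo, max_hosts=1):
    """Return the combinations seen on at most `max_hosts` hosts, rarest first."""
    leads = [combo for combo, hosts in hosts_by_combo.items() if len(hosts) <= max_hosts]
    return sorted(leads, key=lambda combo: (len(hosts_by_combo[combo]), combo))


def hunt(text, max_hosts=1, keys=("parent", "image")):
    """Run the whole pipeline and return {combination: sorted hosts} for each lead.

    The result is a list of places for a hunter to look, not a verdict: the
    post's next step, deciding whether an anomaly is an attacker's trail or a
    legitimate one-off, still needs a human and more context.
    """
    stacked = stack(parse(text), keys)
    return {combo: sorted(stacked[combo]) for combo in rare(stacked, max_hosts)}


if __name__ == "__main__":
    for combo, hosts in hunt(SAMPLE_LOGS).items():
        print(" -> ".join(combo), "seen only on", ", ".join(hosts))
```

Run as a script, the example reports the one parent/child pair that appears on a single host (a Word document spawning a PowerShell process on ws04), while the pairs every workstation shares drop out of view. Raising `max_hosts` widens the net; changing `keys` to, say, `("user", "image")` stacks by a different dimension of the same data.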

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Claudio Dodt. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/9DafbS97j9I/