
Threat Hunting Maturity Model

Introduction

Before describing the threat hunting maturity model, we need to understand what threat hunting is. Threat hunting is the act of proactively and iteratively searching a network to detect and isolate advanced threats that have evaded an organization's existing security mechanisms. A hunt can target any of the various kinds of activity a malicious actor may perform, and hunters apply the techniques best suited to the particular activity they are trying to uncover.

Hunting can involve both machine-based and manual techniques. Unlike purely automated systems such as a SIEM, hunting relies on human analysts to pursue threats with more sophistication. Automation (such as automated alerting) should nonetheless remain one of the primary features of the hunt.

The aim of this article is to show how organizations can measure their current maturity level and what improvements are required to enhance their security posture. The maturity level reflects an organization's capabilities and, from it, one can determine to what extent the organization is able to hunt for and respond to threats.

According to a 2018 Threat Hunting Report:

“From a maturity perspective, nearly 15 percent [of respondents] believe they are cutting-edge, up 8 percent from last year. However, 33 percent of respondents state that their capabilities are limited, a jump of nearly 6 percentage points higher from the previous year.”

The Hunting Maturity Model (HMM)

Hunters must consider what makes up a good hunting infrastructure, keeping the definition of hunting in mind. When assessing an organization's hunting ability, you need to consider the following factors:

  • Data: organizations have to provide data to the hunters, and the quantity and quality of that data are important considerations for a reliable hunt
  • Analysis: the ways the organization visualizes and analyzes the many types of data it collects
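The interplay of automation and human judgment described above can be made concrete with a small hypothesis-driven hunt. The example below is added here and is not part of Fakhar Imam's post: it parses a constructed authentication log (the log lines, the "10." internal-address convention, the working-hours window and the scoring weights are all assumptions for illustration), automatically scores each account against the hypothesis "failed logins followed by a success from an external address, outside working hours", and hands a ranked list to the analyst for manual review rather than raising a verdict on its own.

```python
"""Hypothesis-driven hunt over constructed authentication logs.

The automated part scores accounts against a hunting hypothesis; the
ranked output is what a human hunter would review. Every log line below
is constructed for this example, not captured from a real system.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log, one event per line: "timestamp user src_ip result"
SAMPLE_LOG = """\
2024-03-04T09:12:41Z alice 10.0.1.15 success
2024-03-04T09:15:02Z bob 10.0.1.22 success
2024-03-04T09:16:10Z carol 10.0.1.31 success
2024-03-04T17:45:55Z alice 10.0.1.15 success
2024-03-05T02:13:09Z bob 203.0.113.77 failure
2024-03-05T02:13:31Z bob 203.0.113.77 failure
2024-03-05T02:14:02Z bob 203.0.113.77 success
2024-03-05T08:59:48Z carol 10.0.1.31 success
2024-03-05T03:30:00Z dave 10.0.1.40 success
"""


@dataclass
class Event:
    ts: datetime
    user: str
    src: str
    result: str


def parse_log(text):
    """Turn the whitespace-separated sample format into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, src, result))
    return events


def is_internal(ip):
    # Assumption for this example: the corporate range is 10.0.0.0/8.
    return ip.startswith("10.")


def hunt(events, work_start=7, work_end=19):
    """Score each user against the hypothesis. Returns {user: (score, reasons)}
    for every user with a non-zero score; weights are illustrative."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)

    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        score, reasons = 0, []

        external = sorted({e.src for e in evs if not is_internal(e.src)})
        if external:
            score += 2
            reasons.append(f"external source(s) {external}")

        off_hours = [e for e in evs if not (work_start <= e.ts.hour < work_end)]
        if off_hours:
            score += 1
            reasons.append(f"{len(off_hours)} off-hours event(s)")

        # One or more failures immediately followed by a success from the same source.
        for prev, cur in zip(evs, evs[1:]):
            if prev.result == "failure" and cur.result == "success" and prev.src == cur.src:
                score += 3
                reasons.append(f"failure(s) then success from {cur.src}")
                break

        if score:
            findings[user] = (score, reasons)
    return findings


def ranked(findings):
    """Highest score first: the order in which an analyst would review them."""
    return sorted(findings.items(), key=lambda kv: -kv[1][0])


if __name__ == "__main__":
    for user, (score, reasons) in ranked(hunt(parse_log(SAMPLE_LOG))):
        print(f"{user:6} score={score} {'; '.join(reasons)}")
```

The scoring deliberately stops short of a decision: `bob` rises to the top because three indicators coincide, while `dave` scores only for a single off-hours login that an analyst can quickly confirm or dismiss. Richer data (device, geolocation, MFA outcome) would let the hypothesis be tested more reliably, which is the point of the quantity-and-quality factor above.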

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Fakhar Imam. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/YWjlGj3s7YE/
