As we explained in what security teams need to know about threat hunting, threat hunting is a complex and resource-intensive process.
How can you streamline this process, so it becomes feasible to conduct it on a large enough scale to meet your needs? Automation and cutting-edge cyberthreat intel tools can make a powerful difference, but taking a well-organized, structured approach to threat hunting is also essential. That begins even before you start planning for a specific threat hunt when you gather the information, you need to decide which threats to investigate and in what order.
With that in mind, here are four steps that can help you create a threat-hunting roadmap reflecting your cybersecurity priorities:
1. Take stock of your critical information assets
The first information you’ll need when planning a threat hunt is likely to be an inventory of your critical information assets. In order to make sure your threat hunt is effective and efficient, you’ll want to perform a cyber threat analysis by assessing relevant data you have, where it is, who can access it, and which safeguards protect it.
In reality, many companies and organizations carry out threat hunts without following these threat-hunting steps and taking a full inventory of their information assets. It is well worth your time to gather as much of this information upfront as possible. The more complete your inventory is before you start, the faster and more complete your threat hunt will be.
An ideal inventory should cover all of your critical data and provide the following details (or as many of them as possible):
Physical and logical topologies.
Network device information (make, model, OS version, and configuration).
Security control information (make, model, OS version, and configuration).
Host information (make, model, hardware configuration, and OS version and configuration – as well as the names, versions, and configurations of any applications on that host).
Pan-host/pan-infrastructure information for hypervisors, content management systems, data interchange systems, etc. (including versions, security controls, and access lists).
Data flow between apps and hosts for business solutions.
Access controls for all of the above.
Access lists for all of the above.
Locations, types, and formats of logs for all of the above.
Primary points of contact for all of the above. (This likely encompasses multiple service providers in today's cloud-centric world.)
2. Rank your most critical assets in order of importance
After you’ve created an inventory of your information assets, your next step is determining which of them is most important to protect through threat hunting. A large and well-funded organization typically does this in a risk assessment or by a risk management program.
Which assets are most important to protect? The answer varies widely from organization to organization, based on specific needs, goals, and threats. For example, one company may be most concerned with its financial accounts, while another may be more focused on protecting its intellectual property.
3. Identify the most urgent threats to your organization
In addition to knowing which data assets you need to protect, developing a threat-hunting roadmap requires you to know what threats are out there that may impact your organization. You can get a snapshot of the latest and most urgent threats to watch out for by relying on a cyberthreat intelligence feed such as Cybersixgill’s Darkfeed, which automatically provides real-time updates on threats identified on the deep and dark web. This feed can also be used with auto-block rules, enabling you to automatically protect yourself against obvious threats in real-time, without relying on a threat-hunting or IT team.
If you have enough cybersecurity resources to support a threat-hunting team, then an investigative research portal is likely a worthwhile investment. With a solution such as Cybersixgill’s Investigative Portal, you can take a highly tailored approach to both searchings for threats and setting up automatic alerts, based on your industry’s threat landscape and the most critical assets listed in your inventory.
4. Put it all together
Once you know what your key information assets are, which of them are most critical, and what threat activity you need to watch out for, you’re ready for an analyst to create a roadmap of the most urgent threats to investigate. They should generate a list of priority intelligence requirements (PIRs) – a set of specific questions about potential cyberthreats that should guide your threat-hunting program.
Your list of PIRs should outline which specific risks you want to investigate and in what order. This step should allow you to synthesize all the information your team has gathered and use it to ensure that your threat-hunting roadmap reflects your cybersecurity priorities.
After you’ve created your roadmap
Once you have gathered the necessary information, asked the right questions, and prioritized them as this post has explained, you will be ready to start planning (and executing) a specific threat hunt.
What do those next planning and execution steps entail? For a fuller picture of how to plan, organize, and carry out an effective threat hunt, download our latest guide, Threat Hunting for Effective Cybersecurity: How to Protect Critical Assets Through Systematic, Proactive Threat Intelligence.