Guidance for Launching a Threat Hunting Program

April 28, 2022 | By IANS Faculty

Today’s organizations have a lot on their hands when it comes to defending their environments against attack. Cyber risk crosses several dimensions, and most organizations today struggle to be proactive in their incident response efforts. 

Enter threat hunting, the ultimate proactive strategy for finding the hidden threats lurking on enterprise systems. Launching a threat hunting program starts with some basic organizational and security fundamentals, but it ultimately requires a mature security program, which entails the following: 

  • Security staffers who are curious, intuitive and have a solid understanding of IT security and the threat landscape. Staffers must also have enough time, outside their regular tasks, to devote to threat hunting. 
  • Tools and technology platforms that enable threat hunting detection, investigations, monitoring and management. 
  • A clear picture of what “normal” is. This means the program must be able to baseline network traffic and end-user and system behavior, and must know which events are expected and authorized, so that deviations from that baseline can be identified as issues.

This piece helps you understand where your security program sits on the maturity curve and whether it is at the stage to launch a threat hunting program. It aims to help you gauge your security posture and provide strategic steps to push everything up a notch and become more proactive in your defense tactics. 

Assess Security Maturity for Threat Hunting

Most security programs fall into one of four stages, starting with the basics and gradually increasing in security sophistication. Each stage is discussed in more detail below. When organizations are at Stages 1 and 2, they do not yet have the people, processes and tools required to spin up a threat hunting program. By Stage 3, they have the bare necessities to start planning a threat hunting practice, and by Stage 4, the security program is mature enough to support threat hunting in addition to its other security responsibilities.

Stage 1: Vulnerable 

Organizations with security programs at Stage 1 are only equipped with the basic procedures for eliminating threats. For example, Stage 1 organizations have no process to see threats at the endpoint. They use only signature-based tools (like AV and IDS) to detect and stop known malware, and malware not stopped by the signature-based approach often ends up negatively impacting the performance of the IT infrastructure. 

In most cases, the program’s only response to such attacks is to re-image the machine. Root-cause analysis is seldom if ever conducted. At Stage 1, most tools and processes are not integrated. Instead, only siloed solutions are used to handle threats. 


Stage 2: Reduced Risk 

At Stage 2, organizations improve their processes and tooling. For example, they go beyond simple AV and can poll and scan networks and endpoints to see/identify threats. At Stage 3, security programs tend to deploy more preventive measures. For example, they: 

  • Remove admin rights for all endpoints and end users, so that only the specific admins/IT personnel who need those rights have them.  
  • Perform basic allow-listing of applications and services, and use IP reputation databases to block sites known for disseminating malware or running command-and-control channels.  
  • Limit the sites and applications vendors and contractors can access.  
  • Deploy more comprehensive tools, such as endpoint detection and response. 

At this stage, the program responds to incidents by performing manual root-cause and scope analysis to find out which areas of the IT infrastructure have been affected by an attack. Its analysts are able to pinpoint and remove malware, and then conduct post-mortem forensic work so they know how to protect the IT system the next time it faces a similar attack.

At this stage, tools and processes are somewhat integrated, with a few rolling up alerts and logs to a centralized SIEM platform. 

Stage 3: Strong Posture   

At Stage 3, security organizations are able to set up real-time visibility and continuous reporting, usually using simple indicators and single-source threat intelligence. 

They tend to segment their environments using VLANs or, in some cases, host-based firewalls. Automated root-cause and scope analysis is performed in response to threats, and the resulting data is correlated with system security state. In addition, SIEMs and other threat management software are fully integrated into the IT infrastructure.

At this point, the organization has the tools, processes and visibility to begin planning a threat hunting program, but launching the program should wait until the next stage, when it has the expertise, staffing and resources to fully support it.

Stage 4: Mature – Ready to Threat Hunt 

Stage 4 mature security groups have real-time visibility and continuous reporting of endpoint and network security state. Using aggregated, multi-vendor threat intel, Stage 4 organizations have the ability to detect the behaviors and patterns of threats, and threat intelligence is fully integrated into all available events and incidents. 

Within Stage 4, threats are prevented by policy-based default-deny and customizable prevention controls. The immediate response to a threat is to disrupt and contain the attack, and then to use automated remediation. Some system integrations are customized via open APIs.

Security Maturity for Threat Hunting   

Once your security posture has matured to Stage 4, a robust threat hunting program can be initiated. To successfully pair the organization’s IT infrastructure with a tailored threat hunting program, your security strategy must:

  • Focus on improving risk visibility of your systems and endpoints.  
  • Adopt better processes for detecting, preventing and responding to risks and cyberattacks. 
  • Integrate comprehensive threat tools and technology to improve alerts, monitoring, data management and APIs. 
  • Boost your security team’s skills with constant high-quality cybersecurity training to help staff advance levels of both security and threat hunting knowledge. 
  • Update and document all required processes for maintaining high system security. 
  • Adopt the latest, best system security strategies, and routinely update for consistent security improvements. 
