Today’s organizations have a lot on their hands when it comes to defending their environments against attack. Cyber risk crosses several dimensions, and most organizations today struggle to be proactive in their incident response efforts.
Enter threat hunting, the ultimate proactive strategy for finding the hidden threats lurking on enterprise systems. Launching a threat hunting program starts with some basic organizational and security
fundamentals, but it ultimately requires a mature security program, which entails the following:
This piece helps you understand where your security program sits on the maturity curve and whether it is at the stage to launch a threat hunting program. It aims to help you gauge your security posture and provide strategic steps to push everything up
a notch and become more proactive in your defense tactics.
Most security programs fall into one of four stages, starting with the basics and gradually increasing in security sophistication. Each stage is discussed in more detail below. When organizations are at Stages 1 and 2, they do not yet have the people,
processes and tools required to spin up a threat hunting program. By Stage 3, they have the bare necessities to start planning a threat hunting practice and by Stage 4, the security program is mature enough to support threat hunting in addition to
its other security responsibilities.
Organizations with security programs at Stage 1 have only basic procedures for eliminating threats and no visibility into what is happening on the endpoint. They rely on signature-based tools (AV, IDS) to detect and block known malware; anything the signatures miss typically goes unnoticed until it degrades the performance of the IT infrastructure.
In most cases, the program's only response to such an infection is to re-image the machine. Root-cause analysis is seldom, if ever, conducted. At Stage 1, tools and processes are not integrated; threats are handled with siloed point solutions.
At Stage 2, organizations improve their processes and tooling. They go beyond simple AV and can poll and scan networks and endpoints to identify threats. The program responds to incidents with manual root-cause and scope analysis to determine which parts of the IT infrastructure an attack has affected. Analysts can pinpoint and remove malware, and then conduct post-mortem
forensics so they know how to protect the environment the next time it faces a similar attack.
At this stage, tools and processes are somewhat integrated, with a few of them forwarding alerts and logs to a centralized SIEM platform.
At Stage 3, security programs deploy more preventive measures and establish real-time visibility and continuous reporting, usually driven by simple indicators (such as file hashes and IP addresses) from a single source of threat intelligence.
They tend to segment their environments using VLANs or, in some cases, host-based firewalls. Root-cause and scope analysis are automated in response to threats, and the resulting data is correlated with other system security data. In addition, the SIEM and
other threat-management tooling are fully integrated into the IT infrastructure.
At this point the organization has the tools, processes and visibility to begin planning a threat hunting program, but launching it should wait until the next stage, when the program has the expertise, staffing and resources to fully support it.
Stage 4 security groups have real-time visibility and continuous reporting on the security state of endpoints and the network. Using aggregated, multi-vendor threat intelligence, they can detect the behaviors and patterns of threats rather than only their static indicators,
and threat intelligence is fully integrated into all available events and incidents.
At Stage 4, threats are prevented through policy-based default-deny controls and customizable prevention policies. The immediate response to a threat is to disrupt and contain the attack, followed by automated remediation. Some system integrations are customized
via open APIs.
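The practical difference between the Stage 3 approach (matching single-source indicators) and the Stage 4 approach (detecting behaviors and patterns across correlated events) is easiest to see on telemetry. The following is an added example, not code from the original post or from IANS; the endpoint events, hashes, IP addresses and the indicator feed are all constructed for illustration. It runs an indicator-only check and a behavior-based check over the same events and shows that a stock scripting host spawned by an Office application and calling out to an unknown address is invisible to the former and caught by the latter.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    """One endpoint telemetry record, as an EDR agent might report it."""
    ts: datetime
    host: str
    kind: str            # "proc" (process start) or "net" (outbound connection)
    pid: int
    image: str           # image path of the process the event belongs to
    ppid: int = 0
    parent_image: str = ""
    sha256: str = ""     # only populated on "proc" events
    dest_ip: str = ""    # only populated on "net" events


T0 = datetime(2022, 12, 6, 9, 0, 0)

# Constructed sample telemetry: hashes and addresses are made up.
EVENTS = [
    Event(T0, "ws-17", "proc", 4100, r"C:\Program Files\Microsoft Office\WINWORD.EXE",
          ppid=3900, parent_image=r"C:\Windows\explorer.exe", sha256="11aa"),
    Event(T0 + timedelta(seconds=40), "ws-17", "proc", 4188,
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          ppid=4100, parent_image=r"C:\Program Files\Microsoft Office\WINWORD.EXE",
          sha256="22bb"),  # stock PowerShell: its hash will never appear in a malware feed
    Event(T0 + timedelta(seconds=55), "ws-17", "net", 4188,
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          dest_ip="198.51.100.77"),  # attacker infrastructure not yet in any feed
    Event(T0 + timedelta(minutes=3), "ws-22", "proc", 5012,
          r"C:\Users\bob\AppData\Local\Temp\update.exe",
          ppid=900, parent_image=r"C:\Windows\explorer.exe", sha256="deadbeef"),
    Event(T0 + timedelta(minutes=5), "ws-09", "proc", 600, r"C:\Windows\System32\cmd.exe",
          ppid=410, parent_image=r"C:\Windows\explorer.exe", sha256="33cc"),
    Event(T0 + timedelta(minutes=5, seconds=2), "ws-09", "net", 600,
          r"C:\Windows\System32\cmd.exe", dest_ip="10.0.0.5"),  # benign admin activity
]

# Stage 3: a single-source feed of atomic indicators (constructed).
IOC_HASHES = {"deadbeef"}
IOC_IPS = {"203.0.113.45"}


def indicator_matches(events, ioc_hashes=IOC_HASHES, ioc_ips=IOC_IPS):
    """Stage-3 style detection: each event is checked on its own against the feed."""
    hits = []
    for e in events:
        if e.kind == "proc" and e.sha256 in ioc_hashes:
            hits.append((e.host, e.pid, f"known-bad hash {e.sha256}"))
        elif e.kind == "net" and e.dest_ip in ioc_ips:
            hits.append((e.host, e.pid, f"known-bad destination {e.dest_ip}"))
    return hits


OFFICE = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
SCRIPT_HOSTS = ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe")


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def behavior_matches(events, window=timedelta(minutes=2)):
    """Stage-4 style detection: correlate a process-tree pattern (Office app spawning
    a scripting host) with a later outbound connection from that child, within a
    time window, without depending on any hash or IP being known in advance."""
    hits = []
    suspicious = {}  # (host, pid) -> spawn event of an Office-launched script host
    for e in events:
        if (e.kind == "proc" and _basename(e.parent_image) in OFFICE
                and _basename(e.image) in SCRIPT_HOSTS):
            suspicious[(e.host, e.pid)] = e
    for e in events:
        spawn = suspicious.get((e.host, e.pid))
        if e.kind == "net" and spawn is not None and timedelta(0) <= e.ts - spawn.ts <= window:
            delay = int((e.ts - spawn.ts).total_seconds())
            hits.append((e.host, e.pid,
                         f"{_basename(spawn.parent_image)} -> {_basename(spawn.image)} "
                         f"-> {e.dest_ip} within {delay}s"))
    return hits


if __name__ == "__main__":
    print("indicator hits:", indicator_matches(EVENTS))
    print("behavior hits: ", behavior_matches(EVENTS))
```

The indicator check flags only the dropped binary on ws-22, because that is the one artifact the feed already knows about; the behavioral rule flags the PowerShell child on ws-17 even though neither its hash nor its destination appears anywhere in the feed, and it stays silent for the cmd.exe started from Explorer on ws-09. In a real program the parent and child lists, the window, and the allow-listing of known-good chains are what an analyst tunes against the organization's own baseline.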
Once your security posture has matured to Stage 4, a robust threat hunting program can be initiated. To successfully pair the organization's IT infrastructure with a tailored threat
hunting program, your security strategy must:
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in
connection with such information, opinions, or advice.