Why Do You Need a Hunt Team? The Surprising Answer


You’ve probably heard this a million times now: “You need a hunt team”. This is true, as far as it goes, but why? For most people, the initial answer is probably something close to this: “So we can find bad guys on our network”. Again, this is true, but would it surprise you to learn that finding the bad guys is probably the least important reason to have a hunt team?

The Big Three Reasons

Although there are probably as many reasons to have a hunt team as there are organizations who have them, I think the three most important reasons are:

-To identify new security incidents

-To improve automated detection

-To drive skills sharing and mentorship within the security team

Let’s look at each of these in more detail.

 

Identifying New Security Incidents

As I mentioned earlier, this is probably the #1 reason any hunting ever gets done. It’s a basic tenet of information security these days that prevention eventually fails, allowing intruders into the network. That’s why we see so much emphasis on detection and response as a backstop. We make it as hard as practical for an intruder to operate in our environment, and then look for the cases where our protections have failed. If we take this to the next logical step, we see that detection eventually fails, too. No matter how good they are, signatures and rules are static, and we are pitting static detection systems against agile threat actors who can change their tools and tradecraft as soon as they notice they are being caught. While this can work in the short term, it’s not a sound long-term strategy on its own.

Instead, we hunt. We define hunting as a process that inherently involves humans in some capacity, posing and testing hypotheses designed to identify new types of security incidents, or existing types that we hope to discover in new ways. This allows us to counter our agile adversaries with agile defenders, leveling the playing field a bit. 

 

Improving Automated Detection

It’s great that we can use threat hunting to find new security incidents, but there’s a problem with that: scale. Humans are great at finding new ways to attack problems but we have difficulty keeping up with the deluge of data coming out of even moderately-sized organizations. Humans just don’t scale to the enterprise. 

Fortunately, there’s a smarter way to both innovate and scale, which is to turn the results of successful hunts into automation. Automating our successful hunts provides two key benefits. First, while human threat hunters may need to try out their techniques on smallish datasets in order to prove that they work, automated versions of those hunts are free to work with much larger piles of data, covering the entire IT environment. Second, once a hunt is automated, the hunt team will rarely have to repeat it, and can thus focus their time on further innovation rather than running the same analysis over and over. 
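To make the hunt-to-automation hand-off concrete, here is an added example (not code from the original post or from Sqrrl) of one common hunting technique, stacking process-creation events by parent/child pair to surface the rare tail, followed by the cheap per-event detection rule an analyst might codify after reviewing that tail. The host names, process pairs and JSON field names are constructed for illustration and do not come from any real telemetry source.

```python
"""Hunt step (stacking) and the automated detection derived from it.

Added illustration; the events below are constructed, not real telemetry.
"""
import json
from collections import Counter

# Constructed process-creation events, one JSON object per line, in the shape
# an EDR or Sysmon pipeline might emit (field names are assumptions).
SAMPLE_LOG = """\
{"host": "ws01", "parent": "explorer.exe", "image": "chrome.exe"}
{"host": "ws02", "parent": "explorer.exe", "image": "chrome.exe"}
{"host": "ws03", "parent": "explorer.exe", "image": "chrome.exe"}
{"host": "ws01", "parent": "explorer.exe", "image": "outlook.exe"}
{"host": "ws04", "parent": "explorer.exe", "image": "outlook.exe"}
{"host": "ws01", "parent": "outlook.exe", "image": "winword.exe"}
{"host": "ws05", "parent": "outlook.exe", "image": "winword.exe"}
{"host": "ws01", "parent": "services.exe", "image": "svchost.exe"}
{"host": "ws02", "parent": "services.exe", "image": "svchost.exe"}
{"host": "ws06", "parent": "services.exe", "image": "svchost.exe"}
{"host": "ws07", "parent": "winword.exe", "image": "powershell.exe"}
{"host": "ws08", "parent": "explorer.exe", "image": "notepad.exe"}
{"host": "ws09", "parent": "excel.exe", "image": "cmd.exe"}
"""


def parse_events(raw):
    """Parse newline-delimited JSON into dicts, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


SAMPLE_EVENTS = parse_events(SAMPLE_LOG)


# --- Hunt step: the human poses "rare parent/child pairs are interesting" ---
def stack_parent_child(events):
    """Count each (parent, child) pair across the data set (stacking)."""
    return Counter((e["parent"].lower(), e["image"].lower()) for e in events)


def rare_pairs(counts, max_count=1):
    """Return the long tail: pairs seen at most max_count times, sorted."""
    return sorted(pair for pair, n in counts.items() if n <= max_count)


# --- Automation step: the analyst reviewed the tail and decided that Office
# applications spawning a shell is the finding worth running continuously.
# explorer.exe -> notepad.exe was also rare, but judged benign and left out;
# that judgement is the part a human supplies once, not on every run.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def detect_office_spawning_shell(event):
    """Per-event rule derived from the hunt; cheap enough for every host."""
    return (event["parent"].lower() in OFFICE_APPS
            and event["image"].lower() in SHELLS)


def run_detection(events):
    """Apply the codified rule to a stream of events and return the hits."""
    return [e for e in events if detect_office_spawning_shell(e)]


if __name__ == "__main__":
    counts = stack_parent_child(SAMPLE_EVENTS)
    print("rare pairs for analyst review:", rare_pairs(counts))
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT office->shell:", hit["host"], hit["parent"], hit["image"])
```

The stacking function is what the hunter runs once on a sample; it returns a list for a person to read, and it would be too noisy to alert on directly. The detection function encodes only the conclusion the hunter drew from that list, which is why it can run on every event in the enterprise without anyone repeating the analysis.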

 

Driving Skills Sharing and Mentorship

So far, the benefits we’ve talked about accrue even if your hunts are done by individuals. However, working as a team cooperating on the same hunt has important benefits that are often overlooked. A well-constructed hunt team will have multiple individuals, each with their own particular set of skills and areas of expertise. Having a wide variety of expertise vastly expands the types of hunts the team will be capable of taking on, but the act of cooperating to carry them out has many practical benefits when it comes to professional development. Learning new skills by collaborating with teammates is a great way to spread the expertise of an individual around to the rest of the team. It also goes a long way towards keeping your team members motivated, sharp and at the top of their game. 

Some organizations are beginning to recognize this, and to structure their hunt teams specifically to take maximum advantage of this impromptu mentorship. Rather than establishing “the hunt team” as a group of dedicated members who do nothing but hunt, some companies supplement a small core of dedicated hunters with a rotating roster of analysts from other parts of the security team. This approach works especially well because it not only lets the team bring in subject matter experts whose knowledge matches the current hunt’s topic, but it also carries hunting expertise back out into the rest of the security team, where it can work its way into the fabric of everyday operations. 

Conclusion

I hope that by now I have convinced you that threat hunting is about much more than simply finding security incidents. In fact, identifying unknown adversary activity is actually the least important reason to establish a hunt team. The individual security incidents your team opens in the course of their work may be important, but they are ultimately short term wins. However, the habit of automated detection improvements and the flow of skills between hunters and between parts of the overall security team both have the potential to affect lasting wins across your entire security program.

This post originally appeared on the Sqrrl Blog, here: https://sqrrl.com/why-do-you-need-a-hunt-team-the-answer-may-surprise-you/
