Building a threat hunting team requires finding people who are prepared to be inquisitive about data and keen to be the first to find a threat, and having the right culture for them to work in.
Speaking at Bsides Belfast 2019, Martin Lee, outreach manager and technical lead at Cisco Talos, said that the team at Talos “work on analyzing the intelligence we have got, spot what is different and understand it, and as there is no manual on how to manage and function a threat research and intelligence team, the research team has grown organically.”
He said that there is a common belief that threat hunting involves “putting data in and mixing it with tools using SIEM, and using procedures to find threats,” whereas threat hunting should be thought of as a “stack of technology” where you do not need a “secret store of data that only you can access.”
Lee added: “We look for the most significant new threat on the internet, and see our role as to protect the entire internet. We want to hunt down and find the bad guys and be the first people to protect customers and inform the community.”
A lot of threat hunting “is classic engineering,” in that if you put processes in at the beginning and follow them, you will come to a predictable end with a clean answer, and Lee called that “the holy grail” situation. In most cases, threat hunting involves looking through indicators of compromise and comparable data, and the resolution is affected by attackers using different domains, different IP addresses and different data.
Lee also said that when there is a successful effort at threat hunting, this can be turned into an automated process.
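The kind of hunt described above, one that does not hinge on a fixed domain or IP address and can be re-run automatically once it has proven itself, as an added Python example (not code from Talos or from the talk); the proxy log format, the sample lines and the thresholds are all assumptions.

```python
"""Hunt for periodic outbound connections (beaconing) in a way that survives
attackers rotating domains and IPs, then expose the hunt as a reusable check.
Log format and thresholds are assumed for this example."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample proxy log: "<epoch_seconds> <src_host> <dst_host> <dst_ip>"
# wks-17 talks to a different domain and IP every time, but on a fixed rhythm.
SAMPLE_LOG = """\
1000 wks-17 cdn-a.example 203.0.113.5
1060 wks-17 cdn-b.example 203.0.113.9
1120 wks-17 cdn-c.example 198.51.100.2
1180 wks-17 cdn-d.example 198.51.100.7
1240 wks-17 cdn-e.example 203.0.113.44
1005 wks-22 news.example 192.0.2.10
1400 wks-22 mail.example 192.0.2.20
1450 wks-22 news.example 192.0.2.10
2300 wks-22 wiki.example 192.0.2.30
"""


def parse_log(text):
    """Group (timestamp, dst_host, dst_ip) tuples by source host."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, ip = line.split()
        events[src].append((int(ts), dst, ip))
    return events


def find_beacons(events, min_events=4, max_jitter=0.15):
    """Return {src_host: (mean_gap_seconds, distinct_destinations)} for hosts
    whose connection gaps are regular. Destinations are deliberately ignored:
    a rotating domain or IP does not hide the rhythm, which is the point of
    hunting on behaviour rather than on a static indicator."""
    hits = {}
    for src, evs in events.items():
        if len(evs) < min_events:
            continue
        times = sorted(t for t, _, _ in evs)
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[src] = (avg, len({d for _, d, _ in evs}))
    return hits


def scheduled_check(log_text=SAMPLE_LOG):
    """The hunt, packaged so it can run unattended over each new log batch."""
    return find_beacons(parse_log(log_text))
```

Once the question has been answered by hand the same function can be run on every new batch of logs, which is the manual-to-automated step the talk describes.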
“We find bad guys, find them first and hunt them down on the internet,” he said. “We have a strong sense of mission and a high degree of success as people want to hunt and encourage each other to keep going, it is not a job, but a lifestyle.”
Lee also said that very little of threat hunting is the common perception of “get a SIEM and go on the dark web” as a SIEM shows the analyst one view, which makes it difficult to ask different and innovative questions of the data.
As for the dark web, he acknowledged that there is malicious activity in the dark web “as you can find bad guys discussing [things] before they happen,” but the set of things that happen versus things discussed on the dark web often means “a lot of it can just be noise and people discussing things that may not happen.”
He said that “more important than tooling is people with skills” who will thrive in the right culture, as you “can kill people with tooling if you have the wrong culture.” You also need some idea of what you want to find; if you have no idea what you are looking for, you will never find it.
Lee recommended building a strategy on what you are hoping to find and what you would like to find, and deciding what you would do with it and how it would advance the goals of the organization. Also, use tools that allow you to ask questions of data easily, and hire people who are curious about things “and get to the root cause of what is going on.”