Evolving the Hunt: A Case Study in Improving a Mature Hunt Program

[As presented at the SANS Threat Hunting & Incident Response Summit 2019]

As a major U.S. retailer with a strong cybersecurity focus, Target has long had a functional, mature threat hunting program. When David Bianco took over responsibility for the hunting program in early 2019, leadership’s key question was “How can we do even better?” But what does “better” mean for a hunting program, and how do you get from where you are now to where you want to be? In this presentation, we’ll talk about coming into an existing threat hunting program, prioritizing areas for improvement, and then implementing those improvements to make a great hunting program even better. Attendees will learn the key functions of a threat hunting program and how to evaluate the current hunting program maturity level, set an appropriate maturity improvement goal, identify and prioritize possible program changes to support the desired improvements, and understand how and why these efforts work (or don’t work!).

David J. Bianco

September 30, 2019
Transcript

  1. Evolving the Hunt
    David J. Bianco, Hunt Strategist, @DavidJBianco
    Cat Self, Lead Threat Hunter, @CoolestCatiKnow

  2. About Us
    • Enterprise detection & response specialist
    • Threat Hunting researcher
    • Threat Hunter
    • Former Red Team Engineer
    • Well-rounded Nerd (slightly biased)

  3. It All Started When…
    “I’d like you to take our Threat Hunting program to the next level.”

  4. And Then the Meetings Started!
    • Strategic Leadership
    • Team Leaders
    • Tactical Operations
    • Round Tables

  5. Our “Next Level” Opportunities
    • Operational Consistency
    • Hunt Topic Strategy
    • Program Focus

  6. The Hunting Focus Had Drifted
    • Identifying Incidents & Gaps
    • Skills Development & Transfer

  7. So We Refocused on Automation
    Source: http://bit.ly/HuntingMaturityModel
    Graphic: Sqrrl

  8. 10lbs of Hunting in a 5 Day Bag
    Day 1
    • Data Collection
    • Participant Prep
    • Format Data
    Day 2-4
    • Format Data
    • Hunt
    • Submit findings
    Day 5
    • Findings Follow up

  9. (image only; no transcribed text)

  10. So We Got Help With the Bags
    Hunt Team Members: Hunter 1, Hunter 2, Hunter 3
    Rotation grid: Week / Hunt, Week / Hunt, Week / Hunt, Week / Hunt

  11. Scheduling Wasn’t Working

  12. We Start by Prioritizing Topics
    We look at each topic through three lenses:
    • Usage by tracked threat actors
    • Risk by Impact & Likelihood
    • Strength of Existing Detection

  13. Then We Handcraft Our Brew
    • Sprint Special Requests
    • Priority Score
    • Sprint Theme
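    The topic prioritization on slides 12 and 13 (three lenses, then special requests and a sprint theme folded in) as an added worked example; this is not the presenters' or Target's scoring method. The 1-5 scales, the weights, the boosts, and the backlog entries are all constructed for illustration. The one point worth seeing in code is that detection strength enters inverted: a topic with strong, tested detection is a poor hunt candidate, while a topic with little coverage is a gap worth hunting.

```python
"""Rank a constructed hunt-topic backlog through three lenses
(threat-actor usage, risk, existing detection strength) plus sprint inputs.
Added example; weights and scales are assumptions, not the presentation's method."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class HuntTopic:
    name: str
    actor_usage: int          # tracked threat actors seen using the technique (constructed)
    impact: int               # 1 (low) .. 5 (critical)
    likelihood: int           # 1 (rare) .. 5 (expected)
    detection_strength: int   # 1 (no coverage) .. 5 (strong, tested detection)
    tags: Tuple[str, ...] = field(default_factory=tuple)
    special_request: bool = False   # slide 13: "Sprint Special Requests"


# Assumed weights: detection gaps weigh most, since hunting is for what detection misses.
WEIGHTS = {"actor": 1.0, "risk": 1.0, "gap": 1.5}
SPECIAL_REQUEST_BOOST = 1.0   # assumed
THEME_BOOST = 0.5             # assumed


def priority_score(topic: HuntTopic, sprint_theme: Optional[str] = None) -> float:
    """Combine the three lenses into one score; higher means hunt sooner."""
    actor = min(topic.actor_usage, 5) / 5                  # cap so one prolific actor set does not dominate
    risk = (topic.impact * topic.likelihood) / 25          # impact x likelihood, normalised to 0..1
    gap = (5 - topic.detection_strength) / 4               # inverted: weak detection -> large gap
    score = WEIGHTS["actor"] * actor + WEIGHTS["risk"] * risk + WEIGHTS["gap"] * gap
    if topic.special_request:
        score += SPECIAL_REQUEST_BOOST
    if sprint_theme and sprint_theme in topic.tags:
        score += THEME_BOOST
    return round(score, 3)


def rank_backlog(topics: List[HuntTopic], sprint_theme: Optional[str] = None) -> List[str]:
    """Return topic names ordered from highest to lowest priority."""
    ordered = sorted(topics, key=lambda t: priority_score(t, sprint_theme), reverse=True)
    return [t.name for t in ordered]


# Constructed backlog for illustration only.
BACKLOG = [
    HuntTopic("Credential dumping (LSASS access)", 7, 5, 4, 2, ("credential-access",)),
    HuntTopic("Scheduled task persistence", 4, 3, 4, 4, ("persistence",), special_request=True),
    HuntTopic("DNS tunnelling", 2, 4, 2, 1, ("exfiltration", "command-and-control")),
    HuntTopic("Office macro execution", 6, 3, 5, 5, ("initial-access",)),
]

if __name__ == "__main__":
    for theme in (None, "exfiltration"):
        print(f"sprint theme = {theme!r}")
        for t in sorted(BACKLOG, key=lambda t: priority_score(t, theme), reverse=True):
            print(f"  {priority_score(t, theme):5.3f}  {t.name}")
```

    Run without a theme, the macro topic drops to the bottom despite heavy actor usage because its detection is already strong; run with the theme "exfiltration", DNS tunnelling climbs past the special-request topic, which is the intended effect of a sprint theme on slide 13.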

  14. In the End, it Looks Like...
    Collect Hunt Ideas → CTI & Detection Contribution → Hunt Team Grooming → Set Sprint Themes → Sprint Topic Selection

  15. Takeaways
    • Strategy
    • Preparation & Documentation
    • Full-Time Threat Hunters

  16. Evolving the Hunt
    David J. Bianco, Hunt Strategist, @DavidJBianco
    Cat Self, Lead Threat Hunter, @coolestcatiknow