Evolving the Hunt: A Case Study in Improving a Mature Hunt Program

[As presented at the SANS Threat Hunting & Incident Response Summit 2019]

As a major U.S. retailer with a strong cybersecurity focus, Target has long had a functional, mature threat hunting program. When David Bianco took over responsibility for the hunting program in early 2019, leadership’s key question was “How can we do even better?” But what does “better” mean for a hunting program, and how do you get from where you are now to where you want to be? In this presentation, we’ll talk about coming into an existing threat hunting program, prioritizing areas for improvement, and then implementing those improvements to make a great hunting program even better. Attendees will learn the key functions of a threat hunting program and how to evaluate the current hunting program maturity level, set an appropriate maturity improvement goal, identify and prioritize possible program changes to support the desired improvements, and understand how and why these efforts work (or don’t work!).

David J. Bianco

September 30, 2019
Transcript

  1. Evolving the Hunt. David J. Bianco, Hunt Strategist, @DavidJBianco. Cat Self, Lead Threat Hunter, @CoolestCatiKnow
  2. About Us: Enterprise detection & response specialist; Threat Hunting researcher; Threat Hunter; Former Red Team Engineer; Well-rounded Nerd (slightly biased)
  3. It All Started When… “I’d like you to take our Threat Hunting program to the next level.”
  4. And Then the Meetings Started! Strategic: Leadership, Team Leaders. Tactical: Operations Round Tables
  5. Our “Next Level” Opportunities: Operational Consistency; Hunt Topic Strategy; Program Focus
  6. The Hunting Focus Had Drifted: Identifying Incidents & Gaps; Skills Development & Transfer
  7. So We Refocused on Automation. Source: http://bit.ly/HuntingMaturityModel. Graphic: Sqrrl
  8. 10lbs of Hunting in a 5 Day Bag. Day 1: Data Collection; Participant Prep; Format Data. Day 2-4: Format Data; Hunt; Submit findings. Day 5: Findings Follow up
  10. So We Got Help With the Bags. Hunt Team Members: Hunter 1, Hunter 2, Hunter 3, rotating through each Hunt Week
  11. Scheduling Wasn’t Working
  12. We Start by Prioritizing Topics. We look at each topic through three lenses: Usage by tracked threat actors; Risk by Impact & Likelihood; Strength of Existing Detection
  13. Then We Handcraft Our Brew: Sprint Special Requests; Priority Score; Sprint Theme
  14. In the End, it Looks Like... Collect Hunt Ideas (CTI & Detection Contribution); Hunt Team Grooming; Set Sprint Themes; Sprint Topic Selection
  15. Takeaways: Strategy; Preparation & Documentation; Full-Time Threat Hunters
  16. Evolving the Hunt. David J. Bianco, Hunt Strategist, @DavidJBianco. Cat Self, Lead Threat Hunter, @coolestcatiknow
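The topic-prioritization and sprint-selection flow on slides 12 through 14 (three lenses, a priority score, special requests, and a sprint theme) can be made concrete with a small scoring model. The following is an added example, not code from the talk or from Target's hunt program: the 0-3 actor-usage count, the 1-5 impact and likelihood scales, the 0-3 detection-strength scale, the lens weights, and the backlog entries are all assumptions chosen for illustration.

```python
"""Hunt-topic prioritization and sprint selection.

Added example; not from the presentation. Scales and weights below are
assumptions: a real program would calibrate them against its own CTI
and detection-engineering data.
"""
from dataclasses import dataclass


@dataclass
class HuntTopic:
    name: str
    actor_usage: int         # number of tracked threat actors using the technique (capped at 3)
    impact: int              # 1 (low) .. 5 (severe)
    likelihood: int          # 1 (rare) .. 5 (expected)
    detection_strength: int  # 0 (no coverage) .. 3 (strong, tested detection)
    theme: str               # tactic-style label used for sprint themes
    special_request: bool = False  # e.g. a CTI or detection-team request for this sprint


# Assumed lens weights; they sum to 1 so scores land on a 0..100 scale.
W_ACTOR, W_RISK, W_GAP = 0.35, 0.35, 0.30


def priority_score(t: HuntTopic) -> float:
    """Combine the three lenses into one 0..100 score.

    Usage by tracked actors and risk (impact x likelihood) raise the score;
    strong existing detection lowers it, because the hunt would mostly
    re-confirm what alerting already covers.
    """
    actor_lens = min(t.actor_usage, 3) / 3          # 0..1
    risk_lens = (t.impact * t.likelihood) / 25      # 0..1
    gap_lens = (3 - t.detection_strength) / 3       # 0..1, higher = weaker detection
    return round(100 * (W_ACTOR * actor_lens + W_RISK * risk_lens + W_GAP * gap_lens), 1)


def select_sprint(topics: list[HuntTopic], theme: str, capacity: int) -> list[str]:
    """Fill a sprint: special requests first, then on-theme topics by score,
    then the best remaining topics by score until capacity is reached."""
    ranked = sorted(topics, key=priority_score, reverse=True)
    chosen: list[HuntTopic] = []

    def take(keep) -> None:
        for t in ranked:
            if len(chosen) >= capacity:
                return
            if t not in chosen and keep(t):
                chosen.append(t)

    take(lambda t: t.special_request)
    take(lambda t: t.theme == theme)
    take(lambda t: True)
    return [t.name for t in chosen]


def sample_backlog() -> list[HuntTopic]:
    """Constructed backlog for the example; values are illustrative, not real assessments."""
    return [
        HuntTopic("Credential dumping via LSASS access", 3, 5, 4, 1, "credential-access"),
        HuntTopic("Scheduled task persistence", 2, 3, 4, 3, "persistence"),
        HuntTopic("Kerberoasting", 1, 4, 3, 0, "credential-access"),
        HuntTopic("DNS tunneling exfiltration", 0, 4, 2, 2, "exfiltration", special_request=True),
        HuntTopic("Web shell on external servers", 2, 5, 3, 1, "initial-access"),
    ]


if __name__ == "__main__":
    backlog = sample_backlog()
    for t in sorted(backlog, key=priority_score, reverse=True):
        print(f"{priority_score(t):5.1f}  {t.name}")
    print("Sprint (theme=credential-access, capacity=3):",
          select_sprint(backlog, theme="credential-access", capacity=3))
```

Note that the special request lands in the sprint despite having the lowest score, and the off-theme but high-scoring web-shell topic only enters when capacity allows. That ordering is the design choice worth debating in hunt-team grooming: a score ranks the backlog, but the sprint theme and explicit requests decide what the score is allowed to override.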