Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Evolving the Hunt: A Case Study in Improving a ...

David J. Bianco
September 30, 2019
Technology
0
970

Evolving the Hunt: A Case Study in Improving a Mature Hunt Program

[As presented at the SANS Threat Hunting & Incident Response Summit 2019]

As a major U.S. retailer with a strong cybersecurity focus, Target has long had a functional, mature threat hunting program. When David Bianco took over responsibility for the hunting program in early 2019, leadership’s key question was “How can we do even better?” But what does “better” mean for a hunting program, and how do you get from where you are now to where you want to be? In this presentation, we’ll talk about coming into an existing threat hunting program, prioritizing areas for improvement, and then implementing those improvements to make a great hunting program even better. Attendees will learn the key functions of a threat hunting program and how to evaluate the current hunting program maturity level, set an appropriate maturity improvement goal, identify and prioritize possible program changes to support the desired improvements, and understand how and why these efforts work (or don’t work!).

David J. Bianco

September 30, 2019
Tweet

More Decks by David J. Bianco

See All by David J. Bianco
Generative AI in Cybersecurity: Rise of the Machines?
davidjbianco
0
39
Trust Unearned? Evaluating CA Trustworthiness Across 5 Billion Certificates
davidjbianco
0
190
Five Lies & a Truth: Attacking the Defender's Dilemma
davidjbianco
0
63
Five Lies and a Truth: Attacking the Defender's Dilemma
davidjbianco
0
290
Developers: What Your Security Team Wishes You Knew (And It's Not Secure Coding!)
davidjbianco
0
130
Raising the Tide: Driving Improvement in Security by Being a Good Human
davidjbianco
0
41
Quality Over Quantity: Determining Your CTI Detection Efficacy
davidjbianco
1
390
Quality over Quantity: Determining Your CTI Detection Efficacy
davidjbianco
0
270
Introduction to Data Analysis with Security Onion (and Other Open Source Tools)
davidjbianco
0
1.2k

Other Decks in Technology

See All in Technology
Python(PYNQ)がテーマのAMD主催のFPGAコンテストに参加してきた
iotengineer22
0
470
Incident Response Practices: Waroom's Features and Future Challenges
rrreeeyyy
0
160
Amplify Gen2 Deep Dive / バックエンドの型をいかにしてフロントエンドへ伝えるか #TSKaigi #TSKaigiKansai #AWSAmplifyJP
tacck
PRO
0
370
RubyのWebアプリケーションを50倍速くする方法 / How to Make a Ruby Web Application 50 Times Faster
hogelog
3
940
AIチャットボット開発への生成AI活用
ryomrt
0
170
OCI Security サービス 概要
oracle4engineer
PRO
0
6.5k
サイバーセキュリティと認知バイアス:対策の隙を埋める心理学的アプローチ
shumei_ito
0
380
100 名超が参加した日経グループ横断の競技型 AWS 学習イベント「Nikkei Group AWS GameDay」の紹介/mediajaws202411
nikkei_engineer_recruiting
1
170
B2B SaaS × AI機能開発 〜テナント分離のパターン解説〜 / B2B SaaS x AI function development - Explanation of tenant separation pattern
oztick139
2
220
【令和最新版】AWS Direct Connectと愉快なGWたちのおさらい
minorun365
PRO
5
750
ノーコードデータ分析ツールで体験する時系列データ分析超入門
negi111111
0
410
OCI Network Firewall 概要
oracle4engineer
PRO
0
4.1k

Featured

See All Featured
Java REST API Framework Comparison - PWX 2021
mraible
PRO
28
8.2k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k
Designing Experiences People Love
moore
138
23k
Large-scale JavaScript Application Architecture
addyosmani
510
110k
Code Review Best Practice
trishagee
64
17k
The Pragmatic Product Professional
lauravandoore
31
6.3k
For a Future-Friendly Web
brad_frost
175
9.4k
Reflections from 52 weeks, 52 projects
jeffersonlam
346
20k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
27
840
KATA
mclloyd
29
14k
Practical Orchestrator
shlominoach
186
10k
How to train your dragon (web standard)
notwaldorf
88
5.7k

Transcript

  1. Evolving the Hunt David J. Bianco Hunt Strategist @DavidJBianco Cat

    Self Lead Threat Hunter @CoolestCatiKnow

  2. About Us Enterprise detection & response specialist Threat Hunting researcher

    Threat Hunter Former Red Team Engineer Well-rounded Nerd (slightly biased)

  3. It All Started When… I’d like you to take our

    Threat Hunting program to the next level.

  4. And Then the Meetings Started! Strategic Leadership Team Leaders Tactical

    Operations Round Tables

  5. Our “Next Level” Opportunities Operational Consistency Hunt Topic Strategy Program

    Focus

  6. The Hunting Focus Had Drifted Identifying Incidents & Gaps Skills

    Development & Transfer

  7. So We Refocused on Automation Source: http://bit.ly/HuntingMaturityModel Graphic: Sqrrl

  8. 10lbs of Hunting in a 5 Day Bag Day 1

    • Data Collection • Participant Prep • Format Data Day 2-4 • Format Data • Hunt • Submit findings Day 5 • Findings Follow up
  9. None

  10. So We Got Help With the Bags Hunt Team Members

    Hunter 1 Hunter 2 Hunter 3 Week Hunt Week Hunt Week Hunt Week Hunt

  11. Scheduling Wasn’t Working

  12. We Start by Prioritizing Topics We look at each topic

    through three lenses: • Usage by tracked threat actors • Risk by Impact & Likelihood • Strength of Existing Detection

  13. Then We Handcraft Our Brew Sprint Special Requests Priority Score

    Sprint Theme

  14. In the End, it Looks Like... Collect Hunt Ideas CTI

    & Detection Contribution Hunt Team Grooming Set Sprint Themes Sprint Topic Selection

  15. Takeaways Strategy Preparation & Documentation Full-Time Threat Hunters

  16. Evolving the Hunt David J. Bianco Hunt Strategist @DavidJBianco Cat

    Self Lead Threat Hunter @coolestcatiknow