Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Evolving the Hunt: A Case Study in Improving a Mature Hunt Program

David J. Bianco
September 30, 2019
Technology
0
940

Evolving the Hunt: A Case Study in Improving a Mature Hunt Program

[As presented at the SANS Threat Hunting & Incident Response Summit 2019]

As a major U.S. retailer with a strong cybersecurity focus, Target has long had a functional, mature threat hunting program. When David Bianco took over responsibility for the hunting program in early 2019, leadership’s key question was “How can we do even better?” But what does “better” mean for a hunting program, and how do you get from where you are now to where you want to be? In this presentation, we’ll talk about coming into an existing threat hunting program, prioritizing areas for improvement, and then implementing those improvements to make a great hunting program even better. Attendees will learn the key functions of a threat hunting program and how to evaluate the current hunting program maturity level, set an appropriate maturity improvement goal, identify and prioritize possible program changes to support the desired improvements, and understand how and why these efforts work (or don’t work!).

David J. Bianco

September 30, 2019
Tweet

More Decks by David J. Bianco

See All by David J. Bianco
Generative AI in Cybersecurity: Rise of the Machines?
davidjbianco
0
20
Trust Unearned? Evaluating CA Trustworthiness Across 5 Billion Certificates
davidjbianco
0
160
Five Lies & a Truth: Attacking the Defender's Dilemma
davidjbianco
0
37
Five Lies and a Truth: Attacking the Defender's Dilemma
davidjbianco
0
230
Developers: What Your Security Team Wishes You Knew (And It's Not Secure Coding!)
davidjbianco
0
120
Raising the Tide: Driving Improvement in Security by Being a Good Human
davidjbianco
0
38
Quality Over Quantity: Determining Your CTI Detection Efficacy
davidjbianco
1
370
Quality over Quantity: Determining Your CTI Detection Efficacy
davidjbianco
0
260
Introduction to Data Analysis with Security Onion (and Other Open Source Tools)
davidjbianco
0
1.2k

Other Decks in Technology

See All in Technology
ChatworkのSRE部って実は 半分くらいPlatform Engineering部かもしれない
saramune
0
160
ServiceNow Knowledge Learning Rise up
manarobot
0
210
GrafanaMeetup_AmazonManagedGrafanaのアクセス制御機能とマルチテナント環境下でのアクセス制御について
daitak
0
120
開発パフォーマンスを最大化するための開発体制
ham0215
2
340
EMとして2023年度に頑張ったこと / What we did well in FY2023 as a EM
pauli
1
170
競技としてのKaggle、役に立つKaggle
yu4u
3
430
AWSに詳しくない人でも始められるコスト最適化ガイド
yuhta28
1
210
20分で完全に理解するGrafanaダッシュボード
hamadakoji
3
490
検証を通して見えてきたTiDBの性能特性
lycorptech_jp
PRO
6
3.7k
サーバー間 GraphQL と webmock-graphql の話 / server-to-server graphql and webmock-graphql
qsona
2
180
リテール金融(キャッシュレス・ネット銀行・ネット証券)の競争環境と経済圏
8maki
0
890
Compose Compiler Metricsを使った実践的なコードレビュー
tomorrowkey
1
220

Featured

See All Featured
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
121
39k
In The Pink: A Labor of Love
frogandcode
138
21k
Atom: Resistance is Futile
akmur
259
25k
Automating Front-end Workflow
addyosmani
1356
200k
The Pragmatic Product Professional
lauravandoore
25
5.8k
What's in a price? How to price your products and services
michaelherold
237
11k
Building Flexible Design Systems
yeseniaperezcruz
319
37k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k
Web Components: a chance to create the future
zenorocha
305
41k
Gamification - CAS2011
davidbonilla
76
4.6k
A better future with KSS
kneath
231
16k
Designing Experiences People Love
moore
136
23k

Transcript

  1. Evolving the Hunt David J. Bianco Hunt Strategist @DavidJBianco Cat

    Self Lead Threat Hunter @CoolestCatiKnow

  2. About Us Enterprise detection & response specialist Threat Hunting researcher

    Threat Hunter Former Red Team Engineer Well-rounded Nerd (slightly biased)

  3. It All Started When… I’d like you to take our

    Threat Hunting program to the next level.

  4. And Then the Meetings Started! Strategic Leadership Team Leaders Tactical

    Operations Round Tables

  5. Our “Next Level” Opportunities Operational Consistency Hunt Topic Strategy Program

    Focus

  6. The Hunting Focus Had Drifted Identifying Incidents & Gaps Skills

    Development & Transfer

  7. So We Refocused on Automation Source: http://bit.ly/HuntingMaturityModel Graphic: Sqrrl

  8. 10lbs of Hunting in a 5 Day Bag Day 1

    • Data Collection • Participant Prep • Format Data Day 2-4 • Format Data • Hunt • Submit findings Day 5 • Findings Follow up
  9. None

  10. So We Got Help With the Bags Hunt Team Members

    Hunter 1 Hunter 2 Hunter 3 Week Hunt Week Hunt Week Hunt Week Hunt

  11. Scheduling Wasn’t Working

  12. We Start by Prioritizing Topics We look at each topic

    through three lenses: • Usage by tracked threat actors • Risk by Impact & Likelihood • Strength of Existing Detection

  13. Then We Handcraft Our Brew Sprint Special Requests Priority Score

    Sprint Theme

  14. In the End, it Looks Like... Collect Hunt Ideas CTI

    & Detection Contribution Hunt Team Grooming Set Sprint Themes Sprint Topic Selection

  15. Takeaways Strategy Preparation & Documentation Full-Time Threat Hunters

  16. Evolving the Hunt David J. Bianco Hunt Strategist @DavidJBianco Cat

    Self Lead Threat Hunter @coolestcatiknow