
Things that Make You go HMM: Using a Simple Hunting Maturity Model to Establish and Improve Your Threat Hunting Program

A CISO that's heard that her organization needs to "get a hunt team" may legitimately be convinced that an active detection strategy is the right move, and yet still be confused about how to describe what the team's capability should actually be.
Organizations who are already doing some sort of hunting may be able to describe their current capabilities yet wonder “Where do we go from here?”

This talk first presents a simple Hunting Maturity Model (HMM), discussing the key characteristics and capabilities at each maturity level. Next, we use this model to show an appropriate maturity goal for a brand new capability, and then examine step-by-step what it takes to transition to each of the next levels. We’ll clear up the initial confusion about getting started and offer a roadmap for improvement. At the end of this presentation, attendees will understand what hunting is, what a good hunting capability looks like, and how to move from where they are to where they want to be.

David J. Bianco

June 13, 2017
Transcript

  2. https://www.sans.org/reading-room/whitepapers/analyst/hunter-strikes-back-2017-threat-hunting-survey-37760

  3. The collective name for any manual or machine-assisted techniques designed to identify security incidents [that automated solutions missed].
    KEY TAKEAWAY:
    COROLLARY:

  4. HMM0 Initial
    • Relies primarily on automated alerting
    • Little or no routine data collection
    HMM1 Minimal
    • Incorporates threat intelligence indicator searches
    • Moderate or high level of routine data collection
    HMM2 Procedural
    • Follows data analysis procedures created by others
    • High or very high level of routine data collection
    HMM3 Innovative
    • Creates new data analysis procedures
    • High or very high level of routine data collection
    HMM4 Leading
    • Automates the majority of successful data analysis procedures
    • High or very high level of routine data collection
    http://detect-respond.blogspot.com/2015/10/a-simple-hunting-maturity-model.html

  5. [Chart: Factor Maturity by HMM Level. Two factors plotted across HMM0 to HMM4: Data, Analyst Skill]
    • DATA
    • SKILLSET
    HMM = min(HMM_data, HMM_skills)

  6. HMM0 Initial
    • Relies primarily on automated alerting
    • Little or no routine data collection
    HMM0 orgs focus on alerts.
    They may incorporate IDS/SIEM rule feeds or vendor detection updates, but are primarily reactive.
    They often collect very little additional data beyond what is required to drive the alerting.
    Analyst access to the data may or may not be easy & quick.
    Detection is totally automated, and priorities are often driven by outside forces (vendors or ruleset providers).

  7. HMM1 Minimal
    • Incorporates threat intelligence indicator searches
    • Moderate or high level of routine data collection
    HMM1 orgs focus on searching for IOCs.
    Automated indicator matching (technically HMM0), plus manual searches for indicators from vendor reports or other sources.
    May collect a significant amount of data, since you never know where those IOCs will show up.
    Usually offers a quick, convenient search platform.
    Most common HMM level right now.
    Technically proactive, therefore the first level where true hunting occurs.

  8. http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
    [Pyramid of Pain figure, annotated by HMM level: HMM0 automated indicator matching; HMM1 IOC search; HMM2+]

  9. HMM2 Procedural
    • Follows data analysis procedures created by others
    • High or very high level of routine data collection
    HMM2 orgs collect hunting procedures from external sources.
    Enterprise visibility is a priority, so they collect lots of data for hunting.
    Often has an organizational hunting strategy, backed up by hunts collected from peers, conference presentations, blogs or other sources (ThreatHunting.net).
    Hunters adapt recipes to their environment and interpret results.
    The most appropriate first goal for many orgs.

  10. HMM3 Innovative
    • Creates new data analysis procedures
    • High or very high level of routine data collection
    HMM3 orgs create their own hunts.
    Very high level of data collection, giving hunters a wide variety of choice in what to hunt and where they can pivot.
    May begin to incorporate data science, machine learning or other advanced analysis disciplines.
    Often the source of published hunts used by HMM2 orgs.
    I’d like to see these orgs publish more!

  11. HMM4 Leading
    • Automates the majority of successful data analysis procedures
    • High or very high level of routine data collection
    HMM4 orgs automate successes.
    Most hunting orgs operate at a scale that makes manual processes impractical for detection.
    Automation is critical for defensible networks.
    Suitable automation (or semi-automation) may include:
    • Signatures (!!)
    • Analytics which create alerts
    • Dashboards & reports
    • Risk/reputation scoring
    Hunting is the engine which drives improvements to the automated processes.
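Slides 9 and 11 describe HMM2 orgs running hunt recipes written by others and HMM4 orgs automating the ones that succeed. The following added example (mine, not code from the talk or its author) walks one such recipe, stack-counting HTTP proxy User-Agent strings by source host, from analyst review through to an automated alerting analytic; the log format, hosts, agents and the stack-counting recipe itself are assumptions for illustration, not something the slides specify.

```python
"""Added example, not from the talk: an HMM2-style hunt recipe (stack-counting
HTTP proxy User-Agent strings by distinct source host) and the HMM4 step of
promoting the reviewed hunt result into an analytic that creates alerts.
The log format and every value below are constructed for this example."""
from collections import defaultdict

# Constructed proxy log: tab-separated timestamp, source host, user agent, URL.
SAMPLE_PROXY_LOG = "\n".join([
    "2017-06-13T09:00:01\t10.1.1.5\tMozilla/5.0 (Windows NT 10.0)\thttp://intranet.example/",
    "2017-06-13T09:00:04\t10.1.1.6\tMozilla/5.0 (Windows NT 10.0)\thttp://news.example/",
    "2017-06-13T09:00:09\t10.1.1.7\tMozilla/5.0 (Windows NT 10.0)\thttp://mail.example/",
    "2017-06-13T09:01:12\t10.1.1.5\tMicrosoft-CryptoAPI/10.0\thttp://crl.example/ca.crl",
    "2017-06-13T09:01:40\t10.1.1.6\tMicrosoft-CryptoAPI/10.0\thttp://crl.example/ca.crl",
    "2017-06-13T09:02:30\t10.1.1.8\tMozilla/5.0 (Windows NT 10.0)\thttp://intranet.example/",
    "2017-06-13T09:03:45\t10.1.1.9\tpython-requests/2.18.1\thttp://203.0.113.7/update.php",
])

def parse_proxy_log(text):
    """Yield (timestamp, src, user_agent, url) tuples, skipping malformed lines."""
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) == 4:
            yield tuple(fields)

def stack_user_agents(text):
    """HMM2 hunt recipe: map each User-Agent to the sorted source hosts using it."""
    hosts_by_agent = defaultdict(set)
    for _ts, src, agent, _url in parse_proxy_log(text):
        hosts_by_agent[agent].add(src)
    return {agent: sorted(hosts) for agent, hosts in hosts_by_agent.items()}

def rare_user_agents(text, max_hosts=1):
    """Hunt output for analyst review: agents seen on few hosts, rarest first."""
    stacked = stack_user_agents(text)
    rare = [(a, h) for a, h in stacked.items() if len(h) <= max_hosts]
    return sorted(rare, key=lambda item: (len(item[1]), item[0]))

def make_rare_agent_analytic(baseline_text, reviewed_bad=()):
    """HMM4 step: freeze the reviewed hunt into an analytic. Agents the hunter
    judged malicious are dropped from the baseline; any agent outside the
    baseline (previously flagged or never seen before) raises an alert."""
    expected = set(stack_user_agents(baseline_text)) - set(reviewed_bad)
    def analytic(line):
        for _ts, src, agent, url in parse_proxy_log(line):
            if agent not in expected:
                return {"rule": "new-user-agent", "src": src, "agent": agent, "url": url}
        return None
    return analytic
```

The hunt surfaces the single-host `python-requests` agent for review; once the hunter has judged it, the analytic fires on that agent and on anything never seen in the baseline, which is the "analytics which create alerts" form of automation from slide 11.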

  12. There’s no single starting point that works for everyone.
    The HMM is your map.
    Figure out where you already are, then make a plan to get to the next level.
    There’s no rush! Feel free to get off the bus for a while and hop back on later.
    Each level is a victory. Celebrate your successes along the way!

  13. Current State (HMM1)
    Consumes both feeds and relevant intel reports for detection and response.
    Good perimeter visibility:
    • Netflow or equivalent
    • HTTP proxy logs
    • DMZ/exposed server process creation logs
    Easy access to collected data via ELK.
    Level Up (HMM2)
    Set hunting/detection priorities. Find relevant hunts via ThreatHunting.net or other sources.
    Expand visibility to support priorities:
    • More endpoint monitoring on infrastructure and key assets
    • Deploy internal NSM sensors
    Establish hunting function with regular rhythm.

  14. Current State (HMM2)
    Regular hunting with established playbooks.
    Extensive internal and perimeter visibility, both network and endpoint.
    Starting to come up with custom detection requirements.
    Level Up (HMM3)
    Modify/extend existing hunts to cover additional detection requirements.
    Mix & match familiar analysis techniques to create new hunts.
    Train hunters for analysis and/or partner with data scientists.

  15. @DAVIDJBIANCO
    THREATHUNTING.NET
    DETECT-RESPOND.BLOGSPOT.COM
