In this video definition, David Bianco, a technology advisor at Sqrrl Data Inc., explains the key objectives of threat hunting, its position in the organization and the key ingredients for a successful threat hunting program. Bianco's experience in this emerging cybersecurity field includes helping to create General Electric's intel-driven detection and response program.
(This transcript has been edited for clarity and brevity.)
David Bianco: The purpose of threat hunting in an organization is twofold: First, you find security incidents that our automated systems didn't already find so that you can do something about them -- find out what that attacker has been doing, eject them [and] put things right. But to me, the more important role of threat hunting in an organization follows from that. If you think that the role is to find things that the automated systems did not already detect, then it follows that what you find you can then turn around and use to improve your automated detection. And to me that is the most important role of threat hunting in the organization.
In a big company, things happen and there's no way to keep up with them manually. Automation is certainly critical, but of course automation has gaps. The threat actors are not necessarily bound by automation. They are very robust actors who are creative and usually often well-resourced and the threat actors can be challenging to detect with automated systems. We need those automated systems, however, but these automated systems have to adapt and get better over time. And the way that they adapt is by using the threat hunting to figure out new ways of finding the bad things on your network that you care about and automating those ways.
Exactly where the threat hunting function is deployed in your company really varies from organization to organization. In some, it's part of the general security team. Many companies have a SOC [security operations center] or a fusion center or something similar to that. If that is the case, usually I recommend putting the threat hunting function into that SOC/fusion center organization. That allows them to have really close ties and convenient access to the things that they need. So a lot of times, the security-relevant data that's coming into the organization, the same pool of data that your automated systems are using a lot of times, is the core of what the threat hunters need access to. It allows them to do their jobs better.
It also helps when the threat hunters have been successful and they have a close tie with the incident response team. They've found something [and] now they can easily turn it over to and collaborate with the incident response team in order to do something about it. And finally, when they do have successful hunts, it allows them to work with the detection engineering function to turn their manual or semi-automated techniques into something that can be fully automated and deployed for the next time that activity occurs.
I think it's important to keep in mind that threat hunting basically comes down to three things: It comes down to the data that the hunters have access to; the tooling that they have in order to collect that data from all the places that generated it around the network, bringing it into one place where they can search it and possibly do some data analysis with it; and then those techniques that the hunters have at their disposal to actually perform that data analysis. So data, tools and techniques, combined together, make the foundation for a successful threat hunting program.