The Cybersecurity Threat Hunt Process (THP)–The Tactical Piece
What are the Steps to an effective “Hunt Process” at the grassroots level?
A “Hunt Mission Program” is centered around four areas specific to an modestly parallel to the Intelligence Community’s”Intelligence Lifecycle.” The Cybersecurity Threat Intelligence (CTI) and Hunt Team analysts will work cooperatively throughout the THP Methodology. Incident Response (IR) personnel may also play a role and will act as approval of any current or continued action against any known or suspected occurrence, event, or defined incident.
An effective Hunt Mission Program relies upon the following four areas:
- Designate
- Acquire
- Analyze
- Federalize
PureVPN
Get 74% OFF | 2-Year Plan for Just $2.88/mo!
The THP Methodology begins with defining the boundaries that need to be identified as part of hunt activities. Designate identifies all IT hardware, software, network assets, etc., that likely are directly affected by known or suspected malicious activities.
Without a clear understanding of boundaries, analytic resources may be inadvertently diverted or distracted by not defining the scope of the effort.
Acquire is identical to the collection phase of the Intelligence Lifecycle. In this phase CTI analysts conduct technical scans of the targeted IT environment to determine malicious activities. Varied scans are used to detect unauthorized port access, identify types of injected malware, use Indicators of Compromise (IOC) databases to determine potential threats, etc. Acquire gathers all relevant data and facts around an event or incident for the purposes of organizational action and IR alerts to senior and government officials as required by policy or law.
In the Analyze phase, Hunt team members, in close coordination with CTI personnel, determine the who, what, where, etc., factors in order to identify attribution of the attack and whether the attack rises to the level of a reportable event or incident.
ALSO SEE THE POST:
Analyze is a continual process that develops intelligence reports and offers predictive intelligence to the organization and third-party cooperative businesses or agency members. Analyze provides critical (immediate), short-term (within 24 hours), and long-term (typically monthly) analytical reports to members of both the technical and non-technical personnel of the organization; this phase is identical within the Intelligence Lifecycle.
Finally, Federalize identifies impacts to the IT environment, and supports resourcing identification and demands where senior leaders must play a decisive role. Federalize also ensures the quality review of reporting and ensures its timely dissemination throughout the organization. Senior leaders are accountable to ensuring critical intelligence identification and communications are timely to reduce especially malicious activities against the company or agency’s infrastructure.
This is a continuing process as suspected malicious activity is identified, confirmed by the hunt analysts, and remediated at the direction of the IR team. Hunt provides an active measure more typical to medium to large companies and federal and state agencies with the appropriate resources. It is an active and coordinated effort between the Incident Response (IR) and the CTI team. It is not OFFENSIVE.
It confirms whether an occurrence becomes an event; based upon additional and available intelligence, an event may or may not be raised to a defined incident.
Based on the book:
Ms. Columbus has worked in the Intelligence Community (IC) for over 20 years. She retired from the US Air Force in 2014 after working as a Senior Advisor providing authoritative advice on all aspects of Cyberspace operations, force structure and organizational concepts. She oversaw strategic support activities to enable the right mix of cyber capabilities for future operations.
