How to Create a Threat Hunting Program for Your Business
By Zac Amos, Features Editor, ReHack
When it comes to online security, danger lurks around every corner. A threat hunter’s job is to proactively seek out potential problems and stop them before they have a chance to harm a company’s network. Here’s how businesses can create their own threat hunting programs and why it’s important to do so.
Why Is Threat Hunting Necessary?
Cybercrime is growing exponentially. In 2023, Americans lost $10.3 billion to online schemes — a staggering 49% increase in losses compared to the previous year. Enterprises must stay vigilant to protect themselves and their assets against bad actors. As well as establishing vital cybersecurity measures like implementing two-factor authentication, securing mobile devices and changing passwords regularly, companies should utilize threat hunting to fend off attacks.
A threat hunting program enables faster incident response times. It’s also much easier and cheaper to go threat hunting than to clean up after a security breach. Here’s how to create one for a business.
- Establish a Baseline
Before they can establish a threat hunting program, business owners must gain a solid understanding of what’s typical within their work environment. For example, they should understand the usual employee behavior, activities and network operations that take place within the company. Establishing a baseline for what is and isn’t normal is the first step toward identifying outliers.
- Identify Important Assets
What does the enterprise offer to hackers? What are its most valuable assets a threat actor would want to target? These will differ from one company to another, but they often include aspects like money or client data. Identifying them helps establish why a threat hunting program is necessary and what it should focus on.
- Define Success
The next important step is to define exactly what the program should achieve. What key performance indicators (KPIs) can the business use to measure its success?
An example of a KPI is the number of vulnerabilities — specifically those that could’ve installed malware on the network — the team remediates within a specific timeframe. KPIs should tie directly to the main goal of finding and blocking threats, and should help set the cybersecurity team up for success.
- Select a Threat Hunting Strategy
Not every threat hunting program looks the same. A few common strategies include:
- Using the MITRE framework to decide where to start
- Building a minefield under the assumption that a threat actor is already within a network
- Blocking access entirely by building a wall, ensuring anything related to execution and initial access is blocked
Different strategies address unique needs, so it’s crucial to find the right one for each business.
- Decide Whether to Automate
Although automation isn’t required for threat hunting, many companies — especially those with established, advanced cybersecurity programs — automate part of the process to reduce errors and boost productivity. For businesses that pursue the automation route, it’s crucial to have the right staff to develop and maintain the software. It’s also vital to closely monitor the automation process so it remains relevant.
- Create a Formal Security Operations Center (SOC)
Another important step in building a threat hunting program is establishing an SOC. This process involves:
- Creating a centralized logging system that collects data such as host endpoint alerts, event logs, Active Directory (AD) logs and logs from routers and switches
- Setting up an automated detection system — such as an IDS or SIEM — if desired
- Acquiring external signature and intel feeds to complement the automated detection system
- Hiring an incident response team to resolve alerts and investigate incidents
- Create Testable Hypotheses
The main feature distinguishing threat hunting from reactive cybersecurity is that it is proactive rather than alert-driven. Threat hunters look for problems long before the alarm even sounds. To do this, they build hypotheses and then set about testing them.
For example, a hypothesis could state that if hackers executed a certain type of malware on the company network, very specific evidence would exist to prove the malware is on the system. Essentially, if the malware exists, it will leave a detectable signature.
Threat hunters then use that hypothesis to run iterative hunting campaigns in their search for malware, looking for the specific evidence the hypothesis predicts in order to detect it.
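As an added example (not from the article), the Python below ties the baseline step to a testable hypothesis: it learns which parent-to-child process pairs are normal from a constructed "known good" log, then checks a later log against the hypothesis that if a malicious document macro had run, an Office application would have spawned a command interpreter. Events that deviate from the baseline but do not match the hypothesis are kept separately for lower-priority review. Host names, log lines and process lists are constructed for illustration.

```python
"""Hypothesis-driven hunt over constructed endpoint process logs (added example)."""
# Constructed sample: process-creation events from a quiet period, one per line,
# formatted host|parent_image|child_image. This stands in for the baseline data.
BASELINE_LOG = """\
ws01|explorer.exe|outlook.exe
ws01|explorer.exe|chrome.exe
ws01|outlook.exe|winword.exe
ws02|services.exe|svchost.exe
ws02|outlook.exe|excel.exe
"""

# Constructed sample: a later window that the hunting campaign runs over.
HUNT_LOG = """\
ws01|winword.exe|powershell.exe
ws02|services.exe|svchost.exe
ws02|excel.exe|cmd.exe
ws02|explorer.exe|outlook.exe
ws01|explorer.exe|notepad.exe
"""

def parse(log):
    """Turn raw lines into (host, parent, child) tuples; image names are case-folded."""
    events = []
    for line in log.splitlines():
        host, parent, child = line.strip().split("|")
        events.append((host, parent.lower(), child.lower()))
    return events

def build_baseline(events):
    """Step 1 of the program: the set of parent->child pairs seen during normal operations."""
    return {(p, c) for _, p, c in events}

# Hypothesis: a macro-laden document executing code shows up as an Office process
# spawning an interpreter, a pair that never appears in the baseline. (Constructed lists.)
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

def hunt(events, baseline):
    """Split events into hypothesis hits and other baseline deviations to triage later."""
    hits, other_outliers = [], []
    for host, parent, child in events:
        if (parent, child) in baseline:
            continue  # consistent with normal operations, nothing to chase
        if parent in OFFICE and child in INTERPRETERS:
            hits.append((host, parent, child))
        else:
            other_outliers.append((host, parent, child))
    return hits, other_outliers

if __name__ == "__main__":
    print(hunt(parse(HUNT_LOG), build_baseline(parse(BASELINE_LOG))))
```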
- Think Like a Hacker
Lastly, creating a threat hunting program means thinking in a proactive rather than reactive manner. It entails always looking for vulnerabilities in the enterprise’s network and wondering how best to exploit them.
To sharpen their proactive thinking, threat hunters can use purple teaming for testing. In this approach, the offensive and defensive security teams simulate attacks against the organization’s network together, then jointly work out how to detect and stop them.
Staying Prepared
As cybercrime becomes more prevalent, anticipating it is more important than ever. A good threat hunting program fends off attacks before they even start to protect an organization’s time, money and data. It’s a valuable tool in a company’s arsenal against threat actors — and it will only become more important as time goes on. Hackers may be savvy, but threat hunters are always one step ahead.
About the Author
Zac Amos is the Features Editor at ReHack, where he covers cybersecurity and the tech industry. For more of his content, follow him on Twitter or LinkedIn.