The concept of threat hunter is increasingly gaining strength within operational security teams. But the great concern of many security managers is: how should I change my structure to have this new team in my operation? To answer this question, I think it is important to understand the role of the Threat Hunter.
Cybersecurity teams have evolved on different fronts, management, technology and operation. Management people have the role of developing the capabilities for the organization to make good decisions regarding cybersecurity, being a subjective issue, the use of risk methodology helps to fulfill this achievement. The technology team is oriented to implement controls and ensure that the controls meet their objective and are effective in their life cycle. Finally we find the operation, who are structured in reactive and preventive fronts to ensure that the organization is antifragile to security incidents.
We have several challenges during the operation:
- Having visibility of any vector on our attack surface.
- Detect in a timely manner any cybersecurity incident that may affect the organization.
- Effectively respond to cybersecurity incidents.
Faced with these challenges, technology supports the operations team in solving them. BigData, Machine Learning and Orchestration and Automation have supported our day-to-day.
But threats also evolve and even having all kinds of tools and capabilities in the security operations centers we have the following risks:
- Do I have all the information sources needed to detect a threat?
- Are my detection models and correlation rules effective over time?
- Does the inclusion of infrastructure or solution changes impact my detection capabilities?
- How effective is my process for ensuring that my detection capabilities are effective in the face of new attack vectors?
These issues lead us to develop new capabilities in our operations teams that help us address these risks in my operation. If you would like us to help you address these risks, please contact us.
You can also see more related information in this link.
Now let's see what tasks the threat hunter has.
- Conduct research against new threats, vulnerabilities and intelligence on various attacker groups and attack infrastructure.
- Proactively perform detection and analysis on existing data sets.
- Make use of BigData tools to identify threats, root causes, scope and severity. To deliver a final analytics product in a report or digest.
- Work with the team to develop skills and expand detection and response capabilities.
- Becoming an interface to support teams in implementing controls and best practices for the improvement of the organization's security posture.
To summarize and manage to answer the question of security managers, the objective of the Threat Hunter is to build knowledge that helps us to make our detection and response processes more effective covering the risks that we presented in the security operation, therefore it should be included as continuous improvement capabilities making use of technological tools such as TIP (Threat Intelligence Platform), Deception, EDR and NDR in order to adjust and support the maturity of our security analytics solutions SIEM and UEBA; and orchestration and automation SOAR.
Want to learn more about the Threat Hunter's role and how it benefits your organization?