Introduction to the Series
In this four part series we’ll be looking at Team Cymru’s Threat Hunting Maturity Model. Its purpose is to define each step of the journey that organizations take to hire, empower and gain value from an elite threat hunting team.
This series is aimed at those who may not be deeply familiar with threat intelligence lifecycles and how and where threat hunting specifically fits. For some, many years of dedication has created some highly talented skills to map, trace, and track threat actors beyond the network perimeter, but for many, the path is unknown or unclear as to where threat hunting adds value within a cyber security strategy.
To go from reactive threat hunting, to proactive threat hunting and ultimately external threat hunting is a journey.
Cyber threat intelligence, being described by Forrester in their report here as ‘immature’, does at first seem at odds with the perception of those practitioners who have experience using, integrating, and relying on this vital feed of information.
However, when the organizational challenges and product limitations are laid out, it becomes clear there is much for cyber threat intelligence providers still to achieve in order to bring more value to practitioners, and enable senior stakeholders to understand what those values are.
The inability to mature stems from poor tooling and a high volume of alerts restricting a potentially elite team from playing a more strategic role in the organization. This impacts their ability to create optimal workflows, increases operational costs, and makes it difficult for senior stakeholders to see value.
Let’s look at the threat intelligence lifecycle, widely recognized as five distinct stages, each has obstacles and challenges. If we look through the lens of a budget owner and senior stakeholder, it’s not straightforward. Each of these need working through in the first phase of the Threat Hunting Maturity Model.
Cyber Threat Intelligence Lifecycle
Planning & Direction
For a market defined as immature, it is ironic that choice is a challenge when deciding on a commercial provider for threat intelligence. Our own Financial Study revealed our customer was using 15 simultaneously. One of the most common frustrations our customers have with threat intelligence providers is the decay in relevance and usefulness of the data itself. The other key consideration is how well (or not) the data has been curated, and to what extent. If you need industry-specific knowledge for threats unique to your sector, there’s likely to be a source, but you may need several to gain a more complete picture.
Gaps will occur across multiple feeds, which is not surprising when cyber threat intelligence is a collection of human intelligence, imagery, electronic sources, intercepted signals, or publicly available sources (OSINT). What sets each apart will be levels of visibility for its specific use case, and how well it empowers the team and ultimately integrates into various processing platforms and data tools.
At this stage data is processed into a comprehensible form. The data forms can require translating spoken languages into something native, processing various data types and formats, and decrypting where and when necessary. Again, the phrase ‘immature’ seems at odds with whole industries powering this stage alone. Security Information And Event Management (SIEM) solutions are effective at processing data, but only for specific formats that they support, and the ROI has eroded. This has led to disillusionment among senior stakeholders as highlighted in this article The industry is now evaluating machine learning and natural language Processing as a way to scale threat intelligence processing.
Analysis and Production
Threat analysts at this stage in the cyber intelligence lifecycle now start their human intensive processes. This is a highly skilled art, and at this point, machines typically perform badly at these tasks. Outcomes include reports that must be easily consumed by senior management, stakeholders and executives.
This is also where the various methods of threat hunting take place. Data has been collected from its various sources, and now it needs investigating, validating, and assessing for levels of threat and risk to the organization. We’ll cover the different methods in Part 2 across Reactive, Proactive, and External Threat Hunting.
The finished product of this process must get to the right hands to be effective, so the intelligence cycle must loop back upon itself. These reports and assessments are delivered to clients as curated reports if that is the business model, or directly to leadership who commissioned the cycle in the first place.
Is this where it stops? What happens next?
Post Dissemination: Action, or no action?
Knowledge obtained from internal threat intelligence reports enable senior decision makers to take appropriate and proportionate levels of action, based on the information they now have. This is where analysts and threat hunters add value as they are able to contrast and compare external threat intelligence, balanced with their own findings, and produce insights that are specific and unique to their organization.
FEEDBACK: Response to Threat Intelligence
Leadership who receive threat intelligence reports will then provide feedback that creates a closed loop. Based on responses back to analysts and threat hunters, it will be clear what information and knowledge became useful and actionable. That will provide clarity as to how reliable, accurate and trusted the original data was at point of collection.
Ready to level up?
If you are ready to leverage threat intelligence in new ways, head to our webinar “Modernizing Security with Threat Reconnaissance” hosted by Team Cymru Fellow, Dave Monnier. You’ll gain a deeper understanding of how threat intelligence gathered externally can be exploited using your existing team.
In Part 2, we’ll start to dig into the different methods of threat hunting, reveal how the definitions have changed over time, and where they feature on the Team Cymru Threat Hunting Maturity Model.