
Black Hat 25: Creating a more effective, open threat hunting framework

Courtesy: CFE Media and Technology

In early August, Black Hat celebrated 25 years of its annual event with a series of trainings, briefings and keynotes. Industrial Cybersecurity Pulse attended several of the briefings, including The Open Threat Hunting Framework: Enabling Organizations to Build, Operationalize and Scale Threat Hunting, by John Dwyer, head of research; Neil Wyler, global lead of active threat assessments; and Sameer Koranne, global OT lead, all with IBM Security X-Force.

Threat hunting history

Threat hunting is one of those interesting components of cybersecurity where everyone knows they should be doing it, but not everyone can fully articulate what threat hunting is. As the IBM team said during the talk, “Ask 10 infosec professionals to define threat hunting, and you’ll get 11 different answers.”

The IBM team regularly witnesses and evaluates the hunt programs of Fortune 100 companies, state and national governments, and partners and managed service providers. That experience has made it clear that one person's definition of threat hunting does not necessarily match another's.

If you do an Internet search for "how to build a threat hunting program," there are plenty of results, and some include great insights into what makes a threat hunting program effective. However, they said, the resources that do exist are often tied to a specific vendor or product. The information is useful, but you are left trying to make the proposed processes and techniques work for your environment rather than the one the vendor has in mind.

With that in mind, the IBM Security X-Force team used the quote, “If you don’t like the road you’re walking, start paving another one,” as the basis for creating a new threat hunting framework that can help organizations start a threat hunting program as well as improve threat hunting operations for existing programs. This new framework is free and not tied to any particular technology; it’s just about enabling more effective threat hunting.

Over the years, cybersecurity professionals have responded to far too many incidents that could have been prevented with solid threat hunting operations. According to the team, this framework will enable organizations to take control of building a threat hunting program by providing a clear path to operationalizing threat hunting as well as a well-defined threat hunting process to ensure they are set up for success.

Hunting high performers

The IBM group said it should be the environment that drives which tactics, techniques and procedures (TTPs) you hunt for. They asked the question: Is it more important to be right or to be effective? For effective threat hunting, you must let the goals of the program determine the definition. They said it's time to get "big feelings" about effectiveness, not about what is or isn't threat hunting.

To come up with their new system, they went on a two-year hunt for high performers, looking to find groups who had solid goals, who were achieving their goals and who were bringing value. What they discovered is that:

  • High performers established a long-term vision and a well-defined mission.
  • The leaders were passionate about ensuring that the program aligned with the mission.
  • They had clear and efficient processes that the hunters actually used.
  • There was solid execution.

They set out to establish a threat hunting paradigm with clear goals and vision so everyone knows what those are. “That is where the magic happens.”

Failed threat hunting

The IBM team also looked at organizations that failed to set up an effective threat hunting program, and at the resources those programs followed. They said, "You cannot look in a new direction by looking harder in the same direction." The failures shared some characteristics:

  • The first thing failed threat hunting resources do is define what threat hunting is, instead of starting from the program's goals.
  • Most resources are hyper-focused on the technical components of finding evil.
  • If the fundamental pieces aren't there, the tech can't save you. You must have the building blocks in place before you start executing.
  • They are often tied to a particular vendor, technology or consulting service.

According to the IBM team, it shouldn’t be pay-to-play in threat hunting. You can’t tie your organization to a vendor before you know what you’re hunting. Ultimately, if you lead with tech, you’ll fall behind in effectiveness.

The new framework

As a result of this research, the team started creating a new, open threat hunting framework that is vendor agnostic and community driven. They said we are in a data business and do data analysis all the time. We need to start with good data or the output will be poor. “Garbage in, garbage out.”

The process should begin by identifying what problem you're trying to solve and which threats apply to your environment, then narrowing that down to the TTPs those threats actually use. None of this will be effective unless you can measure success. The framework should also improve continuously, so the community can improve it together.
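The following is an added example of how that planning step can be made concrete in code; it is not part of the IBM X-Force framework or of the article. It assumes a constructed threat profile (threats judged applicable, with the ATT&CK technique IDs they use), a constructed map of the telemetry each hunt needs, and a constructed inventory of what is actually being collected. Techniques used by the most applicable threats are ranked first, but a hunt is held back whenever its telemetry is missing, which is the "garbage in, garbage out" check; a small outcome summary shows one way to measure the program rather than just run it.

```python
from collections import Counter
from typing import NamedTuple

# Constructed threat profile: threats judged applicable to this environment
# and the ATT&CK technique IDs each is known to use (illustrative choices).
THREAT_PROFILE = {
    "ransomware-affiliate-A": {"T1021.001", "T1053.005", "T1486"},
    "ransomware-affiliate-B": {"T1021.001", "T1047", "T1486"},
    "insider-misuse":         {"T1078", "T1021.001"},
}

# Constructed map: the telemetry a hunt for each technique needs.
TECHNIQUE_TELEMETRY = {
    "T1021.001": {"windows-security-4624", "windows-security-4778"},   # RDP
    "T1053.005": {"windows-security-4698", "sysmon-1"},                # scheduled task
    "T1486":     {"edr-file-events", "sysmon-1"},                      # data encrypted
    "T1047":     {"sysmon-1", "wmi-activity-operational"},             # WMI
    "T1078":     {"windows-security-4624", "idp-signin"},              # valid accounts
}

# Constructed inventory of what the SIEM / data lake ingests today.
COLLECTED = {"windows-security-4624", "windows-security-4698",
             "sysmon-1", "edr-file-events"}


class Hunt(NamedTuple):
    technique: str        # technique to hunt for
    threats: int          # how many applicable threats use it (priority signal)
    missing: frozenset    # required telemetry that is not being collected


def rank_techniques(threat_profile):
    """Count how many applicable threats use each technique."""
    return Counter(t for ttps in threat_profile.values() for t in ttps)


def missing_telemetry(technique, technique_telemetry, collected):
    """Telemetry the hunt needs but the environment does not collect."""
    return frozenset(technique_telemetry.get(technique, set()) - collected)


def plan_hunts(threat_profile, technique_telemetry, collected):
    """Build the hunt backlog: huntable techniques first, then by how many
    applicable threats use them, then by ID for a stable order."""
    backlog = [
        Hunt(tech, count, missing_telemetry(tech, technique_telemetry, collected))
        for tech, count in rank_techniques(threat_profile).items()
    ]
    backlog.sort(key=lambda h: (bool(h.missing), -h.threats, h.technique))
    return backlog


# Constructed hunt outcomes: result is "finding", "clean" or "data_gap";
# new_detection records whether the hunt produced a durable detection rule.
OUTCOMES = [
    {"technique": "T1486",     "result": "clean",    "new_detection": True},
    {"technique": "T1053.005", "result": "finding",  "new_detection": True},
    {"technique": "T1053.005", "result": "clean",    "new_detection": False},
    {"technique": "T1021.001", "result": "data_gap", "new_detection": False},
]


def hunt_metrics(outcomes):
    """Summarize hunts so the program can be measured, not just executed.
    A clean hunt that yields a new detection is still a success."""
    results = Counter(o["result"] for o in outcomes)
    new = sum(1 for o in outcomes if o["new_detection"])
    return {
        "hunts": len(outcomes),
        "findings": results["finding"],
        "clean": results["clean"],
        "data_gaps": results["data_gap"],
        "new_detections": new,
        "detection_yield": new / len(outcomes) if outcomes else 0.0,
    }


if __name__ == "__main__":
    for h in plan_hunts(THREAT_PROFILE, TECHNIQUE_TELEMETRY, COLLECTED):
        state = "READY" if not h.missing else "BLOCKED, onboard " + ", ".join(sorted(h.missing))
        print(f"{h.technique:10} used by {h.threats} threat(s): {state}")
    print(hunt_metrics(OUTCOMES))
```

Note what the ranking surfaces: the technique used by every applicable threat (T1021.001) is also the one the environment cannot yet hunt, because one required log source is not collected. That gap, not a tool purchase, is the first item on the backlog.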

They concluded by saying that this is just the beginning, and laying out a few points to remember about this new threat hunting system:

  • It’s community driven; not a vendor trying to sell something.
  • It will feature continuous evolution.
  • It’s vendor agnostic but all technologies are welcome.
  • The community should tell them what they’re missing.
  • Documentation matters; being able to share what you have can be incredibly valuable to other organizations.
  • The magic is in the humans and in working together.

Finally, they provided the site where you can explore their new threat hunting framework. To check it out, go to
