
Threat Hunting Checklist: Building an Effective Toolset

June 9, 2020

Threat hunting is one of the most critical activities performed by SOC teams. Once an alert triggers and a tier-1 analyst assesses it and sends it up the line for further evaluation by a more senior analyst, the race is on. Hunting down the threat as quickly as possible, before it can wreak havoc on the organization, becomes the top priority.

However, while the majority of organizations with a SOC have skilled analysts who handle threat hunting, evidence indicates that many organizations face a range of challenges with the effectiveness of their threat hunting tools and programs.

In this article, we’ll review a four-point checklist for building an effective threat hunting toolset:

  1. Provide the ability to hunt across all of your data
  2. Enable creative detective work and hypothesis testing
  3. Automatically enrich your data with context
  4. Integrate with your investigation workflow

The need for more effective hunting tools

The ineffectiveness of threat hunting teams is an ongoing source of frustration and pain, according to a survey by the Ponemon Institute. 54% of respondents say their organizations have a threat hunting team, which is the good news. The not-so-good news, however, is that nearly half of those who have threat hunters on the payroll (45%) say their organization is not effectively leveraging the skills of threat hunters to stop security incidents. And another 16% say they aren’t even sure whether their threat hunting activities are effective or not.

Take a look at this table. It identifies the top reasons respondents feel their organization’s threat hunting efforts are suffering. The top reasons cited are forms of analyst overload: too many indicators of compromise to track (cited by 61%) and too much network traffic to compare against IOCs (50%). Other reasons include lack of internal resources/expertise and too many false positives.


What can organizations do to end the frustration and, most importantly, improve their threat hunting?

A 4-point checklist for your threat hunting toolset

#1: Provide the ability to hunt across all of your data

In today’s relentless threat environment, it’s no longer sufficient to build lines of defense around your business to protect against attackers. You must respond to ongoing attacks proactively and iteratively. Modern cybercriminals are smart, determined, and well-funded. Their threats are cleverly crafted to slip past an organization’s defenses. Your organization can accelerate the hunting process and identify threats before they inflict damage by analyzing the entire attack surface, with the goals of uncovering historical threat patterns and exploring new data for ongoing attacks. Enabling threat hunters to run queries across any volume of data, any number of sources, and any time horizon, using multiple filter criteria to proactively identify threats, will increase the impact of their tools.

#2: Enable creative detective work and hypothesis testing

Manual efforts alone make it virtually impossible to detect evidence of an advanced threat. Effective threat hunting requires three key ingredients: speed, scale, and performance. Your analysts need complete visibility along with the flexibility to rapidly test changing hypotheses. The most effective cyber threat hunting tool is one that enables analysts to quickly and intelligently query and pivot across petabytes of diverse data to identify and take fast, decisive action against IOCs, while also leveraging historical data to map advanced threat campaigns across time.

#3: Automatically enrich your data with context

The ideal threat hunting tool will unlock analyst creativity by providing easy access to three critical elements: threat and malware intelligence, behavioral observations, and real-time context for richer analysis. With legacy SIEMs, analysts must manually query multiple sources and systems to comprehend which threats truly matter and then stitch together what their potential impact could be. An effective workbench of threat hunting tools should enable threat hunters to run queries across any volume of data, any number of sources, and any time period using multiple filter criteria to identify threats proactively. At the end of the day, your threat hunting process will accelerate if you are able to automatically populate events in an actionable context.

#4: Integrate with your investigation workflow

Detecting threats is difficult enough; exploring and eradicating them makes the overall process that much harder. For the greatest effectiveness, your threat hunting tool should provide the insight needed to isolate the source of an incident and drive appropriate response activities. On top of that, build a toolset that makes it easy for analysts to add hunting results as context to an existing investigation or to begin a new one. This empowers analysts to take definitive action against threats as well as continuously improve their work by streamlining the process to incorporate findings into investigation workflows. The end result will be more effective and efficient SOC operations, reduced redundancy, and more time to prepare for and conduct the inevitable next hunt.

To learn how Devo provides threat hunters a single, unified platform to pivot between alerts, investigations, and hunting, watch our on-demand webinar with SANS.
