As it happens, I will now work on a short and sweet paper on THREAT HUNTING.
So far, I’ve seen two types of materials on THREAT HUNTING (TH):
- Great materials written by the “security 1%-ers” for other security 1%-ers or, perhaps, for the …ahem… 2%-ers, i.e. the slightly less elitist elites [IMHO, much of it is mostly useless for the masses due to the chasm]
- Crappy materials often written by vendors who corrupt the threat hunting term to attach a “cool” label to various security products [I’ve seen the hunting label attached to basic indicator matching and essentially to IDS or even to log search].
In the next few weeks, I will try to aggregate a lot of knowledge (from within and outside Gartner, naturally) to come up with a quick guide to threat hunting for the non-elites. It will serve two purposes:
- Cut through the hype to present a fact-based view of threat hunting (and if this discourages some from hunting, so be it – they were probably not ready anyway and should invest their resources in other security practices)
- Provide some practical starter tips and some value justification for starting (in the hope that those who can benefit from it will have a starter roadmap to it)
Here is what I am thinking about for my early high-level outline:
- TH defined
- Hunting and [alert] gathering
- TH as hypothesis testing
- TH as “proactive” IR
- Other useful TH metaphors
- TH examples
- Value of TH for the organization
- Business case for TH
- What types of orgs WIN at TH
- Resources | prerequisites needed for TH
- How to start TH at your organization
- Example TH processes and workflows
- Cautions and risks
Thoughts? Ideas? Pointers to more materials?
Possibly related posts:
- Anton’s Favorite Threat Hunting Links
- No, Virginia, It Does NOT Mean That!
- Fusion of Incident Response and Security Monitoring?
- Alert-driven vs Exploration-driven Security Analysis
- Incident Response: The Death of a Straight Line
- Use Cases for Network Forensics Tools
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.