As it happens, I will now work on a short and sweet paper on THREAT HUNTING.
So far, I’ve seen two types of materials on THREAT HUNTING (TH):
- Great materials written by the “security 1%-ers” for other security 1%-ers or, perhaps, for the …ahem… 2%-ers, i.e. less elitish elites [IMHO, much of it is mostly useless for the masses due to the chasm]
- Crappy materials often written by vendors who corrupt the threat hunting term to attach a “cool” label to various security products [I’ve seen the hunting label attached to basic indicator matching and essentially to IDS or even to log search].
In the next few weeks, I will try to aggregate a lot of knowledge (from within and outside Gartner, naturally) to come up with a quick guide to threat hunting for the non-elites. It will serve two purposes:
- Cut through the hype to present a fact-based view of threat hunting (and if this discourages some from hunting, so be it – they were probably not ready anyway and should invest their resources in other security practices)
- Provide some practical starter tips and some value justification for starting (in the hopes that those who can benefit from it will have a starter roadmap to it)
Here is what I am thinking about for my early high-level outline:
- TH defined
- Hunting and [alert] gathering
- TH as hypothesis testing
- TH as “proactive” IR
- Other useful TH metaphors
- TH examples
- Value of TH for the organization
- Business case for TH
- What types of orgs WIN at TH
- Resources | prerequisites needed for TH
- How to start TH at your organization
- Example TH processes and workflows
- Cautions and risks
Thoughts? Ideas? Pointers to more materials?