Threat hunting continues to be a priority for security teams. Many organizations have plans to initiate or expand threat hunting programs. All successful threat hunting begins with having the right data to answer the right question at the right time. Without the right data, there is no hunt.
When you ask a security professional what they mean by threat hunting, it is common to get one of four answers:
1) Proactively looking for new, unknown threats.
2) Searching for new threats recently identified by others in the cybersecurity community.
3) Conducting more thorough investigations of threats detected on the company’s network.
4) Some combination of the answers above.
For threat hunting to be successful, you must be able to quickly answer the questions you want to ask. That means easy access to a broad range of data sources for query and analysis.
Below are the top six requirements to consider for a successful threat hunting environment. To ensure your organization is properly equipped, ask yourself or your vendors to answer the following questions. If the answers to all of the questions are yes, you’re ready for threat hunting success.
- Network visibility – Can you get visibility into all of your network activity? Do you have the flexibility to access packets in the cloud, on premises and in hybrid environments? Is it easy to integrate packet brokers, packet distribution layers and other sources?
- Breadth of data sources – Do you have the option to collect as much, or as little, data as you need and expand data collection as required? Can you ensure you aren’t limited to a narrow range of data? Are you able to generate metadata from a wide variety of sources, such as Suricata, Zeek, DPI libraries, etc.? Do you have access to all of the data streams Zeek produces and can you edit and create scripts? Are you able to get data and alerts from any existing or new Suricata rules, and threat intelligence, geolocation and other data contextualization and enrichment?
- Quick access to required data – Can you retrieve a broad range of data, including high-level summary and count metadata, protocol-specific metadata (e.g., NetFlow connection metadata), and DNS and raw PCAP data? Does the system expose raw data and make it easy to view PCAP data? Are you able to access the specific types of data you need via an API, query builder, or directly in the Zeek scripts and analytics that produce them?
- Easy to use analytic and investigative workflows – Can you quickly access metadata and PCAP data from the same dashboard and tune your system to provide all the data you need? Are you able to select data sets and features, build queries using a visual query builder, and save data in a shoebox for future use? Is it easy to write in-depth analytics that expose the underpinnings of your system? Do you have detailed analytics options, ranging from simple queries to advanced scripts or analytics, so your solution is useful for all members of your team, from the least experienced to the most advanced threat hunters? Can you export data, so you can perform additional data science, script development, etc.? Is it easy to integrate data into your SIEM and existing workflows via an API or data export tools? Ultimately, can you ask questions the way you want to ask them to get the answers you need?
In addition to four requirements above, it is important to have flexible storage and management options to ensure data is easily accessible when and where you need it.
- Flexible storage – Can you quickly expand the types of metadata you collect, and the volume of data you store, as your business grows and evolves? Is it easy to access historical data for further analysis? Do you have flexible, fine-grained control of the data and attributes you generate and store to ensure your environment is optimized for the types of threats and activity you encounter?
- Automated, centralized management – Is it easy to manage and administer the system and all of the data it produces? Can you quickly apply updates and other changes to all sensors at once to avoid time consuming manual process? Are you able to automate policy creation and manage changes centrally to free up critical resources to focus on threat hunting?
The Bricata network security software platform is optimized for threat hunting and includes robust management options. The flexible storage capabilities allow you to add data nodes on the fly to meet your evolving metadata retention and performance goals.
Bricata allows you to generate all the data you want, ask the questions you need, and get the answers required for you to quickly stop threats and protect your network. At Bricata, we make it easy for you to get data and hunt.