As it happens, I will now work on a short and sweet paper on THREAT HUNTING .
So far, I’ve seen two types of materials on THREAT HUNTING (TH):
- Great materials written by the “security 1%-ers” for other security 1%-ers or, perhaps, for the …ahem… 2%-ers, i.e. less elitish elites [IMHO, much of it is mostly useless for the masses due to the chasm]
- Crappy materials often written by vendors who corrupt the threat hunting term to attach a “cool” label to various security products [I’ve seen the hunting label attached to basic indicator matching and essentially to IDS or even to log search].

In the next few weeks, I will try to aggregate a lot of knowledge (from within and outside Gartner, naturally) to come up with a quick guide to threat hunting for the non-elites. It will serve two purposes:
- Cut through the hype to present a fact-based view of threat hunting (and if this will discourage some from hunting, so be it; they were probably not ready anyway and should invest their resources in other security practices)
- Provide some practical starter tips and some value justification for starting (in the hopes that those who can benefit from it will have a starter roadmap to it)

Here is what I am thinking about for my early high-level outline:
- TH defined
  - Hunting and [alert] gathering
  - TH as hypothesis testing
  - TH as “proactive” IR
  - Other useful TH metaphors
- TH examples
- Value of TH for the organization
  - Business case for TH
  - What types of orgs WIN at TH
- Resources | prerequisites needed for TH
  - Tools
  - Data
  - People
- How to start TH at your organization
- Example TH processes and workflows
- Cautions and risks

Thoughts? Ideas? Pointers to more materials?