I have been busy celebrating weddings with families and friends for a few weekends, but I am back with the latest hurdle in program building - scalability. I haven't stopped working on the hunt analytic repo, but I have switched to playing in AWS DynamoDB.
Traditionally, hunting has been a single hunter forming a hypothesis and then hunting on that hypothesis to find attacker activity. Some current resources take this a step further and have the hunter also carry out the disruption and eradication of that activity. This approach may work for smaller organizations where one employee wears many hats, but it doesn't scale well, and it makes it hard to tell a compelling story.
So let's assume you are creating a Hunt Team, one that is only responsible for hunting and not burdened with incident response or remediation. How do you scale the team to cover as many high value targets as possible and tell a compelling story?
Threat Hunting as a Pack
Experienced hunters tend to be subject matter experts in one domain. Due to my computer forensics background I am stronger on endpoint than network, and that doesn't extend to the mobile operating systems.
High-value targets, and potential attacker activity on, to, or from them, are not confined to one area of domain expertise. To adequately cover a "crown jewel" for attacker activity, a pack of hunters offers a variety of applied expertise.
Let's play this out.
You determine a "crown jewel" to be your company's online store. The store has a presence on the web and through a mobile application, and you are concerned about the store being compromised and customer payment information being stolen. Your executives ask you to organize a hunt to look for this type of activity. How do you provide them the greatest peace of mind? A comprehensive hunt encompassing all domains: web, mobile, endpoint, and network. This approach more closely mimics incident response -- only without the knowledge that the attacker is there.
Pack Roles and Responsibilities
Before deep diving into the roles, I want to mention that right now I am not sure that during one hunt a team member can't fill more than one role. Our team is still experimenting with how hard to draw the lines between the roles.
The Hunt Lead's main responsibility is the on-time completion of a good hunt. This requires keeping hunters on task and removing any potential roadblocks for the rest of the team. It also includes socializing the hunt before and after. It is easy for a hunter to go down rabbit holes; the lead has to keep hunters focused on the hypothesis for the hunt.
The Gatherer's main responsibility is making sure that hunter findings which are not related to suspicious activity are documented for the teams that need to act on them. The Gatherer also acts as a backup to the Hunt Lead and is well placed to provide quality assurance for the post-hunt brief.
Hunters are responsible for collecting all the data needed for the hunt and then parsing, normalizing, validating, and enriching that data -- and of course the actual threat hunting. Any issues during the hunt are escalated to the Hunt Lead. The Hunter also has to document every analytic used and the findings from their hunt.
Trackers make sure that hunters can keep hunting by investigating any suspicious findings and passing them to the incident response team once they are validated. Trackers can take part in multiple hunts at a time for even more scale.
What role did I forget? Did I separate too much? Share your thoughts below to help all hunt teams solve this problem of scale.