12 Measuring success


This chapter covers

  • Measuring and reporting success
  • Defining success in the context of threat hunting
  • Identifying and discussing the areas for measuring success
  • Identifying and describing important threat-hunting metrics
  • Reporting success to stakeholders
  • Communicating discoveries

Until now, our primary focus has been on conducting threat-hunting operations: uncovering threats, conducting incident investigations, and collaborating with other teams to request information or share findings. In this chapter, we consider governance and answer a few essential questions:

  • Did our work add value to the business?
  • How can we evaluate that value?
  • Should we have done some things better?
  • How can we improve the threat-hunting practice?

In this chapter, we define success in the context of threat hunting. We outline methods for establishing and extracting the essential measurements needed to calculate key metrics. In addition, we provide practical guidance on good practices for reporting and communicating threat-hunting performance to different roles within the organization.

12.1 Why we need to measure and report success or failure

12.2 The ask

12.3 Threat-hunting metrics

12.4 Scenario: Uncovering a threat before an adversary executes it

12.4.1 Research work

12.4.2 Hunting for successful SQL injections

12.4.3 Checking the code

12.4.4 The threat-hunting team saved the day

12.4.5 The penetration testing team confirmed the finding

12.4.6 Threat hunting and executed threats

12.5 Reporting to stakeholders

12.5.1 Reporting to the executive team

12.5.2 Reporting to the CISO

12.5.3 Reporting to the security operations manager

Summary