2 Building the Foundation of a Threat Hunting Practice
This chapter covers
- How to develop a threat hunting hypothesis
- How to document a threat hunting play
- The importance of threat intelligence to threat hunting
- Building a threat hunting framework
- The details of the threat hunting process
- Threat hunting roles and responsibilities
- Important frameworks and standards
- How to evaluate the maturity of a threat hunting practice
In Chapter 1, we established foundational threat hunting concepts. In this chapter, we discuss how to create a threat hunting framework. We start with an overview of existing frameworks and standards and how and where they cover the topic of threat hunting. For example, we discuss how and where a standard like NIST Special Publication 800-53 Rev 5 covers threat hunting and how a framework like MITRE ATT&CK can be used to establish hunts based on threat tactics, techniques, and procedures.
We then describe how to start a hunting practice and improve its maturity over time, supplying you with processes and templates to kick-start the work. We then describe the general roles and responsibilities of the threat hunter using a responsible, accountable, consulted, and informed (RACI) model.
Finally, we describe data sources and their importance to threat hunting and provide an overview of common data sources and sets such as Windows events, Sysmon, Linux events, network flows, and firewall events.