Let's be honest.

Threat hunting is not a new technique for battling attackers; it has been around for quite some time. Only recently, however, has it gained popularity in modern security operations centers (SOCs). Organizations have come to accept that cyberattacks are unavoidable and have shifted their security strategies accordingly, so threat hunting has become imperative.

Many organizations have recognized that a proactive security approach is vital for improving their security posture, and they are now ready to invest time, money, and resources in this more mature security model.

Let's now dive deeper into the threat hunting fundamentals.

Prerequisites for setting up a threat hunting program

To start any security program, you must first know your current status. A threat hunting program is no exception, and the threat hunting maturity model (THMM) can help with this. The questions below roughly progress from basic data collection to fully automated hunting; the further down the list you can honestly answer "yes", the more mature your program is.

Tell us what you do now, and we will tell you how to devise your threat hunting program.

Do you routinely collect security data, such as logs, from all components of your network? (This includes perimeter devices, servers, hosts, and applications.)
Do you have automated alerting tools, such as an intrusion detection system (IDS) or a security information and event management (SIEM) platform?
Does your SOC have a dedicated incident detection and response team?
Do you utilize open source threat intelligence feeds to detect suspicious events?
Do your SOC analysts use built-in indicator of compromise (IoC) reports and SIEM alerts to capture threats?
Do you make use of one or more third-party threat intelligence feeds to detect suspicious events?
Do your SOC analysts build custom correlation rules and alert profiles to capture new security incidents or incidents specific to your network environment?
Do you have designated threat hunters in your SOC, or a set of analysts who search for threats on a rotational basis?
Does your SOC hunt on a regular schedule (daily, weekly, monthly, etc.)?
Are you measuring the performance of your current hunting techniques?
Are your threat hunters using different data analysis techniques to detect malicious activities?
Do your threat hunters develop or publish original hunting procedures based on their experiences in your environment?
Do you use or build a specialized threat hunting tool, or adapt an existing one, to streamline detection and collaboration within your security team?
Have you automated successful hunting procedures, and do you monitor their output and tune them to improve automated detection?