You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment.

Before you can embark on a threat hunting exercise, however, it’s important to understand how to build, implement and mature a repeatable, internal threat hunting program. What are the components of a program? How do you measure its success?

Despite the increasing demand for threat hunting, a prescriptive framework, which isn’t tied to a vendor, is hard to come by. Security leaders often ask our X-Force team, “Can you teach us how to do threat hunting? Are there any resources that can walk us through this?”

After hearing those questions repeatedly, Grifter, X-Force Head of Research John Dwyer and X-Force Global OT Incident Response Lead Sameer Koranne did some exploring. They searched publicly available sources for a central place that covers the operational pieces of threat hunting, including what an internal team looks for, processes that ensure a program’s success, and an overall definition of threat hunting and potential outcomes. They looked for technical and non-technical documentation and couldn’t find anything. Even the definition of threat hunting had a thousand different explanations. If an organization can’t define what threat hunting means, how will it know if its team is being successful? How will the team carry out the right vision of what threat hunting should entail? Companies must set their definition of threat hunting, its goals, why it’s important for them, and how they can direct their threat hunters to carry out their vision before they build a program.

To fill the framework gap, the X-Force team built their own. They will present it at the 2022 Black Hat conference. I asked them to provide a high-level summary of the talk. Below is the information they shared.