Threat hunting maturity model
Before moving forward in describing the threat hunting maturity model, we need to understand what threat hunting is. Threat hunting is the act of proactively and iteratively searching a network to detect and isolate advanced threats that exploit organizations’ existing security mechanisms. Hunting can involve the hunt of various type of activities that malicious actors can perform. Hunters use the specific hunting techniques which are the best for a particular activity they are trying to discover.
Hunting can involve both machine-based and manual techniques. Unlike other automated systems, such as SIEM, hunting involves human capabilities to hunt threats with more sophistication. However, automation (such as automated alerting) should still be one of the primary features of the hunt.
The aim of this article is to teach you how organizations can measure their current maturity level and what improvements are required to enhance their security posture. The maturity level determines the capabilities of the organizations, at which time it can be determined to what extent these organizations are capable of hunting and responding to threats.
According to a 2018 Threat Hunting Report:
“From a maturity perspective, nearly 15 percent [of respondents] believe they are cutting-edge, up 8 percent from last year. However, 33 percent of respondents state that their capabilities are limited, a jump of nearly 6 percentage points higher from the previous year.”
The Hunting maturity model (HMM)
Hunters must consider what makes up a good hunting infrastructure by taking the definition of hunting into consideration. When assessing a corporate organization’s hunting ability, you need to consider the following factors:
- For hunting, organizations have to provide data to the hunters — the quantity and quality of such data are important considerations for a reliable hunt
- What ways organizations use for visualizing and analyzing numerous types of data
- The types of automated analytics the organization can apply to data to facilitate hunters
In order to determine hunting maturity, the quantity and quality of the data that an enterprise periodically gleans from its IT environment is a significant factor. For reliable and effective hunting, organizations should provide as much data and as many types of data as possible. In this way, the hunters will be able to provide more effective results. Styles of hunting and hunting techniques vary among hunters. To determine their style and hunting techniques, we need to see what toolsets they use — for example, how they generate the visualization and utilize analytics with the help of these toolsets.
HMM incorporates five levels of organizations’ hunting capabilities, and these levels are categorized into five steps ranging from HM0 (the least capable) to the HM4 (the most). The following sections delve in-depth into the key characteristics and capabilities of each maturity level.
HMM Level 0: Initial
At this level, organizations employ automated alerting solutions such as antivirus software, SIEM or IDS to detect malicious activities in the face of a corporate network. They also use threat intelligence indicators or feeds of signature updates, and they may even generate their own indicators or signatures. However, feeding them directly into monitoring systems is essential.
Put simply, this level relies primarily on automated alerting. There is little or no routine data collection. Analysts’ access to the data may or may not be quick and easy.
HMM 1: Minimal
Like HMM0, organizations still depend heavily on automated alerting to perform their incident response process. But unlike HMM0, where a routine collection of IT data is minimal if at all, this level involves a moderate or high level of routine data collections that organizations feed into their central locations, such as SIEM.
When new threats approach a company’s network, analysts are advised to extract key indicators from threat-related reports and look for historical data to find out if they have been identified in the short run. Despite its minimal nature, any type of hunting can occur at the HMM1 level due to its search capability.
There are several great hunting procedures developed by others and you can find them easily on the internet. These procedures are used to integrate a particular analysis technique with an expected type of input data to identify a single type of malicious activity. For example, gathering data about malware that is trying to download or display advertisements on the computer interface.
In fact, many enterprises develop different procedures periodically and they are accessible to others. At this level, companies are capable of learning and applying these already developed procedures and can make trivial changes to them. However, organizations are unable to create completely new procedures at this level.
HMM2 organizations typically gather a large or sometimes very large amount of data because most of the available procedures rely on least-frequency analysis.
Unlike the HMM2 level, which relies on procedures developed by others, the organizations at level HMM3 create and publish their own data analysis procedures and collect a high or very high level of routine data. With this data, they will have a broad spectrum of choice in where they can pivot and know what to hunt. Several advanced analysis disciplines incorporated at this level including machine learning, data analysis, and data visualization. More importantly, HMM3 companies must have highly-skilled hunters who completely understand data analysis techniques and apply them to detect malicious activities.
The HMM4 level is similar to level 3, but the main difference between them is the aspect of automation. At this level, analysts operationalize any successful hunting process in order to turn it into automated detection. Doing so release the analysts from the burden of carrying out the same processes again and again. In this way, they can focus on creating new processes or improving existing ones, which results in constant enhancement to the detection mechanism as a whole.
HMM4 organizations have a robust security posture and, therefore, they are very effective in curtailing notorious adversaries.
What do I need to know about the HMM and the concept of automation?
We’ve looked at the concept of automation during the level HMM0 through HMM4. HMM4 companies always prefer automation as they create new hunting solutions. Conversely, HMM0 enterprises rely heavily on their automated detection system, whether it is created in-house or provided by the vendor.
Analysts spend a good deal of time to create new signatures for enhancing their detection system. However, their way or method of finding hostile actors on the network always remains the same. More importantly, the improvement of the automated approach for hunting is crucial. If they are not doing so, hunting is not taking place at all, even if they are using the most sophisticated security analytics tools.
On the other hand, HMM4 enterprises are always interested in trying new techniques to find out adversaries in their critical systems. Detection products that are purely automated have no curiosity, agility, or inventive capabilities, which are certainly integral to HMM4. If you want to deploy an HMM4, you cannot simply purchase an automated system. However, an effective hunting platform can definitely deliver your analysts and team a huge boost in sophistication.
What are the applications of HMM?
When a security management in an organization needs to acquire a new hunting team, they always take an active detection strategy into consideration, but they still are confused over how to explain what hunting team’s capabilities should be in reality. However, the maturity model will certainly help them in this regard. Any company who wants to take the initiative of viable hunting program can get aid from the maturity model, helping them to know what an excellent first capability is expected to be.
To the organizations that already perform hunting, it is essential for them to know that the HMM can help to gauge their current maturity and to improve further. A hunting team can make a comparison of its current capabilities with those explained in the model. After that, they might guess how to develop their data gathering abilities or/and skills to attain the next level of maturity.
- A Framework for Cyber Threat Hunting, Sqrrl
- Things That Make You Go HMM, David J. Bianco
- 2018 Threat Hunting Report, Alert Logic