Understanding the Reasons Behind Our Threat Hunting Prioritization

When deciding what to hunt in threat hunting, it's crucial to understand why we choose certain targets over others. With a wide range of potential threats and intelligence sources, determining our focus areas helps us allocate resources effectively and enhance our security posture.

If your team operates more like a Managed Security Service Provider (MSSP) than an individual corporation, this means you often have an external perspective and may not have full visibility into all internal systems. Therefore, our approach to threat hunting must be strategic and well-prioritized.

Threat Hunting Cycle Reminder

1. Hypothesis Formation
2. Investigation via Tools
3. Uncover TTPs/Behavior/Activity
4. Develop New Detections
5. Enrich Analysis and Automate Hunts
6. Repeat the Cycle

Reasons Behind Our Threat Hunting Choices

1. Business Impact
   • Financial Consequences: Preventing losses due to breaches or downtime.
   • Reputation Management: Protecting our and our clients' reputations.
   • Operational Efficiency: Maintaining smooth operations without interruptions.
   • Value Delivery: Ensuring our efforts provide tangible benefits.
2. Risk Management and Business Continuity
   • Exposure Assessment: Evaluating critical assets for vulnerabilities and exploitation potential.
   • Visibility Gaps: Identifying areas where monitoring is insufficient.
   • Business Continuity: Ensuring operations can continue uninterrupted in the face of threats.
3. Proactive Measures
   • Addressing Exposures: Identifying and mitigating exposed services or sensitive information.
   • Policy and Configuration Review: Ensuring security policies and configurations are effective.
   • Preventative Action: Acting before threats materialize.
4. Threat Intelligence
   • Identifying New TTPs: Discovering new tactics, techniques, and procedures used by threat actors.
   • Emerging Threats: Staying ahead of new threats and campaigns.
   • Critical CVEs: Monitoring critical vulnerabilities that could be exploited.
   • Specific Targets or Campaigns: Focusing on threats relevant to our clients or industry sectors.
5. Resource Optimization
   • Personnel Availability: Considering the skills and availability of our team members.
   • Tool Utilization: Leveraging tools at our disposal effectively.
   • Time Management: Prioritizing activities that offer the greatest benefit.
6. Continuous Improvement and Efficiency
   • Lessons Learned: Applying insights from past activities.
   • New Detections and Tools: Implementing new technologies and detection methods.
   • Process Maturation: Refining our methodologies for better outcomes.