Chapter 2. Should You Hunt?
Threat hunting is a gamble; many hunts will turn up dry, many other hunts will produce mundane results, and every now and then, the hunters uncover something earthshaking. Threat hunting is also expensive: it takes your most experienced personnel from more immediate concerns to deal with potentials. Deciding when and how to hunt is a risk-reward calculation. This chapter is an overview of those risks and whether you are ready to hunt; at the completion of this chapter, you should be able to evaluate your own organization for whether you can hunt and be able to identify suitable personnel. This chapter is structured around three checklists: data (information collection and awareness), operations (the impact of the hunt), and personnel (the hunters). In each section, I begin with this checklist to determine your suitability, then walk through each of the topics on the checklist. These checklists are intended as guidelines, rather than fences—at the end of each section, I explicitly discuss when an environment does not support hunting.
Data Requirements
The data sources listed in “Data Suitability Checklist” are a breakdown of the basic data that a threat hunter might use. More data is almost always good, but threat hunting data is often low-frequency, high-value information—it’s stuff that is going to end up being redundant. For this reason, it’s good to have a data collection and retention strategy that supports diverse data: network data, host data, ...