6. Responding to a Threat or Vulnerability
In the previous steps, analysts have gathered enough data to test their hypothesis. Two outcomes are possible: either a real threat is found or a vulnerability is detected. In both cases, analyst action is necessary. Analysts must respond immediately when a real threat is identified. If a vulnerability is found, they should also resolve it before it becomes a really big nightmare.
7. Taking Final Action
Once hunters identify either a threat or a vulnerability, an incident response team takes charge of the remediation process. The team also decides what resources are available and how much time is required to take the final action. Any unwanted delay may cause grave damage to an organization in terms of penalties or reputational harm. Therefore, incident response should be carried out in a timely manner.
8. Deploying Automation
Automation is one of the key components of a Security Operation Center (SOC). Security tools such as a SIEM generate thousands of alerts per day. In addition, there are numerous repetitive tasks that analysts perform on a daily basis. Handling alerts and repetitive tasks manually is a challenging task. This is why security automation comes into play.
In addition, hiring manpower is unaffordable for many organizations due to budget constraints, so enterprises look to automation tools as a last resort. Automation tools check whether an incident involves any Indicator of Compromise (IOC).
Despite the criticality of automation tools, we cannot underestimate the importance of manpower. According to Gartner Research Vice President Anton Chuvakin, a threat hunting program is human-centric, not tool-centric. The role of analysts is essential to pursue threats proactively, because analysts can anticipate likely future incidents in a way tools cannot.
9. Creating Documentation and Reporting to All Stakeholders
All details of a threat or vulnerability must be documented. Documentation helps you retain records of previous incidents, and using these records, analysts can check whether a new incident is linked to a previous one.
Reporting the incident to all stakeholders is also crucial. For example, you may have business partners, outsourcers, or other security managers associated with your organization. They are equally affected if an incident succeeds. For example, GDPR penalties for non-compliance may be applied to all stakeholders who are part of the security architecture.
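As an added example (not code from the original article), the following Python script puts the automated IOC check from step 8 and the incident documentation from step 9 together: it runs a batch of SIEM-style alerts against an IOC list, keeps only the alerts that hit a known indicator, and records incidents in a log that links each new incident to earlier ones sharing an indicator. All IOC values, alerts, incident identifiers and function names are constructed for illustration; the IP addresses come from the RFC 5737 documentation ranges and the hash values are placeholders.

```python
"""Constructed SOC automation example: IOC matching over alerts plus an
incident log that links new incidents to earlier ones by shared indicators."""
import json
import re
from dataclasses import dataclass, field

# Constructed IOC list keyed by indicator type (not real threat intelligence).
IOC_LIST = {
    "ip": {"203.0.113.45", "198.51.100.7"},        # RFC 5737 documentation addresses
    "domain": {"update-check.example.net"},         # example.net is reserved for documentation
    "sha256": {"aa" * 32},                          # placeholder hash, not a real sample
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)

# Constructed sample alerts in the shape a SIEM might export.
SAMPLE_ALERTS = [
    {"id": "A-1001", "rule": "Outbound connection", "src": "10.0.0.12",
     "dst": "203.0.113.45", "dst_port": 443},
    {"id": "A-1002", "rule": "DNS query", "src": "10.0.0.31",
     "query": "update-check.example.net"},
    {"id": "A-1003", "rule": "Process start", "host": "ws-17", "sha256": "ff" * 32},
    {"id": "A-1004", "rule": "Failed logon", "src": "10.0.0.5", "user": "jdoe"},
]


def extract_indicators(alert: dict) -> dict:
    """Pull candidate indicators out of every field of an alert, normalised to lower case."""
    text = " ".join(str(value) for value in alert.values())
    return {
        "ip": set(IP_RE.findall(text)),
        "domain": {d.lower() for d in DOMAIN_RE.findall(text)},
        "sha256": {h.lower() for h in SHA256_RE.findall(text)},
    }


def check_alert(alert: dict) -> dict:
    """Return, per indicator type, the IOCs this alert touches (empty sets mean no match)."""
    found = extract_indicators(alert)
    return {kind: found[kind] & IOC_LIST[kind] for kind in IOC_LIST}


def triage(alerts: list) -> list:
    """Automated first pass: keep only alerts that hit at least one IOC and tag
    them with the matching indicators so an analyst sees the hit immediately."""
    hits = []
    for alert in alerts:
        matches = check_alert(alert)
        if any(matches.values()):
            hits.append({"alert_id": alert["id"],
                         "matches": {k: sorted(v) for k, v in matches.items() if v}})
    return hits


@dataclass
class IncidentRecord:
    """One documented incident; `related_to` lists earlier incidents sharing an indicator."""
    incident_id: str
    summary: str
    indicators: set = field(default_factory=set)
    related_to: list = field(default_factory=list)


def find_related(indicators, log: list) -> list:
    """Return (incident_id, shared indicators) for every prior incident in `log`
    that shares at least one indicator with the new one."""
    new = set(indicators)
    return [(prior.incident_id, sorted(prior.indicators & new))
            for prior in log if prior.indicators & new]


def document_incident(log: list, incident_id: str, summary: str, indicators) -> IncidentRecord:
    """Append a new record to the log, linked to any earlier incidents it overlaps with."""
    record = IncidentRecord(incident_id, summary, set(indicators), find_related(indicators, log))
    log.append(record)
    return record


def build_incident_log(entries) -> list:
    """Document a sequence of (incident_id, summary, indicators) in order."""
    log = []
    for incident_id, summary, indicators in entries:
        document_incident(log, incident_id, summary, indicators)
    return log


# Constructed incident history: the second incident reuses the first one's address.
SAMPLE_INCIDENTS = [
    ("INC-0001", "Beaconing to a listed address", {"203.0.113.45"}),
    ("INC-0002", "DNS lookups plus the same listed address",
     {"203.0.113.45", "update-check.example.net"}),
]


def main():
    print(json.dumps(triage(SAMPLE_ALERTS), indent=2))   # A-1001 and A-1002 hit the IOC list
    log = build_incident_log(SAMPLE_INCIDENTS)
    for record in log:
        print(record.incident_id, "related to:", record.related_to)


if __name__ == "__main__":
    main()
```

In a real SOC the IOC list would be loaded from a threat intelligence feed and the incident log from a ticketing system; the point of the script is the shape of the check (extract, normalise, intersect with the list) and the linking rule (any shared indicator creates a documented relationship an analyst can follow up).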
10. Lessons Learned
A complete threat hunting program allows security leaders to learn lessons from previous incidents. Failing to learn from previous incidents often results in larger ones. Understanding the root causes of previous incidents helps analysts avert upcoming incidents. It can also help identify loopholes in the current security posture and enhance security defences to thwart future incidents.
In this article, we have learned how to initiate a threat hunting program. We have seen that proactively looking for threats and vulnerabilities is much better than responding to them reactively. In a nutshell, it is better to prevent an incident than to respond to it after it has occurred. This is possible if you initiate a threat hunting program in your Security Operation Center (SOC).