How Target evolved its threat hunting program: 3 key steps

Target decided to re-evaluate its successful threat hunting program and found it could do better. This is what they did.


Threat hunting – proactively searching through your own company's networks for attacks that might evade other security measures – often signifies a company with a mature and well-resourced security function. But just as threat actors are constantly evolving, organizations should be willing to reassess and change their security programs, even if they think they are working well.

Retail giant Target, for example, had a mature threat hunting program, but the company decided it was time for a refresh to ensure the program was fit for purpose and still helping the business.

Evolution of a mature threat hunting program

Target's threat hunting program had been in place for five years when it decided to do a "soup to nuts" reworking of the program, the company's Principal Engineer of Cybersecurity David Bianco told attendees at the SANS Threat Hunting Summit in London last month.

"It was time to evolve that program into something more modern," he said. "Not that there was anything wrong with it, but we had just had essentially the same program for several years and wanted to see if there were any updates that should be made."

Bianco said that Target's previous program was mature enough to be able to collect and use a high volume of quality security data from around the enterprise to create new analysis procedures. He labeled this a level 3 on Sqrrl's Cyber Hunting Maturity Model. "That is a great place to be," he said. "Most hunting teams would kill to be able to say on this model, 'We are definitely a level 3'."

The goal was to get Target to level 4 on that maturity scale and move beyond human-scale detection and drive more automation in its security processes. "Organizations at this level are able to not only successfully find those new incidents," said Bianco, "but the key difference is they treat their threat hunting program more as a driver for the improvement of their automated detection."

How to assess your threat hunting program

Before upgrading a threat hunting program, it's important to assess what's working and what isn't. At the start of the refresh Bianco spoke to key stakeholders to get their perspectives on the program. He asked the people running the threat hunting program, the executives who were sponsoring it, as well as those receiving the briefings from the team what was and wasn't working. He also sought to identify if there were any goals they wanted to achieve that they previously hadn't thought possible.

At the same time, Cat Self, lead information security analyst at Target, was brought in and wanted to gain insights into how the current program operated. She had similar roundtable discussions with the SOC analysts involved in the hunting to understand where they felt things were and weren't working. She then joined the hunting operation to see the process firsthand.

"I sat in on a hunt so I could get a baseline of where we're at and why we do what we do so that if we do change it, we know the cascading effect of those changes," Self said. "There's a lot of tribal knowledge inside of hunting that you don't really see until you actually sit and participate in a hunt: Why is that our go-to tool? Why do we search environments using this method?"

From those discussions and observations, Target identified three areas to improve:

  • Program focus: Realign the goals of the program with the company's needs.
  • Operational consistency: Ensure that the program runs as smoothly as possible on a recurring basis.
  • Hunt topic strategy: Find more efficient ways to point the threat hunting program at specific problems that would benefit the company.

Step 1: Focus the goals

Target's original threat hunting operation was set up to detect security incidents that automated detection had missed, with a secondary goal of identifying gaps in visibility. Over time, that focus had shifted slightly and so needed realigning, says Bianco. "The program was run by our SOC folks, and although it [finding security incidents] was still a large component, their idea of it had morphed over time to be less about finding incidents and ensuring that we had proper visibility to using threat hunting as a mechanism for knowledge and skills transfer between the SOC analysts."

During the refresh, the company wanted to move the program's goals away from finding incidents or knowledge transfer. Although they were still important components, they would be by-products of the primary focus of enabling better automated detection.

"Our enterprise can't rely on human-scale detection. We have to use humans to improve the automated scale detection," says Bianco. "Our job is not just to find new security incidents. We will find those as a byproduct of doing our job. Our job is to produce prototypes, or proofs of concept, of new detection mechanisms or improvements in our existing technical detection mechanisms."

Step 2: Ensure operational consistency

Before the refresh Target had no dedicated, full-time threat hunters and relied on bringing in teams of SOC analysts who conducted week-long hunts on an eight-week rotation. While having a different set of analysts involved each time a new hunt started helped spread knowledge around the team, it often led to operational inefficiencies.

In addition to their full-time roles, the analysts working at Sqrrl's level 3 and leading the hunt were expected on their rotation week to come in with a hunt topic and have all the necessary resources and information for the level 1 and 2 analysts ready ahead of time.

"What would happen is, sometimes the level 3 analyst didn't have that prepared," says Self. "So we would be pulling the data on day one, formatting it day two, only really hunting on days three and four, and then presenting our findings on day five. We were asking too much of our level 3s and of our rotational personnel to come in here and do all of this work."

To remedy this, Target decided to create a dedicated threat hunting team, and the company now has three full-time threat hunters. The company also kept the idea of a rotating team of SOC analysts joining in on hunts to keep the knowledge transfer going. The one-week cadence of hunts was also kept as the hunt team felt this would allow them to dive deep into individual topics and quickly pivot as required. However, a two-week period was introduced between each week-long hunt to give the hunters more time to prepare, document findings, and follow up with other teams.

"We wanted to be able to, when we got in on day one, actually start hunting and hunt with reliability so our operations were a lot more predictable and have a reasonable expectation of how that period would go," said Self. "Hiring full-time threat hunters was a key element. That was really what allowed us to be able to execute every single thing we talked about: actually baking in your time in preparation, being able to create the full documentation of what happened and how to iterate on that next time, and giving our people time to actually prepare adequately for that next hunt."

Step 3: Define the strategy

The third part of the program refresh was to change how Target picked topics to hunt on and add more strategy around prioritization. Previously the company's L3 SOC analysts gathered in a room and floated ideas on a whiteboard. After discussions among the analysts, the chosen hunt topics were then scheduled on a calendar. While the analysts might be subject-matter experts, Self and Bianco say that the downside was these were often "a bunch of random ideas" and the company needed a better way to focus on what was important.

"We kept the idea that our subject-matter experts could contribute possible topics or hypotheses for us," said Bianco. "We expanded that to explicitly solicit more ideas from more people in our extended security teams, but that idea basically still held."

While they kept the collaborative nature of initial discussions, the company decided on new assessment criteria to prioritize which hunt topics posed the greatest risk to the business. The new assessment was based on three risk factors: prevalence of the proposed threat topic among Target's most closely monitored threat actors, the prevalence of said threat across wider industries and infrastructures, and the business risk impact of said threat if it did hit the business. Each of those three factors was rated by the relevant team – threat intelligence, threat hunting and detection engineers respectively – and given a 0 to 5 scoring (0 being no risk, 5 being high risk).

Hunts are then grouped together in six- to eight-week sprints. Sometimes these sprints are themed – Target's first hunt sprint was themed around host-based detection on Macs – and sometimes they are solely around priority scoring or special requests from the CISO or other executives if they required something specific be looked at. "That gives us a really good mix of potential long-term program improvement for cyber security," says Bianco, "but also possibly things that are short term urgent for us to do hunting on."
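The prioritization scheme described above (three 0-to-5 factor ratings, executive special requests, and one-week hunts separated by two-week gaps inside a six- to eight-week sprint), as an added Python example that is not Target's or the article's own code. It assumes the three ratings are simply summed, which the article does not state, and the topic names are constructed samples.

```python
from dataclasses import dataclass

SCORE_MIN, SCORE_MAX = 0, 5  # the article's scale: 0 = no risk, 5 = high risk


@dataclass(frozen=True)
class HuntTopic:
    """A proposed hunt topic with the three factor ratings the article describes."""
    name: str
    actor_prevalence: int       # rated by threat intelligence
    industry_prevalence: int    # rated by threat hunting
    business_impact: int        # rated by detection engineering
    exec_request: bool = False  # special request from the CISO or another executive

    def __post_init__(self):
        # Reject ratings outside the 0..5 scale instead of silently skewing the ranking.
        for label, score in (("actor_prevalence", self.actor_prevalence),
                             ("industry_prevalence", self.industry_prevalence),
                             ("business_impact", self.business_impact)):
            if not SCORE_MIN <= score <= SCORE_MAX:
                raise ValueError(f"{self.name}: {label}={score} outside {SCORE_MIN}..{SCORE_MAX}")

    @property
    def priority(self) -> int:
        # Assumption: the three factors are summed; the article does not say how they combine.
        return self.actor_prevalence + self.industry_prevalence + self.business_impact


def rank_topics(topics):
    """Executive requests first, then descending risk score, then name as a stable tie-break."""
    return sorted(topics, key=lambda t: (not t.exec_request, -t.priority, t.name))


def plan_sprint(topics, sprint_weeks=8, hunt_weeks=1, gap_weeks=2):
    """Place ranked topics into a sprint as (start_week, topic) slots: a one-week hunt
    followed by a two-week preparation/documentation gap, until the sprint is full."""
    schedule, week = [], 1
    for topic in rank_topics(topics):
        if week + hunt_weeks - 1 > sprint_weeks:
            break  # no room left; this topic carries over to the next sprint
        schedule.append((week, topic.name))
        week += hunt_weeks + gap_weeks
    return schedule


# Constructed sample backlog (not Target's actual hunt topics).
SAMPLE_TOPICS = [
    HuntTopic("macOS host-based persistence", 4, 3, 5),
    HuntTopic("Web shells on internet-facing servers", 5, 4, 4),
    HuntTopic("Unusual scheduled tasks", 2, 2, 3),
    HuntTopic("Remote-access tooling review", 1, 1, 2, exec_request=True),
]
```

With the defaults an eight-week sprint holds three hunts (weeks 1, 4 and 7); passing `sprint_weeks=6` leaves room for only two, and the remaining topics wait for the next sprint.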

Self offers these key takeaways for companies looking to improve their current program:

  • Hire full-time threat hunters.
  • Give those hunters time to prepare before a hunt and document findings after a hunt.
  • Ensure operational consistency and use a proper strategy around what teams should be focusing on during hunts.

Copyright © 2020 IDG Communications, Inc.