As important as it is to identify and eradicate threats hidden in your network, figuring out how they got in and taking steps to prevent future attacks is perhaps the most important aspect of threat hunting. Plan to have a post-op meeting to discuss the hunt. In it, show what has been found and discuss what needs to be done to fix it. Then implement network policy changes to lock those fixes in.
Sometimes it’s less about finding a threat, but rather uncovering weaknesses within the organization. A successful threat hunting campaign may uncover a misconfigured server or a policy violation that needs correcting. And as counter-intuitive as it may seem, sometimes the best threat hunting campaigns uncover nothing at all. The benefit here is you now tangibly know that the avenue investigated is not currently a risk to your organization.
Adding automation is another critical post-threat-hunt step. After a threat hunt is complete, it’s important to check periodically to see whether the activity you’ve uncovered returns. Convert what has been found into a process that can be run again. Set up a trap that alerts when it is triggered. Over time this will fold into your security playbook.
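One way to turn a finished hunt into a repeatable check with alerting, as an added example that is not part of the original article. The scenario is constructed: assume the hunt found service accounts logging on interactively (a policy violation, as in the misconfiguration example above), and we want that exact check to run again on a schedule and raise an alert when it fires. The event schema, field names, account names and sample events are all hypothetical.

```python
"""Codify a completed hunt as a repeatable check with alerting.

Added example, not from the original article. The scenario, event schema
and sample events are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Iterable

# Constructed: accounts that should only ever authenticate non-interactively.
SERVICE_ACCOUNTS = {"svc-backup", "svc-sql"}

# Constructed: logon types as they appear in our hypothetical event schema.
INTERACTIVE_LOGON_TYPES = {"interactive", "remote_interactive"}


@dataclass(frozen=True)
class Finding:
    rule: str
    account: str
    host: str
    detail: str


def service_account_interactive_logon(events: Iterable[dict]) -> list[Finding]:
    """Hunt rule: service accounts must not log on interactively."""
    findings = []
    for ev in events:
        if ev.get("type") != "logon":
            continue  # only logon events matter for this rule
        if ev.get("account") in SERVICE_ACCOUNTS and ev.get("logon_type") in INTERACTIVE_LOGON_TYPES:
            findings.append(Finding(
                rule="service_account_interactive_logon",
                account=ev["account"],
                host=ev.get("host", "?"),
                detail=f"{ev['logon_type']} logon at {ev.get('ts', '?')}",
            ))
    return findings


# Registry of codified hunts; each completed hunt adds one entry here so the
# whole set is re-run together on a schedule.
RULES: dict[str, Callable[[Iterable[dict]], list[Finding]]] = {
    "service_account_interactive_logon": service_account_interactive_logon,
}


def run_hunt_checks(events: list[dict], alert: Callable[[Finding], None]) -> list[Finding]:
    """Re-run every codified hunt over a batch of events and alert on each hit."""
    all_findings: list[Finding] = []
    for rule in RULES.values():
        hits = rule(events)
        for finding in hits:
            alert(finding)  # the "trap": fires once per matching event
        all_findings.extend(hits)
    return all_findings


def print_alert(finding: Finding) -> None:
    """Stand-in for a real alert sink (ticket, SIEM alert, chat message)."""
    print(f"ALERT [{finding.rule}] {finding.account} on {finding.host}: {finding.detail}")


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T02:00:01", "type": "logon", "account": "svc-backup",
     "host": "FS01", "logon_type": "service"},
    {"ts": "2024-01-10T09:14:22", "type": "logon", "account": "jdoe",
     "host": "WS042", "logon_type": "interactive"},
    {"ts": "2024-01-10T09:20:05", "type": "logon", "account": "svc-sql",
     "host": "WS042", "logon_type": "remote_interactive"},
    {"ts": "2024-01-10T09:21:00", "type": "process", "account": "svc-sql",
     "host": "WS042", "image": "explorer.exe"},
]

if __name__ == "__main__":
    run_hunt_checks(SAMPLE_EVENTS, print_alert)
```

Running the block as-is reports exactly one alert (the `svc-sql` remote-interactive logon on `WS042`); the `svc-backup` service logon and the non-logon event are correctly ignored. In practice the batch of events would come from your log pipeline and `print_alert` would be swapped for whatever sink your playbook already uses; the point is that the hunt's logic now lives in one named function that can be scheduled and reviewed rather than in an analyst's memory.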