Threat hunting is still very much an emerging practice, and it certainly feels like the new hotness. A reported 93% of organizations believe that threat hunting should be a top security initiative to reduce risk and detect incidents earlier. So why aren't more organizations threat hunting? It's likely due to a few widespread misconceptions that are holding them back.
Well, yes: hiring is hard; four of six organizations report that hiring threat hunters will become more difficult post-COVID. So it's no wonder that many security organizations are kicking the proverbial can down the road. Here's the thing: to get started with threat hunting you don't need a team of unicorns (i.e., people with 10+ years of security experience, a slew of certifications, and deep skills across multiple tech stacks). Of course, if you have even one of these diamonds in the rough, you're well on your way, but a lack of OGs should not stop organizations from getting started.
Anyone with basic security knowledge, time, and motivation can learn how to do some basic threat hunting. There are tons of free training resources available (try Cybrary), open source tools (good lists here and here), and active support communities (BlueTeamSec on Reddit or FIRST, to name just a couple). Initiative and potential can make up for inexperience.
According to IBM's Beginner's Guide To Threat Hunting, before you get started you'll need the logs from your firewalls, antivirus and endpoint management applications, and network packet capture devices, all ingested into a security information and event management (SIEM) system, supplemented with threat intelligence resources.
Do not let overwhelming demands from enterprise software vendors paralyze your initiatives! You don't need to purchase all of those products to get started with threat hunting. In fact, you can easily get started with just one free tool, like Zeek. Zeek is a powerful and popular open source network security monitoring and analysis application, and it has a great support community.
Plenty of folks get started by analyzing Zeek logs on the command line, or in spreadsheets like Excel or Google Sheets, alongside open source threat feeds (like these). They soon realize that spreadsheet capabilities are fairly limited when working with these giant network traffic datasets. Gigasheet offers an intuitive and more scalable way to analyze logs (including those from Zeek). In addition, Gigasheet integrates third-party threat intelligence automatically.
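To make the "Zeek logs plus a threat feed" starting point concrete, here is an added example (not code from the original post, from Gigasheet, or from the Zeek project) that parses a Zeek conn.log and flags connections whose endpoints appear on an indicator list. The log excerpt and the indicator list are constructed for illustration and use documentation address ranges; the excerpt carries a trimmed subset of conn.log columns, but because the parser reads column names from the `#fields` header it works on an unmodified log as well.

```python
"""Match a Zeek conn.log against a list of indicator IPs.

Added example, not code from the original page, Gigasheet, or Zeek.
The log excerpt and indicator list are constructed for illustration.
"""
from collections import Counter

# Constructed conn.log excerpt. Zeek writes tab-separated values under a
# header block; "#separator \x09" is the one header line that uses a space.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#open\t2021-03-01-00-00-00",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tservice\tduration\torig_bytes\tresp_bytes\tconn_state",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum"
    "\tstring\tinterval\tcount\tcount\tstring",
    "1614556800.123456\tCa1Xk2\t10.0.0.5\t51234\t203.0.113.7\t443\ttcp\tssl\t12.5\t1024\t8192\tSF",
    "1614556805.000000\tCb2Yl3\t10.0.0.5\t51240\t192.0.2.10\t80\ttcp\thttp\t0.4\t512\t2048\tSF",
    "1614556810.500000\tCc3Zm4\t10.0.0.9\t40001\t198.51.100.23\t8080\ttcp\t-\t-\t-\t-\tS0",
    "1614556870.123456\tCd4An5\t10.0.0.5\t51260\t203.0.113.7\t443\ttcp\tssl\t11.9\t1100\t8000\tSF",
    "1614556900.000000\tCe5Bo6\t10.0.0.12\t53422\t10.0.0.1\t53\tudp\tdns\t0.01\t60\t120\tSF",
    "#close\t2021-03-01-00-05-00",
])

# Constructed indicator list standing in for an open source threat feed.
SAMPLE_INDICATORS = {"203.0.113.7", "198.51.100.23"}


def parse_zeek_log(text):
    """Parse Zeek's TSV log format into a list of dicts keyed by #fields."""
    separator = "\t"
    unset = "-"
    fields = None
    rows = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # The value is written as an escape sequence such as \x09.
                separator = line[len("#separator "):].encode().decode("unicode_escape")
            elif line.startswith("#unset_field"):
                unset = line.split(separator, 1)[1]
            elif line.startswith("#fields"):
                fields = line.split(separator)[1:]
            continue  # #set_separator, #path, #types, #open, #close, etc.
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split(separator)
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        # Zeek's unset marker becomes None so callers can tell "no service
        # identified" apart from a real value.
        rows.append({k: (None if v == unset else v) for k, v in zip(fields, values)})
    return rows


def match_indicators(rows, indicators):
    """Return connections where either endpoint is on the indicator list."""
    hits = []
    for row in rows:
        matched = {row["id.orig_h"], row["id.resp_h"]} & indicators
        if matched:
            hits.append({
                "uid": row["uid"],
                "ts": float(row["ts"]),
                "orig_h": row["id.orig_h"],
                "resp_h": row["id.resp_h"],
                "resp_p": int(row["id.resp_p"]),
                "service": row["service"],
                "indicator": sorted(matched)[0],
            })
    return hits


def hits_by_source(hits):
    """Count matching connections per internal source host, for triage."""
    return dict(Counter(h["orig_h"] for h in hits))


if __name__ == "__main__":
    rows = parse_zeek_log(SAMPLE_CONN_LOG)
    hits = match_indicators(rows, SAMPLE_INDICATORS)
    for h in hits:
        print(f'{h["uid"]} {h["orig_h"]} -> {h["resp_h"]}:{h["resp_p"]} '
              f'service={h["service"]} indicator={h["indicator"]}')
    print(hits_by_source(hits))
```

On a real deployment you would point `parse_zeek_log` at the contents of `conn.log` and load the indicator set from a downloaded feed; the per-source tally is the first thing a hunter wants, because a host that repeatedly reaches the same indicator (as 10.0.0.5 does here) is a better lead than a single connection. Note that the half-open `S0` connection to 198.51.100.23 has no identified service, which is exactly the kind of row a spreadsheet filter on the `service` column would quietly drop.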
IBM's Guide also says teams should have a "mature security setup," that you'll "certainly need some computer assistance" and that "you will also need a team with enough people to manage the technology and data."
A mature setup and a big support team will undoubtedly help. But in a new field like threat hunting, even the most mature security organizations struggle to log, analyze, and correlate every piece of relevant data. This is a specialty that is being invented and iterated on every week.
At Gigasheet, we believe it can be much simpler to get started, which is why we're building applications that lower the barriers for organizations to do just that. Threat hunting doesn't need to be tied to a massive IT support effort or a data science infrastructure project. Most security practitioners can start threat hunting by dedicating just a few hours per week to training and investigations. By combining cloud-based technology, a spreadsheet-like interface, and a big-data-capable backend, Gigasheet makes it easy to get started immediately.
If you'd like to get started with threat hunting, give Gigasheet a try! Just drop in a log file or csv, and you're on your way.