The Open Threat Hunting Framework: Enabling Organizations to Build, Operationalize, and Scale Threat Hunting presented at Black Hat USA 2022

by John Dwyer, Neil Koranne,

Tags: Lessons Learned Data Forensics & Incident Response


Summary : "Ask 10 infosec professionals to define threat hunting and you'll get 11 different answers." Threat hunting is one of those interesting components of cybersecurity where everyone knows they should be doing it but not everyone can fully articulate what threat hunting is. In our roles as threat hunters, we're lucky enough to be witness to, and evaluate, the hunt programs of Fortune 100 companies, state and national governments, and partners and MSPs. This experience has shown us that one person's definition of threat hunting does not necessarily equal another's.If you do an Internet search for "how to build a threat hunting program" there are plenty of results and some include great insights into what makes a threat hunting program effective. However, while resources do exist, they're often tied to a specific vendor or a particular product and the best way to hunt using it. There's useful information, but you're left trying to find a way to make the proposed processes and techniques work for your environment and not the one driven by the vendor."If you don't like the road you're walking, start paving another one." It's with that in mind that we're releasing a threat hunting framework that can help organizations start a threat hunting program as well as improve threat hunting operations for existing programs that's free and not tied to any particular technology. This framework will enable organizations to take control of building a threat hunting program by providing a clear path to operationalizing threat hunting as well as a well-defined threat hunting process to ensure threat hunters are set up for success.We've responded to far too many incidents that could have been prevented with solid threat hunting operations and we hope this project can help prevent future incidents.