OP 08 February, 2020 - 01:02 PM
[align=start]Many organizations today are rapidly discovering Threat Hunting, the next step in the evolution of the modern SOC. But how do we begin hunting the threats that attack or threaten our organization? How confident are we in the development of our hunting abilities? And how can you judge the quality of your own work and your organization's work in this area (effective cyber threat hunting)? To answer these questions, we present a model called the Cyber Threat Hunting Maturity Model, which we explain below.[/align]
What is Threat Hunting?
[Image: Cyber Threat Hunting Maturity Model]
[align=start]Before we go into the Cyber Threat Hunting Maturity Model (HMM), let's review the exact meaning of the term hunting. We define hunting as "the ongoing or recurring process of searching the network to detect and isolate advanced threats that circumvent our existing security solutions." Hence the experts who carry out these processes, using various techniques to search for attackers and intruders and their malicious activities, are called cyber threat hunters. 3 of modern SOCs operate.[/align]
What does Hunting Maturity Model mean?
[align=start]With hunting defined, let's look at what a good hunting program looks like and how it works. Generally, three factors should be considered when judging an organization's hunting ability: the quality and quantity of the information it collects for hunting, the tools it provides for accessing and analyzing that information, and the analytical skills that actually put the information and tools to use in finding security incidents.[/align]
[align=start]Of these factors, analytical skills are probably the most important, since they are what let the hunter work through the data and identify what matters. The quality and quantity of data an organization collects from its IT infrastructure is also an important factor in determining its HMM level: the more information you collect about the organization and the more your threat specialists hunt with it, the more results they will find. The set of tools you use shapes your hunting style, and each tool offers different techniques for hunting threats.[/align]
[align=start]In general, the HMM has 5 levels, from the lowest Level 0 to the highest Level 5, as illustrated below. This model was developed by Sqrrl's team of security architects and cyber threat hunters, who focus on behavioral analysis and machine learning in organizational security, in particular David J. Bianco. Such a model helps organizations map their current state to the levels defined in the model and plan their present and future capabilities accordingly.[/align]
In the following we will explain each level of the threat hunting maturity model or HMM.
Levels of the Threat Maturity Model or HMM
Zero level or HMM0-Initial
[align=start]At the HMM0 level, an organization relies primarily on automated alerting tools such as IDS, SIEM or antivirus to detect malicious activity in the organization. It may consume feeds of signature updates or threat intelligence indicators, and may even create its own signatures or indicators, but these are fed directly into the monitoring systems.
Organizations at the HMM0 level do not collect much further information from their IT systems, so their ability to actively search for threats is very limited. Organizations at this level are not considered to have a threat hunting capability.[/align]
Level 1 or HMM1-Minimal
[align=start]An HMM1-level organization still relies on automated alerting to drive its Incident Response (IR) process, but it does collect some IT information from its network infrastructure. These organizations often aspire to intelligence-driven threat detection, and they frequently follow the latest threat reports from a combination of Open Source and Cloud Source.[/align]
[align=start]Organizations at the HMM1 level typically collect at least some variety of information and data from their enterprise network into a centralized system such as a SIEM or a log management product. Some of them may actually collect a great deal of information, so when new threats come to their attention, their analysts can search for the key indicators given in the reports across their historical data to discover whether those threats have recently been seen or not.[/align]
Level 2 or HMM2-Procedural
[align=start]If you search the internet for hunting procedures, you will find many good examples. These procedures usually combine a particular type of expected input data with a specific analysis technique to detect a particular kind of malicious activity (for example, detecting malware by gathering information about programs that run automatically on hosts). Organizations at the HMM2 level are able to learn and apply procedures developed by others on a regular basis, perhaps with minor changes, but they are still unable to create entirely new procedures of their own.
Since many of the commonly available procedures rely on some form of least-frequency analysis, HMM2-level organizations typically collect a large amount of information from their enterprise infrastructure.[/align]
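As an added example (not from the original post), here is a minimal least-frequency "stacking" hunt in Python over autorun records, the kind of HMM2 procedure described above: identical persistence entries are grouped across hosts and those seen on only a few hosts are surfaced for review. The host names, registry paths and image paths are constructed sample data.

```python
from collections import defaultdict

RUN_KEY = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
USER_RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"

# Constructed sample: (host, persistence location, image path), as an
# autoruns-style collection would report it. Not real data.
SAMPLE_AUTORUNS = (
    [(f"host0{i}", RUN_KEY, "C:\\Program Files\\Vendor\\agent.exe") for i in range(1, 6)]
    + [(f"host0{i}", RUN_KEY, "C:\\Program Files\\Updater\\updater.exe") for i in range(1, 5)]
    + [("host02", USER_RUN_KEY, "C:\\Users\\Public\\Libraries\\update.exe"),
       ("host05", USER_RUN_KEY, "C:\\Users\\Public\\Libraries\\update.exe"),
       ("host03", "Scheduled Tasks", "C:\\ProgramData\\tmp\\svc.exe")]
)


def stack_autoruns(records, max_hosts=1):
    """Least-frequency analysis: group identical (location, image) entries,
    count the distinct hosts each appears on, and return those seen on at
    most `max_hosts` hosts, rarest first. Widely deployed software lands on
    many hosts; a persistence entry unique to one or two hosts is the long
    tail a hunter reviews first."""
    hosts_by_entry = defaultdict(set)
    for host, location, image in records:
        # Normalise case so the same binary is not split into two entries.
        hosts_by_entry[(location, image.lower())].add(host)
    total_hosts = len({host for host, _, _ in records})
    rare = []
    for (location, image), hosts in hosts_by_entry.items():
        if len(hosts) <= max_hosts:
            rare.append({
                "location": location,
                "image": image,
                "hosts": sorted(hosts),
                "prevalence": len(hosts) / total_hosts,
            })
    return sorted(rare, key=lambda e: (e["prevalence"], e["image"]))


if __name__ == "__main__":
    for entry in stack_autoruns(SAMPLE_AUTORUNS, max_hosts=2):
        print(f"{entry['prevalence']:.0%} {entry['location']} -> "
              f"{entry['image']} on {entry['hosts']}")
```

Raising `max_hosts` widens the review list; on a real fleet the threshold is tuned to fleet size so that the output stays short enough to triage.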
Level 3 or HMM3-Innovative
[align=start]Organizations at the HMM3 level have at least a few cyber threat hunters on staff who know several types of data analysis techniques and are able to apply them to identify specific malicious activities. Instead of relying on procedures developed by others (as I explained in HMM2), these organizations usually create and publish procedures themselves. The analytical skills may be as simple as basic statistics or include more advanced topics such as linked data analysis, data visualization or machine learning. The key to this level is that analysts apply these techniques to create repeatable, documented procedures that are executed against a specific threat.
Organizations at the HMM3 level can be quite effective at finding and combating threat actors. However, as the number of hunting procedures they develop grows over time, they may face scalability problems in trying to run them all on a reasonable schedule unless they have enough analysts to keep up.[/align]
Level 4 or HMM4-Leading
[align=start]An HMM4-level organization is essentially the same as an HMM3-level organization with one major difference: automation. At HMM4, each successful hunting procedure is operationalized and turned into automated detection. This relieves analysts of the burden of running the same procedures repeatedly, allowing them to focus instead on improving existing procedures or creating new ones.
Organizations at the HMM4 level are highly effective at resisting adversary activity (attackers, intruders, etc.). The high level of automation lets these organizations concentrate on producing a steady stream of new hunting procedures, thereby continuously improving their detection program.[/align]