Threat Hunting and Incident Response Community

When considering your threat hunting program, what tools or technologies are the most important to your team?

    Posted Sep 25, 2020 09:22:00 AM
    Edited by Neil “Grifter” Wyler Sep 25, 2020 10:22:10 AM
    When looking at any hunt program, data is the most important aspect of a hunt. Whether you're focused on logs, packets, endpoint, or all of the above, it's about collecting data and making sense of what you've got.

    You don't have to have every type of data source to begin a hunt, but the more you have available to you, the greater your visibility, and the greater the detail of your attacker's movements.

    For me, I think any SOC should be doing the following at a minimum:

    Logs - The gold standard for decades, and will be the gold standard for decades to come. A lot of the breaches you read about were first discovered by someone just reviewing the logs. Please read your logs.

    Full Packet Capture - Video surveillance for your network. The ability to rebuild exactly how a user, or attacker, moved through your environment, what they did and what they touched. Have several days of raw packet capture and several months of metadata. 3 days of raw at a minimum, 14 days would be great, more if you have the capacity.

    Endpoint - Where the real detail comes in. For me, if I could only have one technology for threat hunting, it would be endpoint. It's where the buck stops. Have an endpoint solution in place before there are problems so that investigations can start immediately without the need for tool deployment after the alarms start going off.

    Threat Intelligence - Not just lists of IP addresses, hostnames and file hashes, but real threat intelligence: Tactics, Techniques, and Procedures (TTPs). We want to know how attackers choose targets and how they operate once they have. What tools are they using, and what footprints do those tools leave behind? We're hunting for behavior, not just IOCs.

    Some really nice-to-haves:

    Malware Analysis - When you find something sketchy, it's nice to have something that can look under the hood and see what makes it tick. If you can sandbox the potentially nasty binary, even better. Interact with your new malicious friend, and gain the kind of threat intelligence you've always wanted.

    Automation/SOAR - All those incidents can get pretty overwhelming for analysts to gather data on. Give your analysts tools to collect data from all of your devices and data sources under one incident before they start their investigation. This will mean they're using their time as an investigator, not a data aggregator.

    UEBA - Having a solution that baselines your environment and tells you when something looks odd is immensely valuable. After all, that's what hunting is about. A word of caution, though: make sure your hunters have already looked for attackers persisting in your environment before you deploy UEBA, because if malicious behavior already exists, the solution will see it as normal for your environment, allowing the attacker to remain under the radar indefinitely.

    So what are you using? What are your must haves? Who makes your favorite solutions? I'd love to hear what others see as indispensable parts of their defense.

    ------------------------------
    Neil "Grifter" Wyler
    Principal Threat Hunter, RSA
    ------------------------------
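The UEBA caveat in the post above (a baseline learns whatever is already in the environment, so pre-existing persistence looks normal) is worth seeing in code. The following is an added example, not part of the original post or of any vendor product: a toy per-user baseline of logon hosts and logon hours, built twice over the same constructed logon records, once naively over everything observed and once after a hunt has excluded the attacker's activity. All users, hosts and the compromise scenario are made up, and `hunt_findings()` stands in for what a real pre-deployment hunt would produce.

```python
"""Toy UEBA baseline illustrating why you hunt before you baseline.

Everything here is constructed: users, hosts, logon times, and the
"compromise" of jdoe's credentials. The point is the mechanism, not the
data: a baseline trained while an attacker is already active will treat
that attacker's behavior as normal.
"""

from collections import defaultdict
from dataclasses import dataclass, field


def make_events():
    """Constructed logon records as (day, user, host, hour) tuples.

    Thirty days of legitimate business-hours activity for two users, plus an
    attacker who already holds jdoe's credentials and logs on to a finance
    server at 03:00 every night. The attacker predates any baseline.
    """
    events = []
    for day in range(1, 31):
        events.append((day, "jdoe", "ws-jdoe", 9))
        events.append((day, "jdoe", "fileshare-01", 14))
        events.append((day, "asmith", "ws-asmith", 8))
        events.append((day, "asmith", "fileshare-01", 11))
        # Pre-existing persistence, present for the whole learning window.
        events.append((day, "jdoe", "srv-fin-02", 3))
    return events


@dataclass
class UserProfile:
    """What the baseline remembers about one user."""
    hosts: set = field(default_factory=set)
    hours: set = field(default_factory=set)


def build_baseline(events):
    """Learn, per user, the set of hosts and logon hours seen in the window."""
    baseline = defaultdict(UserProfile)
    for _day, user, host, hour in events:
        baseline[user].hosts.add(host)
        baseline[user].hours.add(hour)
    return baseline


def score(event, baseline):
    """Return the reasons an event deviates from its user's baseline.

    An empty list means the baseline considers the event normal.
    """
    _day, user, host, hour = event
    profile = baseline.get(user)
    if profile is None:
        return ["unknown user"]
    reasons = []
    if host not in profile.hosts:
        reasons.append(f"first logon to {host}")
    if hour not in profile.hours:
        reasons.append(f"unusual logon hour {hour:02d}:00")
    return reasons


def hunt_findings():
    """Stand-in for a pre-deployment hunt's output: (user, host) pairs confirmed
    malicious. Hard-coded here for the constructed scenario; a real hunt would
    derive this from logs, packets and endpoint data."""
    return {("jdoe", "srv-fin-02")}


def naive_vs_hunted():
    """Score the attacker's next logon against two baselines.

    Returns (reasons_from_naive_baseline, reasons_from_hunted_baseline).
    """
    events = make_events()
    # Day 31: the attacker comes back after UEBA has gone live.
    beacon = (31, "jdoe", "srv-fin-02", 3)

    # Deploy UEBA blind: baseline on everything observed, attacker included.
    naive = build_baseline(events)

    # Hunt first, strip confirmed-malicious activity, then baseline.
    bad = hunt_findings()
    cleaned = [e for e in events if (e[1], e[2]) not in bad]
    hunted = build_baseline(cleaned)

    return score(beacon, naive), score(beacon, hunted)


if __name__ == "__main__":
    naive_result, hunted_result = naive_vs_hunted()
    print("naive baseline :", naive_result or "looks normal")
    print("hunted baseline:", hunted_result or "looks normal")
```

Against the naive baseline the 03:00 logon to srv-fin-02 produces no findings at all, because thirty nights of it were part of the training data. Against the baseline built after the hunt, the same event trips both the new-host and the unusual-hour checks. Real UEBA products use far richer models than host and hour sets, but the failure mode is identical: whatever is in the learning window becomes "normal".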