PROACTIVELY IDENTIFY AND CLOSE CONTROL GAPS
Threat hunting is more than finding new and unknown threats. Regular, structured threat hunting with Intel 471’s HUNTER platform helps expose control gaps, make informed decisions about security posture, and quickly pivot to hunts for high-risk adversary behaviors.
Control gap analysis assesses how well security controls perform compared to a desired state or standard. Identifying and closing control gaps is critical for a stronger security posture and proactive security. Left unresolved, these gaps may hinder the hunter’s hypothesis or fail to log the data needed to identify, detect or analyze a threat in future hunts.
Threat hunting exposes gaps in security controls when scoping data and visibility requirements during the Development phase of each hunt. Gap analysis is also performed in the Validation phase, when testing the visibility and availability of logging data related to the hypothesis of a behavioral threat hunt. The same process can be used to identify control gaps after implementing new controls.

How HUNTER Helps Perform Gap Analysis
The HUNTER platform provides hunt content and tools to help you uncover control gaps during hunts and perform continual MITRE ATT&CK technique gap analysis to keep your teams ahead of evolving adversary tactics, techniques, and procedures (TTPs).
To test the efficacy of a hunt query, every HUNTER hunt package contains a lightweight Emulation and Validation bundle, which simulates the logging activity of the adversarial behavior, in a benign fashion, within your environment. Deploying the bundle allows you to quickly validate that your controls are properly configured to identify the malicious behavior. Validating the visibility and effectiveness of monitoring allows organizations to ensure the proper controls and policies are in place to identify the related behaviors prior to executing hunt campaigns.
MITRE Gap Analysis Tool
HUNTER features a powerful interactive MITRE Gap Analysis tool that makes it simple for threat hunters to visualize MITRE ATT&CK technique identifiers, assess coverage gaps, and pivot directly to the HUNTER hunt packages for identifying malicious behaviors. This actionable visual mapping helps your teams expose gaps in your behavioral hunts across the spectrum of MITRE techniques. It also helps you quickly move to the most relevant behavioral hunts for high-risk TTPs and undetected threats your team needs to identify and remove. Organizations can then make informed decisions about what technological capabilities they should invest in to protect their network and the visibility they should prioritize to stay ahead of emerging threats.
HUNTER’s interactive MITRE ATT&CK Gap Analysis helps hunters quickly pivot to relevant behavioral hunt packages and immediately deploy hunts on their security platforms.

Key Benefits of Structured Threat Hunting with Intel 471
Identify Technology and Visibility Gaps
Use the emulation and validation bundles to identify blind spots caused by missing tools and limitations of deployed technologies. This can include missing visibility into specific registry keys used for persistence by adversaries, informing security teams to update controls and policies based on the risk associated with the malicious behavior. Technological limitations may arise from misconfigurations or from gaps in coverage based on the deployment of endpoint agents and control policies. Identifying and closing these gaps is vital for prevention, detection, and threat hunting efficiency.
Fix Policy-Based Configuration Gaps
Controls focused on “near real time” detections often have short default retention periods, while best practice for security event logging retention recognizes that threats can remain undetected for 18 months. Threat hunting helps identify configuration gaps that result in weaker prevention, EDR policies with incorrect whitelisting rules, and operating system events (registry key changes, scheduled tasks) that aren't monitored or recorded in the organization’s SIEM or data lake.
Reduce Attack Surface Exposures
Even when no bad actors are found, scoping out the requirements for a threat hunt can help an organization identify vulnerabilities and misconfigurations in operating systems, applications, and security controls. This can help the organization proactively remediate them before they are exploited.
Documented Compliance
Documenting hunt findings and remediations provides proof that your security controls are functioning as intended. This is important for organizations in regulated sectors, helping avoid costly penalties and fines.
Identify Detection Gaps and Opportunities for the SOC
Data collected from positive identifications of previously unknown malicious activity can be analyzed for attributes that can be used for new detections. Over time, these detections can be handed to traditional SOC capabilities and no longer need threat hunting resources.
Track MITRE ATT&CK Control Gaps
Using HUNTER and the MITRE ATT&CK framework, organizations can visualize gaps and the techniques covered by existing controls based on their risk profile. Combined with intelligence-driven threat hunting, this helps determine whether a threat can be identified in an environment. Organizations can track and prioritize their gaps and their coverage of techniques employed by high-risk threat actors.
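The gap analysis described above, together with the retention check from the policy-gap section, reduced to a small script: for each technique in a high-risk actor profile it reports whether a hunt exists, whether the telemetry the hunt needs is collected at all, and whether that telemetry is retained long enough. This is an added illustration, not HUNTER code; the technique-to-data-source mappings, the SIEM inventory and the actor profile are constructed sample values.

```python
"""MITRE ATT&CK control-gap analysis over a constructed log-source inventory.
Added example, not Intel 471 code; all mappings and figures are constructed."""
MIN_RETENTION_DAYS = 18 * 30  # the page's 18-month dwell-time guidance, approximated

# Constructed hunt library: ATT&CK technique -> telemetry the hunt query needs.
HUNTS = {
    "T1547.001": ("registry_modification",),                      # Run-key persistence
    "T1053.005": ("scheduled_task", "process_creation"),          # Scheduled task
    "T1059.001": ("process_creation", "powershell_scriptblock"),  # PowerShell
}

# Constructed SIEM inventory: data source -> retention in days (absent = not collected).
INVENTORY = {
    "process_creation": 400,
    "registry_modification": 30,
    "powershell_scriptblock": 600,
}

# Constructed high-risk actor profile: techniques the team must be able to see.
ACTOR_TTPS = ["T1547.001", "T1053.005", "T1059.001", "T1003.001"]

def gap_analysis(ttps, hunts, inventory, min_retention=MIN_RETENTION_DAYS):
    """Return {technique: status}; status is 'covered' or the first gap found."""
    result = {}
    for tech in ttps:
        sources = hunts.get(tech)
        if sources is None:
            result[tech] = "no_hunt"  # content gap: no hypothesis targets this TTP
            continue
        missing = [s for s in sources if s not in inventory]
        if missing:
            result[tech] = "missing_source:" + ",".join(missing)  # visibility gap
            continue
        short = [s for s in sources if inventory[s] < min_retention]
        if short:
            result[tech] = "retention:" + ",".join(short)  # policy gap
            continue
        result[tech] = "covered"
    return result

def prioritised_gaps(ttps, hunts, inventory):
    """Gaps only, visibility gaps first because they block the hunt entirely."""
    rank = {"no_hunt": 0, "missing_source": 0, "retention": 1}
    gaps = [(t, s) for t, s in gap_analysis(ttps, hunts, inventory).items() if s != "covered"]
    return sorted(gaps, key=lambda ts: rank[ts[1].split(":")[0]])

if __name__ == "__main__":
    for tech, status in prioritised_gaps(ACTOR_TTPS, HUNTS, INVENTORY):
        print(tech, status)
```

Each line of output is one control gap to close before the corresponding hunt can be trusted to see the behavior it targets.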
HUNTER Can Proactively Reduce Control Gaps
Organizations building in-house threat hunting capabilities to combat advanced threats need the right tools and intelligence-driven behavioral hunt content to ensure consistent, reliable hunt processes that identify threats and visibility gaps. Intel 471’s HUNTER platform delivers an expanding library of pre-validated behavioral hunt queries designed for the SIEM, EDR, NDR, and XDR platforms your teams use, supported by up-to-the-minute contextual CTI, emulation and validation bundles, mitigations, and runbooks to improve analyst productivity.
The HUNTER platform also provides the Hunt Management Module, a centralized management tool, to coordinate hunts consistently across teams and measure hunt effectiveness with metrics that demonstrate business value and improvements in security posture.
Sign up to the HUNTER Community Edition and receive access to dozens of these hunt packages, offering:
Sign up for your HUNTER Community Edition account now to see how it can support your threat hunting operations.