#THIREurope: How Target Improved its Threat Hunting Capabilities

A threat hunting team is better enabled when it is given the time, and the interest, to focus on the work it wants to pursue.



Speaking at the SANS Institute Threat Hunting and IR Europe conference in London, David Bianco, principal engineer, cybersecurity, and Cat Self, lead information security analyst, both of Target, explained how the company's threat hunting team had evolved.



Bianco said that Target had the idea to develop the threat hunting team “into something more modern, as we had the same program for several years.” 



Looking at the existing program, the company asked what was working well, what was not, and what else could be accomplished. Self said that by working with level 1 and level 2 analysts, engaging them on what frustrated them and what they would like to change, the team identified three ways to improve its threat hunting efforts:



Program focus – change focus to align with what Target needed the program to do
Operational consistency – so they know how things are running
Hunt topic strategy – to gain a layer of strategy on top of hunting

“The program was created to find new incidents that had been missed,” Bianco added, saying that over time the focus of the program shifted and moved from finding incidents and ensuring visibility, to being a source of knowledge transfer between SOC analysts.



He said that human-scale detection cannot be relied upon, and the “number one goal was to tweak the focus from finding incidents to figuring out how to do better at automated detection.”
