Hunting Maturity Model

The original is a flowchart; it is laid out below as an outline. At each level, work through the questions in order. A "No" answer leads to the remediation steps listed for that level; once every question at a level can be answered "Yes", you have reached the next level.

Basic Requirements

  Q1. Do you have automated security alerting (SIEM, IDS, etc.)?
  Q2. Do you already have a dedicated incident detection or response team(s)?

  No (to any question) ->
    - Acquire an automated detection system (SIEM, IDS, etc.).
    - Create a centralized logging system and start collecting logs
      (e.g. web proxy, firewall, switches, routers, host endpoint alerts,
      event logs, AD logs, etc.).
    - Establish a specialized incident response team (even if it is only a
      single analyst) which can perform alert resolution and incident
      investigation.
    - Acquire external signature feeds and intel feeds that can complement
      your automated detection.

  Yes (to all) -> HM0

HM0: Minimal Capability

  Q1. Do you routinely collect security data from all three data domains
      (network, host, and application logs) into a centralized repository?
  Q2. Do you utilize threat intelligence to drive detection (open or closed
      source)?
  Q3. Do analysts in your SOC leverage Indicators of Compromise (IoCs) from
      reports?

  No (to any question) ->
    - Ensure regular collection of at least some security data, with at
      least one source from each data domain (network, host and
      application).
    - Make sure analysts practice some basic hunting, such as searching for
      key indicators to find threats in specific datasets.

  Yes (to all) -> HM1

HM1: Procedural Approach

  Q1. Do analysts in your SOC hunt on a regular recurring schedule (daily,
      weekly, etc.)?
  Q2. Do you have designated hunters in your SOC, or a set rotation of
      analysts who hunt, so that there is always some proactive detection
      effort being carried out?
  Q3. Do analysts in your SOC follow published hunting procedures to find
      new security incidents?

  No (to any question) ->
    - Find and identify published hunting procedures you want to carry out
      on your network.
    - Increase the scale of your data collection to include the input data
      required to carry out the published hunting procedures that you want
      to pursue.
    - Develop a schedule for applying these procedures on a regular basis.

  Yes (to all) -> HM2

HM2: Innovative Practices

  Q1. Are your hunters utilizing a variety of data analysis techniques and
      applying them to identify malicious activity?
  Q2. Do your hunters develop or publish original hunting procedures adapted
      from hunts they carry out in your environment?
  Q3. Are you collecting security data tailored to your environment and your
      hunting practices?
  Q4. Do you utilize a specialized threat hunting platform to facilitate
      streamlined hunting processes and collaboration in your hunt team?

  No (to any question) ->
    - Create a hunt team that includes both security and data analysis
      expertise, which can understand and apply a variety of different types
      of data analysis and hunting techniques.
    - Begin crafting new hunting procedures based on the security concerns
      of your organization and the threats that you have seen in the past.

  Yes (to all) -> HM3

HM3: Leading Programs

  Q1. Are you automating successful hunting procedures, or using the outputs
      of your hunts to improve alerting or automated detection efforts?
  Q2. Do you employ data science techniques to support your hunting
      procedures and help isolate anomalies in large quantities of data?
  Q3. Do you have a methodology for scaling your ability to carry out the
      hunting procedures you are continually creating?

  No (to any question) ->
    - Create a process for fully automating the successful hunting
      procedures you develop. This will ensure that your hunters are not
      wasting time by repeating hunts, but are always finding new things to
      hunt for.

  Yes (to all) -> HM4

HM4: Mature Hunting Project