Threat Hunting Metrics: The Good Metrics to Focus On
The “Good” Metrics
When it comes to Threat Hunting, there are many things that can come to mind when it comes to metrics.
I’m sure there are justifications for tracking each of them, but in this post we’re going to attempt to nail it down to the most crucial. Focusing on the positive ones.
I’ve found the most valuable metrics are those which help you understand the efficiency of your operations. Think of this as the output for your hunts. They should be actionable. You can apply this principle to Security metrics in general.
Although finding previously undetected threats is the ultimate goal, there are plenty of other benefits to threat hunting and it starts with tracking it.
Let’s take a look at some of these.
Before we look at each of these, this post won’t go over what is Threat Hunting and assumes that knowledge. For more on that, start here
Metrics that don’t rely on finding new threats:
We have to start with data. At the end of the day, if you don’t have the right data, the rest of the job is tough/impossible to do.
Data Source Coverage: The complete and comprehensive data collected from all sources within an organization’s environment. In other words, having the log sources, you need for potential investigations.
Threat hunting teams can use this data coverage metric to aid in the following:
Reduced Blind Spots
Improved Response Times
Policy Violations
Completed Hunts
Let’s take a closer look at each of these.
Reduced blind spots
Questions to ask
Do we have all the necessary telemetry to perform hunting and create detections if needed?
What would we miss as is with our current telemetry?
Have we accepted this risk?
This one is related to the above point of having adequate data coverage. Whatever blind spots you currently have, note these to have a future plan around them.
Improved Response Times
Questions to ask
Are there any ingestion delays that would slow down response time?
How are we tracking this?
The age old MTTR? Or something else?
Policy Violations
Look, not every hunt is going to end up in a new detection. And that’s okay.
A lot of times however, threat hunting could result in finding employees using a tool they shouldn’t be, a misuse of company resources, or some bad practice uncovered. These would go in the category of policy violations. And this would result in a win for you and your team.
Completed Hunts
This is the total threat hunts completed within a set timeframe. This is the input to the 3 previously mentioned outputs. Although, there are good arguments to not track this one and incentivize more qualitative approaches, I left this one in here as it can be very beneficial in the beginning of a program.
Ensure you’re using something to map your hunts, such as MITRE or the Cyber Kill Chain. One of the earliest ways I saw how to track this was with this Hunt Tracker. We don’t have to overcomplicate this one.
Metrics that rely on finding new threats:
Newly Discovered Threats
New Detections Submitted
Mean Time To Detection
Now let’s talk about each of these in more detail.
Newly Discovered Threats
This is the number of threats uncovered during hunts, which need additional analysis to determine their level of impact.
You can argue whether this is the ultimate goal of Threat Hunting.
Take as a data point this graphic from a previous post on Threat Hunting vs Detection Engineering.
New Detections Submitted
The number of threats detected by the threat hunting efforts that weren’t previously known or detected by existing tools.
This metric can show the direct value added by threat hunting to the Security program. It definitely can be the most satisfying for the practitioner.
In addition to new detections, this can also be improvements and tuning that result from what was learned in the threat hunting. This would mean reducing false positive rates for existing detection alerts. A win win for your team.
Mean Time to Detection (MTTD)
This is the metric that usually comes up when it comes to Detection and Response. This is the time it takes from when an attack occurs to when it’s detected.
The goal is to reduce the time to detection and investigation, which leads into Improved Response Times, or Mean Time to Resolution (MTTR). i.e. if your intelligence-driven hunting can aid in reducing the time you detect threats.
This is not one of my favorite metrics, as it can be misleading when looking at it from a glance but doesn’t actually tell the full story. I wouldn’t call this a bad metric, just one that could be taken out of context.
Conclusion
Although you can have other metrics that work better for your program and for your company, the thinking is to track your Threat Hunting. This will ensure not going down unnecessary rabbit holes and that the valuable output is there.
If you are in the process of building up a Threat Hunting function, or thinking of starting a hunting program, then you should consider early on in the program’s life to define its success criteria and metrics. This will help guide your team on what success looks like.