Demystifying Threat Hunting Concepts

TLDR?

  • Threat hunting doesn’t have to be complex, but it’s not for everyone
  • Knowing how to begin and end a hunt is more important than knowing how to carry out a hunt
  • If you need a place to start, look at trends in the threat landscape and focus on threats that you do not have automated alerts/detections for
  • Hunting is a creative process that rewards those who take chances
  • Finish with something, anything actionable — so long as it provides value

Where to start?

  • What is the layout of the network? What operating systems are running in the network? What tools and services are running on the operating systems? What (or where) are the critical assets in the network? (Use questions like these to determine what is normal and abnormal in the network.)
  • What is the security operations team already looking for? What automated detection is in place and how precise is it? (Use questions like these to determine what you can already find; don’t hunt for things you can already find.)
  • Which assets do threats target? What tools and tactics do threats use? How have threats behaved in the past? (Use questions like these to determine what an attacker might do in your network.)
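The three sets of questions above can be turned into a simple hunt backlog: score each trending technique by how often it appears in reporting, how much it overlaps your critical assets, and how little automated detection you already have for it. The following is an added illustration, not code from the original post; the ATT&CK technique ids, precision values, and asset classes are constructed sample data.

```python
"""Hunt-scoping helper: rank candidate hunts by prevalence, asset relevance and detection gap."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Detection:
    technique: str      # ATT&CK technique id the automated alert covers
    precision: float    # share of past alerts that were true positives (0..1)


@dataclass(frozen=True)
class Threat:
    technique: str
    prevalence: float   # how often the technique shows up in recent reporting (0..1)
    targets: frozenset  # asset classes the technique is typically used against


def coverage(detections, technique):
    """Best precision of any automated detection for a technique; 0.0 when nothing fires on it."""
    return max((d.precision for d in detections if d.technique == technique), default=0.0)


def rank_hunts(threats, detections, critical_assets):
    """Score = prevalence * asset relevance * detection gap; highest score is hunted first.
    Techniques that never touch a critical asset (score 0) drop out of the backlog."""
    scored = []
    for t in threats:
        relevance = len(t.targets & critical_assets) / len(t.targets) if t.targets else 0.0
        gap = 1.0 - coverage(detections, t.technique)     # 1.0 means no automated detection at all
        score = round(t.prevalence * relevance * gap, 3)
        if score > 0:
            scored.append((score, t.technique))
    return sorted(scored, reverse=True)


def example_backlog():
    """Constructed sample: two existing detections, four trending techniques, two critical asset classes."""
    detections = [Detection("T1059.001", 0.95), Detection("T1003", 0.40)]
    threats = [
        Threat("T1059.001", 0.8, frozenset({"workstation", "domain_controller"})),  # PowerShell, well covered
        Threat("T1003", 0.7, frozenset({"domain_controller", "workstation"})),      # credential dumping, noisy alert
        Threat("T1021.002", 0.6, frozenset({"file_server", "domain_controller"})),  # admin shares, no detection
        Threat("T1566.001", 0.9, frozenset({"workstation"})),                       # phishing, not on critical assets
    ]
    return rank_hunts(threats, detections, {"domain_controller", "file_server"})


if __name__ == "__main__":
    for score, technique in example_backlog():
        print(f"{technique}: {score}")
```

The uncovered lateral-movement technique ranks first even though phishing is more prevalent, because the backlog rewards gaps on critical assets rather than raw frequency.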

Carrying out a hunt

Now what?


dale cooper is my spirit animal. opinions are mine.

Josh Liburdi