
Ops 401 Class 33

Bill Kachersky edited this page Nov 19, 2021 · 1 revision

What is Threat Hunting?

  • Threat hunting is a proactive activity; this means it is results-driven, not alert-driven.

  • It involves searching your network for signs of compromise, looking especially for C2 (command-and-control) communications.

The search should include all devices (e.g., servers, IoT devices, desktops, BYOD, networking hardware). The activity is centered around looking for IOCs, or Indicators of Compromise. The results of a threat hunt are funneled into a Compromise Assessment.

A successful threat hunt should end with reasonable certainty of the state of your network, and ideally that state is one where the network is not compromised.
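One concrete hunt for the C2 communications mentioned above is to look for beaconing: a host that contacts the same destination at near-constant intervals. The script below is an added example, not code from these notes or from activecountermeasures.com; the connection log lines, IP addresses and the 0.1 coefficient-of-variation threshold are constructed assumptions.

```python
"""Hunt for C2-style beaconing in connection logs (added example, not from
the original notes). The log lines below are constructed in a Zeek-like
conn.log layout: ts src_ip dst_ip dst_port. A host that reaches the same
destination at near-constant intervals is a beaconing candidate; normal
user traffic is far more irregular."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 beacons every ~60 s, 10.0.0.8 is irregular.
SAMPLE_CONN_LOG = """\
1636000000 10.0.0.5 203.0.113.7 443
1636000060 10.0.0.5 203.0.113.7 443
1636000121 10.0.0.5 203.0.113.7 443
1636000180 10.0.0.5 203.0.113.7 443
1636000239 10.0.0.5 203.0.113.7 443
1636000300 10.0.0.5 203.0.113.7 443
1636000007 10.0.0.8 198.51.100.20 443
1636000350 10.0.0.8 198.51.100.20 443
1636000412 10.0.0.8 198.51.100.20 443
1636001900 10.0.0.8 198.51.100.20 443
1636002005 10.0.0.8 198.51.100.20 443
"""

def parse_conn_log(text):
    """Group connection timestamps by (src, dst, port), sorted in time."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            ts, src, dst, port = line.split()
            flows[(src, dst, int(port))].append(float(ts))
    return {k: sorted(v) for k, v in flows.items()}

def beacon_candidates(flows, min_conns=5, max_cv=0.1):
    """Return [(key, period, cv)] for flows whose gaps are nearly constant.
    cv = pstdev/mean of inter-arrival gaps; a low cv means a fixed period."""
    hits = []
    for key, times in flows.items():
        if len(times) < min_conns:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = mean(gaps)
        cv = pstdev(gaps) / period if period > 0 else 0.0
        if cv <= max_cv:
            hits.append((key, round(period, 1), round(cv, 3)))
    return hits

if __name__ == "__main__":
    for key, period, cv in beacon_candidates(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f"possible beacon {key}: period ~{period}s, cv={cv}")
```

A flagged flow is a lead for the hunt, not a verdict: legitimate software updaters and monitoring agents also poll on fixed timers, so each candidate still needs to be checked against what the host is expected to talk to.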

Why You Need Threat Hunting

Existing security tools today fall into one of two categories. They are either protection-based, which covers all systems designed to keep threat actors out of the network, or they're response-based, which focuses on getting threat actors off of the network once they're there. It's uncommon for the two to be tied together. This matters: how do we figure out that our protections have failed and we need to go into response mode?

Log analysis has been the traditional approach for bridging the gap between these two worlds. However, multiple studies have shown that log analysis does not work all that well at connecting them. That's where threat hunting comes in. When you look at how often log analysis actually catches threat actors on the inside, it's around two and a half percent of the time, statistically speaking. That means around one out of every fifty times there's an infiltration, we'll actually catch it. We can do better, and the way to do better is threat hunting.


content cited from activecountermeasures.com


This content is relevant to the course work we're studying this week because we're talking about threat hunting and learning about the techniques employed in the process of threat hunting, as well as getting hands-on experience with the process. This talk helps to further contextualize everything we're learning about.
