Threat Hunting - a Beginner's Guide

March 7, 2019


Threat hunting is a term we have all heard many times recently. The subject has been under constant scrutiny for a while now, but do we actually understand it? Security professionals view it very differently depending on their vantage point, so let us start with its goal. The ultimate goal is to provide a binary answer to the question, "Do I have a compromised system on my network?"

A useful way to think about a compromised system is a saying from John Strand: "Beaconing + Blacklisting = OMG! We are in trouble." In other words, any system that keeps making connections to a blacklisted IP is a compromised system.
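As an added illustration of that heuristic (this is not code from the original post), the script below takes a constructed connection log, measures how regular the gaps between connections are for each source/destination pair, and reports the pairs whose destination is on a constructed blocklist. The blocklist, the log lines and the thresholds (minimum connections, maximum coefficient of variation) are all assumptions for the example.

```python
# Added example, not from the original post: flag hosts that "beacon" (connect
# at near-regular intervals) to a blocklisted IP. All data here is constructed.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound connection records: "timestamp src dst"
SAMPLE_LOG = """\
2019-03-07T10:00:00 10.0.0.5 203.0.113.10
2019-03-07T10:01:01 10.0.0.5 203.0.113.10
2019-03-07T10:02:00 10.0.0.5 203.0.113.10
2019-03-07T10:03:02 10.0.0.5 203.0.113.10
2019-03-07T10:04:00 10.0.0.5 203.0.113.10
2019-03-07T10:00:30 10.0.0.7 198.51.100.20
2019-03-07T10:07:12 10.0.0.7 198.51.100.20
2019-03-07T10:09:05 10.0.0.7 198.51.100.20
2019-03-07T10:20:00 10.0.0.7 198.51.100.20
2019-03-07T10:00:10 10.0.0.9 203.0.113.10
"""
# Constructed blocklist (documentation-range addresses, placeholders only)
BLOCKLIST = {"203.0.113.10", "198.51.100.20"}

def parse_log(text):
    """Group connection timestamps by (src, dst) pair."""
    conns = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        conns[(src, dst)].append(datetime.fromisoformat(ts))
    return conns


def beacon_score(timestamps, min_conns=4):
    """Coefficient of variation of the gaps between connections, or None
    when there are too few to judge. Low CV = regular cadence = beacon-like."""
    if len(timestamps) < min_conns:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg > 0 else None


def find_beacons(log_text, blocklist, max_cv=0.2):
    """Return (src, dst, cv) for hosts beaconing to a blocklisted IP."""
    hits = []
    for (src, dst), stamps in parse_log(log_text).items():
        cv = beacon_score(stamps)
        if dst in blocklist and cv is not None and cv <= max_cv:
            hits.append((src, dst, round(cv, 3)))
    return sorted(hits)
```

Only 10.0.0.5 is reported: 10.0.0.7 talks to a blocklisted IP but at irregular gaps, and 10.0.0.9 connects just once, so neither shows the steady cadence the heuristic is after.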

In simple terms, threat hunting is a black box that takes input and produces output. What does it encompass? We need some way to collect information and work out whether we are already compromised. We also need to understand what those outputs feed into: a formalized incident handling process, a team that performs forensic investigation of the affected system, or simply a policy that says, "When a system gets compromised, throw it away and put a new system on the wire." That may sound silly, but it is a legitimate answer for some organizations.

The threat hunting process spans several infosec teams. Take one example: "I just found a system that is beaconing to an unknown or blacklisted IP." A lot of work is needed both before and after that point. We need a complete scan of the system, which leads to putting incident response plans into action; after that we switch to forensics mode to get to the root cause. Then we need to put preventive measures in place so it does not happen again.

The next question is, "We already have a lot of tools that give us a lot of data, so what is different about threat hunting that makes it difficult?" With a typical tool the process goes like this: the tool collects a lot (I mean tons) of data, because it is wonderful to see my whole network on a single dashboard; it hands that data to the management team; and then the team educates itself and finds threats in it. That last part is what distinguishes the threat hunting process from mainstream tooling.

Going further, which frameworks can serve as a helping hand in the threat hunting process? The one most commonly considered is the MITRE ATT&CK framework. It is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary's life cycle and the platforms they are known to target.

In the end, what we need to understand is this: threat hunting may seem like a great process, even a mandatory one for every organization, but not every organization can actually perform it. A threat hunting team needs threat intelligence plus a network person, an endpoint person, a malware analyst, and a scalable set of tools. It therefore takes a certain size and level of sophistication for an organization to take full advantage of it.
