Share and earn Cybytes
Facebook Twitter LinkedIn Email

by Bricata

What is network threat hunting? Threat hunting is looking for indications of malicious activities that aren’t being detected by static detection.

That’s according to Tim Crothers who is perhaps, from our perspective, among the most prominent experts on the concept of threat hunting. He’s been in security for a long time, has built and led large security teams, penned books on the topic, and routinely makes the rounds on the speaking circuit.

On a recent webinar titled Introduction to Network Threat Hunting, he gave a presentation and a demonstration of how to get started with threat hunting with the Bricata platform. The webinar was recorded and is still available for viewing.

Here are our notes summarizing his session.

What is network threat hunting?

Most organizations have some sort of static detection in use. Often this is a combination of signature detection and rules-based detection tools aimed at detecting activity known to be malicious.

While these are necessary and catch much of the basic malware, sophisticated threat actors are aware of these measures – they understand how these tools work and are good at evading them. As such, hunting becomes a method to find an activity that isn’t being detected.

Why conduct threat hunting?

In his session, Mr. Crothers identified several reasons – the benefits – for conducting threat hunting. Those reasons are:

1) To find unknown malicious activity.

This is the obvious benefit and perhaps what most people think of as the main reason. Of course, security requires a balance, we can’t forgo the fundamentals, but a good threat hunting program is one of the ways to get ahead of the reactive cycle of firefighting.

2) Threat hunting can improve static detection.

Most environments are unique and are prone to have anomalies that may not be malicious. A misconfigured server could look abnormal, or an application may perform in an odd way, for example. The virtue of threat hunting in this respect is two-fold: you learn about your environment, and if you understand your environment, you can begin to think of how an adversary might navigate it undetected.

He emphasized that successful threat hunters really understand the environment and learn how adversaries act. A stronger grasp of these two aspects will not only make you a better threat hunter, but it will also help you improve your overall defenses including static detection.

3) Threat hunting can improve professional development.

It’s no secret there’s a shortage of cybersecurity talent and one way to address this in part is by refocusing on professional development. Threat hunting exercises are a great opportunity to team level 1 and level 2 analysts with level 3 analysts. In the course of learning about the environment and thinking like an adversary, they’ll also gain from the personalized mentoring in a small group format.

How do you get started with threat hunting?

The biggest mistake organizations make in getting started with threat hunting is “trying to boil the ocean” and try to get into a platform and just “look for weird stuff.” He recommends setting clearer goals and he identified a few key steps:

To read the entire post, please click here.

Share this post and earn Cybytes
Facebook Twitter LinkedIn Email
About Bricata
Bricata is a cybersecurity solutions provider that combines a powerful network threat hunting platform into a comprehensive threat detection and prevention solution to help determine the true scope and severity threats. Bricata simplifies network threat hunting by identifying hidden threats using specifically designed hunting workflows that use detailed metadata provided clearly and eases your transition from the known to unknown malicious activities in conjunction with an advanced threat detection and prevention platform which detects zero-day malware conviction.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge


We recommend always using caution when following any link

Are you sure you want to continue?