Hello. My name is Dustin, and welcome to monitoring network traffic. So what is threat hunting?
Threat hunting is proactively searching for malware or an attacker that may be hiding in your network.
Having a SIEM to centralize all of your logs makes it much easier to hunt for threats in your network.
There's been a big push in security to go from a reactive approach, handling security events as they occur, to more of a proactive approach.
And why is this? Once an attacker gets past your basic security tools and into the network,
they're there for an average of 191 days before they're even discovered.
Think about the damage that could be done if an attacker was in your network for 191 days. That's over half a year.
Active threat hunting is working toward lowering that time by detecting attackers as soon as they're in.
Most security experts tend to use the 80/20 rule to assess cyber threats. That means that 80% of cyber threats are pretty unsophisticated and could be easily mitigated with your basic security hygiene: patching, keeping things up to date,
normal antivirus, stuff like that.
But that leaves 20% of attacks that are usually more advanced.
These require a bit more than the standard defenses to detect and respond to.
Getting started in hunting.
So how do we hunt for these more sophisticated threats? Well, first, you need to make sure your organization is ready. Threat hunting can be very successful if it's implemented correctly, but it can crash and burn if it's not.
At the very least, you should have automated blocking and monitoring tools like firewalls and endpoint detection and management, along with some type of antivirus.
You'll also need something to capture packets across the network, and it really does help to have a SIEM to organize and correlate all this data. It's not 100% necessary, but it does help a lot.
You'll also need access to some sort of threat intelligence. Otherwise, you wouldn't know what to look for. It wouldn't make sense to go hunting without a target in mind. So you need that threat intelligence to give you exactly that, whether it's an IOC, an indicator of compromise, or an IOA, an indicator of attack.
This will get you started.
Once you've got all of your tools in place, you're going to need an experienced team that, ideally, knows your organization very well. Threat hunting is extremely difficult if you don't know the environment that you're in.
In your enterprise, maybe it's normal for users or admins to use something like TeamViewer.
But in most enterprises, that's kind of a no-no; you don't want to see that running across your network. So it's good to know the environment that you're going to be hunting in.
In the last slide I mentioned IOCs and IOAs, and if you're new to security, you might not be aware of these terms. So, like I said, IOCs are indicators of compromise. They're pieces of data that indicate potentially malicious activity. These can include things like hashes of malware,
IP addresses of command and control servers, or malicious domains.
IOAs are indicators of attack. They're very similar to IOCs, but primarily focus on identifying attacker activity while the attack is actually in
process. So with an IOC, something's already happened; with an IOA, you're trying to look for things that may currently be happening.
IOCs can answer the question "What happened?", and IOAs can answer "What is happening, and why?"
CrowdStrike actually has a really great blog going over the differences between IOCs and IOAs, so if you'd like to know more, I'd definitely check it out. You can see it at www.crowdstrike.com/blog/indicators-attack-vs-indicators-compromise.
That's a really good one, and it'll go over all the differences between IOCs and IOAs.
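As an added example (not from this lecture or from the CrowdStrike post), here are two Splunk searches that show the IOC/IOA difference in practice. The first matches IOCs from a threat-intel feed against web proxy logs and answers "what happened"; the second looks for the IOA-style behaviour mentioned earlier, a remote-access tool like TeamViewer being launched on endpoints, and answers "what is happening right now". The index and sourcetype names (proxy, web_proxy, sysmon), the field names (dest_ip, dest_host, src_ip, EventCode, Image, User) and the IOC values (203.0.113.10, 198.51.100.7, c2.bad-domain.example, all from documentation ranges) are assumptions and constructed placeholders, not real indicators.

```spl
index=proxy sourcetype=web_proxy earliest=-7d
    (dest_ip IN ("203.0.113.10", "198.51.100.7") OR dest_host="c2.bad-domain.example")
| stats count AS hits min(_time) AS first_seen max(_time) AS last_seen values(src_ip) AS internal_sources
    by dest_ip dest_host
| convert ctime(first_seen) ctime(last_seen)
| sort -hits

index=sysmon EventCode=1 Image="*TeamViewer*.exe" earliest=-24h
| stats count AS launches dc(host) AS host_count values(host) AS hosts min(_time) AS first_seen
    by User Image
| convert ctime(first_seen)
| sort -launches
```

Run each search on its own. The first one is a natural scheduled alert (fire when it returns any rows, since every hit is a known-bad destination). The second one returns a list of who is running the tool and where; deciding whether that is normal is exactly the "know your environment" knowledge the lecture says a hunter needs, so compare the User column against the people actually approved to use remote-access tools before treating a row as suspicious.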
So let's go hunting.
So how do we hunt for these more sophisticated threats? It's important to remember that there is no one-size-fits-all plan when it comes to threat hunting. Every organization and every hunt really is going to be different, and every organization is going to have different risks that are involved with that
specific organization. I've mentioned that it's important to be very familiar with your environment, or to work with someone who is if you're not.
It's impossible to look for threats if you don't know what's normal and what's not normal in your environment.
Before starting to hunt, you need to set some PIRs, or prioritized intelligence requirements. These are the questions that will actually drive your hunt. So what are you looking for?
Are you looking for data exfiltration attempts? Maybe a specific malware that's going around targeting organizations like yours? Maybe it's phishing attempts. You need to focus your hunt in order to be successful. You can't just go out there
not knowing what you're looking for and not being organized. It's just not gonna work.
So in the next few slides we're going to go over the free Splunk application along with some useful queries you may be able to use.
The best way to get familiar with a SIEM is to use one.
I definitely wouldn't recommend going out and purchasing an enterprise license just to learn in your house. But Splunk actually offers a free version that I would highly recommend installing and using at home. Even if you're not using it to actively monitor, it's good to play with it and have that skill and knowledge.
So let's go ahead and walk you through downloading and installing it, and then we'll go over a quick overview of the product, including different ways to get data in, searching and alerts, along with reporting and dashboards.
So before we get into that,
I do have it downloading on my Windows 7 virtual machine. So that's actually downloading and installing now, and we'll hop in there in just a little bit. But let's go over some really common and useful commands that you should be aware of. The first one is stats.
This provides statistics, which can then be grouped by optional fields.
Chart returns all the results in a tabular chart format, which makes things a lot easier to visualize than just a bunch of data.
Dedup is something I use a lot. It removes duplicated results, which is really helpful if you've got a lot of information.
Rename allows you to rename a field or fields so you can pass them into further queries.
Top displays the most common field values, while rare displays the least common field values in a specific field,
and Splunk does offer documentation of all this on their website, which I definitely recommend checking out. They've got a quick reference guide and also a list of common commands, where they talk about stats, chart and timechart.
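Here, as an added example that is not from the lecture or from Splunk's documentation, is each of those commands used in a complete search against web server access logs, in the order stats, chart, timechart, dedup, rename, top, rare. The index name web is assumed; access_combined is the sourcetype Splunk uses for Apache-style access logs, and the searches rely on its extracted fields clientip, status, uri_path, bytes and useragent. The time ranges and the threshold of 100 requests are illustrative.

```spl
index=web sourcetype=access_combined earliest=-24h
| stats count AS requests sum(bytes) AS bytes_served dc(uri_path) AS distinct_paths by clientip
| sort -bytes_served
| head 10

index=web sourcetype=access_combined earliest=-24h
| chart limit=5 count OVER status BY clientip

index=web sourcetype=access_combined earliest=-24h
| timechart span=1h count BY status

index=web sourcetype=access_combined earliest=-24h status>=500
| dedup clientip uri_path sortby -_time
| table _time clientip uri_path status

index=web sourcetype=access_combined earliest=-24h
| rename clientip AS src_ip, uri_path AS resource
| stats count by src_ip resource
| where count > 100

index=web sourcetype=access_combined earliest=-24h
| top limit=10 uri_path

index=web sourcetype=access_combined earliest=-24h
| rare limit=10 useragent
```

Each blank-line-separated search runs on its own in the search bar. The stats search is the one you'd reach for first on a data-exfiltration PIR (which clients pulled the most bytes); chart and timechart turn the same data into something you can put on a dashboard; dedup collapses repeated errors to the latest one per client and path; rename gives fields names the rest of your pipeline expects; and top and rare are the quickest way to see what's common and what's unusual, which is where a hunter usually starts looking.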
So after this, we're gonna go and get into our Splunk demo. Like I said, you can download and install the free version of Splunk, or even a trial of some of their other versions, from splunk.com.
You do need to create an account, and with the free version you're actually limited to an index of 500 megabytes per day.