Threat Hunting Fundamentals Course Introduction
Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or
Already have an account? Sign In »
Video Transcription
00:00
>> Welcome to MITRE attack defenders threat hunting course.
00:00
I'm Steve Luke, cybersecurity engineer at
00:00
MITRE and co-author of
00:00
MITRE's TTP based hunt methodology.
00:00
I'm excited to introduce this course and teach
00:00
it along with some other members of MITRE's team.
00:00
In this course, we'll learn a six-step methodology for
00:00
applying MITRE attack to
00:00
threat hunting, let's get started.
00:00
We'll begin with an introduction to our methodology and
00:00
how it compares with and complements other approaches.
00:00
We'll discuss some context and
00:00
terms that will be important to understand
00:00
throughout the course and we'll provide
00:00
a brief overview of each step of this method.
00:00
By the end of this module,
00:00
you'll be ready to both earn
00:00
your first threat hunting badge and proceed to Module 2.
00:00
Before we dive in,
00:00
let's define what we mean by
00:00
threat hunting and detection engineering.
00:00
There are several different interpretations for
00:00
the phrase threat hunting used in the community.
00:00
For this course, we'll define it as
00:00
the proactive detection and
00:00
investigation of malicious activity within a network.
00:00
Proactive here means a targeted or continuous search for
00:00
malicious activity even without
00:00
any other indication that there has been an attack.
00:00
It is an analyst-driven,
00:00
creative process that leverages threat intelligence.
00:00
It is different from traditional incident response,
00:00
and is more than just running a single query in a seam.
00:00
Like all MAD courses,
00:00
this course is focused on
00:00
the application of attack to threat hunting,
00:00
which has a large focus on the development of analytics,
00:00
which is often called detection engineering,
00:00
and is a supporting element to threat hunting.
00:00
Some organizations separate
00:00
these activities into different teams.
00:00
In other organizations, they may both be done
00:00
by a single team or even a single person.
00:00
The primary purpose of threat hunting is to detect
00:00
previously undetected malicious activity
00:00
to reduce risk to the business or mission.
00:00
In addition, threat hunting
00:00
can provide several other benefits,
00:00
including a deeper understanding of
00:00
the environment and current defensive posture.
00:00
The discovery of misconfigurations and policy violations,
00:00
and improve skills for the defensive team.
00:00
Even on days when you don't catch a malicious actor,
00:00
threat hunting can provide a lot of value.
00:00
This is the diagram you'll see often in this course,
00:00
it's summarizes the six steps of
00:00
our methodology and acts as a visual map to help us
00:00
conceptualize the overall process and
00:00
understand where we are
00:00
within it relative to the other steps.
00:00
We mapped our process onto
00:00
a V shape to accentuate the fact that is
00:00
a sequence that starts by
00:00
characterizing malicious activity or behavior,
00:00
develops hypotheses and abstract analytics,
00:00
moves next into data collection requirements,
00:00
and then follows the opposite order
00:00
as those concepts are executed.
00:00
Starting with collecting data,
00:00
then implementing and improving analytics,
00:00
and finally, detecting the malicious activity
00:00
that was characterized in the first step.
00:00
There are three pairs of steps to this process,
00:00
on each side of the V separated by
00:00
a pivot as we move from characterization into execution.
00:00
This diagram shows the process in
00:00
a very sequential and linear way
00:00
but in practice, it's iterative.
00:00
Although you'll generally follow
00:00
these steps in this order,
00:00
you'll frequently find value in iterating
00:00
within and between steps as you learn more.
00:00
We've structured this course sequentially
00:00
according to the order of the steps in this V diagram.
00:00
Each step will correspond to
00:00
a module composed of multiple lessons.
00:00
In this module, we'll provide
00:00
background information and an overview
00:00
of the entire methodology.
00:00
Now, the title of this course is attack threat hunting,
00:00
and threat hunting is the focus of Module 6.
00:00
Threat hunters will often follow similar steps
00:00
to what we've outlined in this overall methodology,
00:00
creating hypotheses, determining data requirements,
00:00
identifying data gaps, and then
00:00
implementing and testing their ideas.
00:00
Much of the content in Modules 2 through five is often
00:00
considered to belong to
00:00
the complimentary discipline of detection engineering.
00:00
For our purposes in applying attack to this domain,
00:00
we refer to these collective
00:00
activities as threat hunting.
00:00
Here's how the modules of this course
00:00
align with the steps in this methodology.
00:00
Since you've already learned about attack from
00:00
MAD's attack fundamentals course that will
00:00
serve to explain
00:00
the malicious activity model of our first step.
00:00
After this overview module,
00:00
Module 2 we'll skip over
00:00
the step of developing and
00:00
updating a malicious activity model,
00:00
which for us is attack and proceed straight
00:00
to the development of hypotheses and abstract analytics.
00:00
In this threat hunting course,
00:00
you'll learn the method of
00:00
applying attack to threat hunting
00:00
by defining adversarial behaviors and
00:00
how to develop and refine analytics and data
00:00
collection strategies to
00:00
effectively detect those behaviors.
00:00
In this first module,
00:00
we'll go over this methodology.
00:00
By the end of this fundamentals module,
00:00
you'll be able to define the steps of
00:00
this methodology and contrast
00:00
this approach with other
00:00
complimentary hunting approaches.
00:00
Before we proceed further,
00:00
please ensure they have some familiarity with
00:00
Windows and analytic platform like Splunk or ELK,
00:00
fundamental knowledge of IP network protocols and attack.
00:00
Thanks for joining me in this lesson.
00:00
Much of this course is based on
00:00
a paper that MITRE wrote called TTP based hunting.
00:00
That original paper contains many references,
00:00
in fact, far too many to list here.
00:00
But we wanted to call out
00:00
those that we use more directly in
00:00
refining the material for this course here on this slide.
00:00
This concludes the introduction
00:00
of threat hunting fundamentals.
00:00
In summary, we're teaching a six-step method
00:00
to utilize knowledge of
00:00
adversary TTPs in your threat hunting.
00:00
The first step is covered in MITRE Attack
00:00
Defenders Attack Fundamentals course and
00:00
the other five steps are covered in modules
00:00
of this course. Thanks for watching.
Up Next
Module 1 Knowledge Check
5m
