Threat Hunting Techniques

Introduction

Cyber threat hunting is the practice of scouring a network for sophisticated threats that could harm systems and data but are not detected by existing security controls such as antivirus and anti-malware products. Threat hunting requires advanced skills in cybersecurity, systems administration, programming and penetration testing.

Because advanced threats are usually able to sidestep traditional safeguards such as intrusion detection systems and firewalls, threat hunters need to be able to reproduce the symptoms they find on the network by performing similar attacks themselves, and to collect evidence as they work through system logs and event files. This gap in security has been noticed, however, and many vendors now create and supply software packages to help with the detection, removal and analysis of new threats.

We will take a look at some of the threat-hunting techniques that are currently employed by cybersecurity professionals and how they are used to determine specific occurrences on a network.

Threat-Hunting Background

Threat hunting means different things to different people, but it is generally defined as the search for potential threats that are not yet known.

There are no “one size fits all” solutions in threat hunting, mainly because of the individual circumstances of each scenario in which it is employed, but also because the individuals who undertake such investigations have their own personal preferences and techniques. It is especially important to understand the manual nature of threat hunting, and that advanced automated processes to help detect such threats have only recently become an option.

Having said that, there are some key methodologies that are used, depending on the result required. We will take a look at some of these different methods and give a brief outline of where one might …

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Graeme Messina. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/3Dz1nEZtNIk/