
Threat Hunting: Data Collection and Analysis

Introduction

Threat hunting means proactively looking within the network for anomalies that might indicate a breach. The vast amount of data that must be collected and analyzed makes it a painstaking and time-consuming process, and that slowness can hamper its effectiveness. However, it can be greatly improved by the use of proper data collection and analysis methods. In this article, we'll discuss the various data collection and analysis methods that threat hunters and analysts can use during a hunt.

What Kind of Data Are We Collecting?

As a threat hunter, you require adequate data in order to perform your hunt. Without the right data, you cannot hunt. Let’s take a look at what qualifies as the right data used for hunting.

It's also important to note that what counts as the right data depends on what you will be looking for during your hunt. Generally, data can be classified into three categories:

1. Endpoint Data

Endpoint data comes from endpoint devices within the network. These can be end-user devices such as mobile phones, laptops and desktop PCs, but the term may also cover hardware such as servers (as in a data center). Definitions of what an endpoint actually is vary significantly, but for the most part it is what we have described above.

You will be interested in collecting the following data from within endpoints:

  • Process execution metadata: This data will contain information on the different processes running on hosts (endpoints). The most sought-after metadata will include command-line commands and arguments, and process file names and IDs.
  • Registry access data: This data will be related to registry objects, including key and value metadata, on Windows-based endpoints.
  • File data: This data will, for example, be dates when files on the host
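The three endpoint data types above are most useful when they land in one schema and can be joined by process. The following is an added example, not code from the original article or its author: it normalizes constructed JSON-lines telemetry (a made-up Sysmon-like shape; the field names `type`, `host`, `ts`, `pid`, `image`, `command_line`, `key`, `value_data`, `path` and `created` are assumptions, not any vendor's schema) into a common record, then shows the kind of analysis a hunter runs over it: searching command lines, counting registry writes per key, and flagging a registry write whose data names a file the same process created.

```python
"""Normalise process, registry and file telemetry into one hunting schema and
join the three data types on (host, pid).  All telemetry below is constructed
for this example, and the field names are assumptions rather than a real
vendor schema."""
import json
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample events in JSON-lines form (not real endpoint data).
RAW_JSONL = r'''
{"type": "process", "host": "ws01", "ts": "2024-01-10T09:00:01Z", "pid": 4120, "ppid": 2210, "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c whoami", "parent_image": "C:\\Windows\\explorer.exe"}
{"type": "registry", "host": "ws01", "ts": "2024-01-10T09:00:05Z", "pid": 4120, "operation": "SetValue", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value_name": "Updater", "value_data": "C:\\Users\\alice\\AppData\\Local\\upd.exe"}
{"type": "file", "host": "ws01", "ts": "2024-01-10T09:00:07Z", "pid": 4120, "path": "C:\\Users\\alice\\AppData\\Local\\upd.exe", "created": "2024-01-10T09:00:06Z", "modified": "2024-01-10T09:00:06Z"}
{"type": "process", "host": "srv02", "ts": "2024-01-10T09:15:00Z", "pid": 881, "ppid": 4, "image": "C:\\Windows\\System32\\svchost.exe", "command_line": "svchost.exe -k netsvcs", "parent_image": "C:\\Windows\\System32\\services.exe"}
{"type": "registry", "host": "srv02", "ts": "2024-01-10T09:16:00Z", "pid": 881, "operation": "QueryValue", "key": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip", "value_name": "Start", "value_data": "1"}
'''

# Registry operations treated as writes; reads (QueryValue etc.) are not.
WRITE_OPS = {"SetValue", "CreateKey", "DeleteValue", "DeleteKey"}

# Which raw field becomes the "subject" of each event type.
SUBJECT_FIELD = {"process": "image", "registry": "key", "file": "path"}


@dataclass
class HuntEvent:
    kind: str       # "process", "registry" or "file"
    host: str
    ts: datetime
    pid: int
    subject: str    # process image, registry key, or file path
    detail: dict    # the remaining type-specific fields (command line, value data, ...)


def _parse_ts(value: str) -> datetime:
    # fromisoformat() only accepts a trailing "Z" from Python 3.11 on.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def normalize(jsonl: str) -> list:
    """Parse JSON-lines telemetry into HuntEvents; lines of unknown type are dropped."""
    events = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        raw = json.loads(line)
        kind = raw.get("type")
        if kind not in SUBJECT_FIELD:
            continue
        skip = {"type", "host", "ts", "pid", SUBJECT_FIELD[kind]}
        detail = {k: v for k, v in raw.items() if k not in skip}
        events.append(HuntEvent(kind, raw["host"], _parse_ts(raw["ts"]),
                                int(raw["pid"]), raw[SUBJECT_FIELD[kind]], detail))
    return events


def find_processes(events, needle: str):
    """(host, pid) of processes whose command line contains `needle`, case-insensitively."""
    n = needle.lower()
    return [(e.host, e.pid) for e in events
            if e.kind == "process" and n in e.detail.get("command_line", "").lower()]


def registry_write_counts(events) -> Counter:
    """How many times each (host, key) was written; reads are ignored."""
    return Counter((e.host, e.subject) for e in events
                   if e.kind == "registry" and e.detail.get("operation") in WRITE_OPS)


def group_by_process(events):
    """Join all three data types on (host, pid) so each process's footprint is visible."""
    groups = defaultdict(lambda: {"process": None, "registry": [], "file": []})
    for e in sorted(events, key=lambda ev: ev.ts):
        g = groups[(e.host, e.pid)]
        if e.kind == "process":
            g["process"] = e
        else:
            g[e.kind].append(e)
    return dict(groups)


def writes_pointing_at_own_files(events):
    """Registry writes whose value data names a file the same process created.

    Returns (host, pid, lower-cased path) tuples so the hunter can pivot to that process.
    """
    hits = []
    for (host, pid), g in group_by_process(events).items():
        created = {f.subject.lower() for f in g["file"] if f.detail.get("created")}
        for r in g["registry"]:
            data = str(r.detail.get("value_data", "")).lower()
            if r.detail.get("operation") in WRITE_OPS and data in created:
                hits.append((host, pid, data))
    return hits


if __name__ == "__main__":
    evs = normalize(RAW_JSONL)
    print(f"{len(evs)} events across {len(group_by_process(evs))} processes")
    print("command lines mentioning 'whoami':", find_processes(evs, "whoami"))
    for hit in writes_pointing_at_own_files(evs):
        print("registry write references a file created by the same process:", hit)
```

The join on `(host, pid)` is the point: process metadata alone tells you what ran, registry data alone tells you what was written, and file data alone tells you what appeared on disk, but only the correlated view answers the hunting question of which process did all three. On a real collector the PID would be replaced by a process GUID, since PIDs are reused after a process exits.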

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Lester Obbayi. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/qtI7eK0ObvE/