Threat-hunting techniques: Conducting the hunt - Security Boulevard

Threat-hunting techniques: Conducting the hunt

Many organizations only perform reactive threat-hunting, searching for threats once it’s obvious that their environment has been compromised. A mature threat-hunting program requires proactive hunts, searching for threats that may or may not exist. This requires a different approach to the hunt since the lack of a clear threat means that there is no clear starting point, endpoint or path through the hunt.

The threat-hunting process

Threat-hunting is a multi-stage, cyclic process. Ideally, threat hunts are proactive, so the hunter doesn’t know what they’re looking for in the absence of a known threat. As a result, the first stage of the hunt is defining the purpose of the hunt. After a goal is defined, it’s possible to collect and analyze data and cycle through the phases of a hunt until a threat is detected or disproven. If a threat is detected, remediation and response are necessary to purge the threat from the system.

Defining the hunt

When performing a threat hunt, the first thing to do is to figure out what you are hunting. The wide variety of potential threats and the sea of potential data to collect means that an undirected hunt is likely to miss things. A series of short, well-directed hunts is much more likely to be successful that a single large, undirected one.

When performing a proactive threat hunt, you don’t have a specific target that you’re hunting, which may make defining the hunt difficult. Two options for hunt definitions are data-driven and target-driven.

Data-driven threat hunting

A data-driven hunt begins by collecting a data set and then analyzing it for indications of a particular threat worth hunting. For example, a threat hunter may collect the network traffic logs for the enterprise Web server and look for items of interest. If an anomaly is detected, this (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Howard Poston. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/qA5SJZSEhgY/