Difference between revisions of "Threat Hunting"

From Socology.org - The Study of Security Operations
Revision as of 04:44, 29 October 2018

This section is under development

Objective

"Threat hunting is a proactive and iterative approach to detecting threats." (Lee and Bianco, 2016)

The objective of Threat Hunting[1] is to proactively search systems for adversaries and signs of compromise. Whereas Continuous Monitoring is a reactive service, Threat Hunting actively searches logs, controls, countermeasures and activity for signs of compromise that have not yet triggered detection.

Hunting activity feeds into other services: Content Engineering, Continuous Monitoring, Log Management, and Compliance and Risk Management.

Hunting also receives inputs from Threat Intelligence, Enterprise Intelligence, Content Engineering and Risk Management.

Process

  • Known IOC Hunting
    "Hunters should be careful about relying too much on IOCs. In the industry today there are many threat data feeds that lack the context to make them true indicators." (Lee and Bianco, 2016)
  • Hypothesis Method [https://resources.infosecinstitute.com/category/enterprise/threat-hunting/threat-hunting-process/threat-hunting-methodologies/] [https://www.sans.org/reading-room/whitepapers/threats/generating-hypotheses-successful-threat-hunting-37172]
  • Exploratory Data Science [https://towardsdatascience.com/data-science-for-startups-exploratory-data-analysis-70ac1815ddec] [https://www.coursera.org/learn/exploratory-data-analysis] [https://towardsdatascience.com/exploratory-data-analysis-8fc1cb20fd15] [https://medium.com/@InDataLabs/why-start-a-data-science-project-with-exploratory-data-analysis-f90c0efcbe49]
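As an added example (not from this page or from Lee and Bianco), a small Python known-IOC hunt over constructed proxy log lines: each indicator carries whatever context its feed supplied, and sightings of context-free indicators are routed to feed validation instead of being escalated, which is the caveat the quote above makes. All addresses, domains, feed names and incident ids are constructed placeholders.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Indicator:
    value: str      # the observable to match (IP, domain, hash)
    source: str     # which feed supplied it
    context: str    # what the feed says the indicator means; "" when it says nothing

# Constructed feed entries; addresses are RFC 5737 documentation ranges, not real infrastructure.
IOCS = [
    Indicator("198.51.100.23", "vendor-feed-A", "C2 address tied to campaign X, observed 2018-10"),
    Indicator("203.0.113.7", "bulk-feed-B", ""),
    Indicator("staging.example", "internal-IR", "staging domain from closed incident IR-0042"),
]

# Constructed proxy log lines in key=value form.
LOGS = """\
2018-10-29T04:41:02Z src=10.0.0.12 dst=198.51.100.23 host=- action=allow
2018-10-29T04:41:05Z src=10.0.0.15 dst=93.184.216.34 host=www.example.com action=allow
2018-10-29T04:42:10Z src=10.0.0.12 dst=203.0.113.7 host=- action=allow
2018-10-29T04:43:44Z src=10.0.0.20 dst=10.0.0.5 host=staging.example action=block
2018-10-29T04:44:01Z src=10.0.0.15 dst=203.0.113.7 host=- action=allow
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def hunt(log_text, iocs):
    """Match dst/host fields against the IOC set; return {value: {"ioc": Indicator, "hosts": set}}."""
    by_value = {i.value: i for i in iocs}
    hits = {}
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        for key in ("dst", "host"):
            ioc = by_value.get(fields.get(key))
            if ioc is not None:
                hits.setdefault(ioc.value, {"ioc": ioc, "hosts": set()})["hosts"].add(fields["src"])
    return hits

def triage(hits):
    """Rank sightings so context-bearing IOCs lead; context-free hits go to the feed-validation queue."""
    ranked = []
    for value, h in hits.items():
        action = "investigate" if h["ioc"].context else "validate feed context before escalating"
        ranked.append((value, action, sorted(h["hosts"]), h["ioc"].source))
    # Contextual indicators first, then the widest spread across internal hosts, then by value.
    ranked.sort(key=lambda r: (r[1] != "investigate", -len(r[2]), r[0]))
    return ranked
```

Running `triage(hunt(LOGS, IOCS))` puts the two indicators with context at the top even though the context-free address from bulk-feed-B was seen on more internal hosts.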

Tooling

  • SIEM, log management or other log collection and analysis tools
  • Data analytics tools

Ticketing

Reporting

Staffing

Budget

Communications

Documentation

Lessons Learned | Pain Points

Citations

Robert M. Lee and David Bianco. 2016. Generating Hypotheses for Successful Threat Hunting. Retrieved from https://www.sans.org/reading-room/whitepapers/threats/generating-hypotheses-successful-threat-hunting-37172