Workshop On Threat Hunting: The Mindset of A Cyber Threat Hunter
Threat Hunting
THE MINDSET OF A CYBER THREAT HUNTER
[Diagram: A Continuously Learning and Adapting Cyber Security Operations Center. Components shown: Big Data, Correlated Rules, SIEM, Analytics Engine, Active IOCs, Threats, Analyst]
HOW IT WORKS
1. Threat intelligence feeds - start with open source / think strategic paid feeds - Symantec, McAfee, Team Cymru, FireEye iSight, CriticalStack, SeQtree (INDIA)
2. Lookup sources - ThreatCrowd, VirusTotal, passive DNS (PDNS), WHOIS, GeoIntel, DomainTools, Intel 471, CrowdStrike, PhishMe, RecordedFuture
3. Access to threat intelligence platforms, viz. AlienVault OTX, ThreatConnect, Anomali, CERT-In, regional / sectoral CERTs
4. Tracking of developing standards - CAPEC, ATT&CK, Threat Hunters Playbook
5. Analytics platforms that integrate, viz. Splunk, ELK, DNIF (INDIA)
We found our data being sold
THE SELLER PROMISED MORE RECORDS
SOAR Capabilities
THROUGH AN EXAMPLE
1. Two lines on analytics
2. How the bot functions - a part of it
3. Real-life scenario
4. Technique of detection (now called hunting)
5. Why it is impossible to do without analytics
6. Repeat steps 2 to 5, five times
write this line in code within 12 chars
SIEM - MF ArcSight, IBM QRadar, Intel NitroSecurity
BDA - Splunk, ELK, DNIF
DELIVERY - An Attractive Phishing Target
PHISHING - Following emails, discover campaigns
Cyber Threat Hunting
The what and the why
I have one confirmed match - yay, where did this come from?
Look for failures - share, auth etc. -- from X minus 60 days
14 queries later...
Bingo - it was a spoofed email from the team lead - clicked… infected
Now - let's figure out how to automate detection for this -- process update
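The hunt sketched above, as an added example that is not part of the workshop deck: pivot from one confirmed IOC match, pull the share/auth failures on that host from the preceding 60 days, check the user's mail for a display-name spoof of an internal sender, and then express the manual pivot as a rule the SOC can run on its own. All events, hosts, users, the internal domain "corp.test" and the indicator value are constructed for the example; the seven-day follow-up window in the rule is an assumption.

```python
"""Pivot from one confirmed IOC match back through the failure logs, then turn
the finding into a reusable detection.  Added example with constructed data."""
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "corp.test"                 # assumed internal mail domain
INTERNAL_USERS = {"tlead": "Team Lead"}       # login -> display name (constructed)
LOOKBACK_DAYS = 60                            # the deck's "X minus 60 days"
FAILURE_TYPES = {"auth_fail", "share_fail"}   # the failure classes we pivot on

# Constructed sample telemetry, oldest first.  Field set kept minimal on purpose.
EVENTS = [
    {"ts": "2024-01-05T08:00:00", "type": "auth_fail",  "host": "ws-17",  "user": "bob"},
    {"ts": "2024-02-20T10:12:00", "type": "email",      "host": "ws-17",  "user": "bob",
     "from_name": "Team Lead", "from_addr": "team.lead@mail-example.test"},
    {"ts": "2024-02-20T10:15:00", "type": "share_fail", "host": "ws-17",  "user": "bob"},
    {"ts": "2024-02-21T09:40:00", "type": "auth_fail",  "host": "ws-17",  "user": "bob"},
    {"ts": "2024-02-22T11:00:00", "type": "auth_fail",  "host": "srv-02", "user": "alice"},
    {"ts": "2024-03-01T14:00:00", "type": "email",      "host": "ws-17",  "user": "bob",
     "from_name": "Team Lead", "from_addr": "tlead@corp.test"},
    {"ts": "2024-03-10T09:00:00", "type": "ioc_match",  "host": "ws-17",  "user": "bob",
     "indicator": "203.0.113.7"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def window(match, days):
    """[start, end) of the lookback period ending at the confirmed match."""
    end = parse_ts(match["ts"])
    return end - timedelta(days=days), end


def lookback(events, match, days=LOOKBACK_DAYS):
    """Share/auth failures on the matched host in the `days` before the match."""
    start, end = window(match, days)
    return [e for e in events
            if e["type"] in FAILURE_TYPES
            and e["host"] == match["host"]
            and start <= parse_ts(e["ts"]) < end]


def is_display_name_spoof(email, internal_domain=INTERNAL_DOMAIN, users=INTERNAL_USERS):
    """Display name belongs to an internal user but the address is external."""
    domain = email["from_addr"].rsplit("@", 1)[-1].lower()
    return email["from_name"] in users.values() and domain != internal_domain


def spoofed_emails(events, match, days=LOOKBACK_DAYS):
    """Mail to the matched user in the window whose sender looks spoofed."""
    start, end = window(match, days)
    return [e for e in events
            if e["type"] == "email" and e["user"] == match["user"]
            and start <= parse_ts(e["ts"]) < end
            and is_display_name_spoof(e)]


def hunt(events, days=LOOKBACK_DAYS):
    """For each confirmed match, pivot back and summarise what preceded it."""
    findings = []
    for match in (e for e in events if e["type"] == "ioc_match"):
        failures = lookback(events, match, days)
        spoofs = spoofed_emails(events, match, days)
        findings.append({
            "indicator": match["indicator"],
            "host": match["host"],
            "user": match["user"],
            "failures_in_window": len(failures),
            "first_failure": failures[0]["ts"] if failures else None,
            "spoofed_senders": sorted({e["from_addr"] for e in spoofs}),
        })
    return findings


def detection_rule(finding, internal_domain=INTERNAL_DOMAIN):
    """Turn the manual pivot into a rule description the SOC can automate."""
    return {
        "name": "display-name spoof followed by auth/share failure",
        "when": ("email.from_name in internal_display_names "
                 f"and email.from_domain != '{internal_domain}'"),
        "then_within_days": 7,            # assumed follow-up window
        "look_for": sorted(FAILURE_TYPES),
        "seeded_by": finding["indicator"],
    }


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f)
        print(detection_rule(f))
```

The pivot is deliberately split into small functions so each one maps onto a single query in the hunt: `lookback` is the "X minus 60 days" failure search, `spoofed_emails` is the mail check that found the spoofed team-lead message, and `detection_rule` is the process update that turns the one-off hunt into something the SOC runs every day.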
TOOLS & RESOURCES
2.47s avg response time per query
3 - 5 hrs of hunting per week
Equals = lost thought for the analyst, handoff meetings with the SOC