Posts

Threat Hunting Basics - Part 7

Threat Hunting Report. The metrics below should be included in a threat hunting report (the report is not limited to them): Hypothesis, Attack Vector, Description, Scope, Data Sources, Analysis Techniques, Findings, Security Recommendations, Timestamps, Conclusion, References. Let's understand what should be included under each of the above pointers. Hypothesis: threat hunting is primarily hypothesis-driven, and the proposed explanation is used as a starting point for further investigation. Attack Vector: attack vectors are the ways an attacker can breach sensitive data or compromise an organization; recorded as cyber kill chain step, attack type and TTP ID, and attack description. Description: an explanation of the hypothesis and the malicious behavior observed. Scope: defining the scope and hypotheses of the engagement is the initial step of a proactive threat hunting activity. We will work alongside the blue team to define the scope, whether it is organization-wide, limited in scope, or addresses a specifically targeted threat. Depending on

Threat Hunting Basics - Part 6

How to Be a Good Threat Hunter. Cyber security threats are constantly evolving and can be difficult to detect, which is why the role of a threat hunter is so important. In this blog post, we'll explore the qualities and skills required of an effective threat hunter, and how they can best use their abilities to protect organizations from cyber attacks. "Technical expertise can be learned and trained. Personality traits and mindset are more difficult to shape." Positive personality traits: positive personality traits are essential for threat hunters because they set the tone for how the hunter will approach their work. A good threat hunter is patient, methodical, and detail-oriented. They are also able to think outside the box and come up with creative solutions to problems. Finally, a good threat hunter must be able to work well under pressure and keep a cool head in stressful situations. Analytical skills: analytical skills are critica

Threat Hunting Basics - Part 5

Threat Hunting Methodology. A threat hunter is a security analyst who uses manual or machine-assisted techniques to detect, isolate, and neutralize APTs that automated security tools have not detected. Threat hunters assume that adversaries are already in the system, and they initiate an investigation to find unusual behavior that may indicate the presence of malicious activity. The four methods involved in the hunting methodology are as follows. Intel-based or unstructured hunting: the intel-based hunting approach is a reactive hunt technique associated with new threats; the indicators of compromise (IOCs) published for those threats become the trigger point for the threat hunter to uncover malicious activity going on in the environment. You can check out the previous blog, which shows how threat intelligence can be useful for the threat hunting approach. Behavior-based or structured hunting: the most proactive threat hunting technique is an investigation using indicators of attack or indicators of behavior. This technique commonly aligns wit

Threat Hunting Basics - Part 4

Continued. Threat Reports and Blogs: threat reports and blogs give you insights into the new tactics, techniques, and procedures used by attackers. This information gives you an understanding of how other companies handle exploits, what types of malware the industry is seeing, what new techniques are being used to defend and attack, what the new emerging threats are, and so on. Find the reports and blogs of well-known security research teams like Nocturnus, SecureList, SpiderLabs, Cisco, Red Canary, CrowdStrike and The DFIR Report (my favorite). Try to look for how these can impact your industry or organization. Make it a goal to take away at least one security recommendation you can apply to your organization or job from each threat report you read. For example, you are reading the latest report from Red Canary and observe that the most common technique used by attackers is command and scripting interpreter (T1059), where PowerShell plays a very import

Threat Hunting Basics - Part 3

All About Threat Hunting "HYPOTHESIS". A threat hunt hypothesis is a proposed explanation made on the basis of limited evidence from a security environment; this proposed explanation is then used as a starting point for further investigation. Threat hunting is primarily hypothesis-driven, which means that quite often each hunt will begin with a series of questions or theories. Generalized questions could include: "If I were to attack this environment, how would I do it? What would I attempt to gain access to? What would be my targets?" These types of questions then lead to hypotheses that can be tested. The hunter may begin by looking for odd services, unusual network connections, unusual parent-child processes, abnormal behaviors, unusually high numbers of registry or file modifications, or anything that seems unusual for this device or environment. In many cases, the hunt may return no results, but that does not mean that this particular theory was incorrect. These th

Threat Hunting Basics - Part 2

Threat Hunting Maturity Models. Before describing the threat hunting maturity models, we first need to understand what threat hunting is and its basic terminology. The aim of this article is to learn how organizations can determine their maturity level and what advancements are required to boost their security posture. The maturity level measures the capabilities of an organization, which determines to what extent it is capable of hunting and responding to threats. The threat hunting maturity model is defined by the quantity and quality of the data the organization collects from its IT environment. Three factors determine an organization's hunting ability: the quality and quantity of the data it collects for hunting; the tools provided to access and analyze that data; and the skills of the analysts who actually use the data and tools to find security incidents. The Hunting Maturity Model, developed by Sqrrl's security architect and hunter