Threat Hunting Basics - Part 6

By Kunal Patil, Senior Threat Hunter

How to be a good Threat hunter 

Cyber security threats are constantly evolving and can be difficult to detect, which is why the role of a threat hunter is so important. In this blog post, we'll explore the qualities and skills required for an effective threat hunter, and how they can best use their abilities to protect organizations from cyber attacks.

"Technical expertise can be learned and trained. Personality traits and mindset are more difficult to shape,"

Positive personality traits

Positive personality traits are essential for threat hunters because they set the tone for how the hunter will approach their work. A good threat hunter is someone who is patient, methodical, and detail-oriented. They are also someone who is able to think outside the box and come up with creative solutions to problems. Finally, a good threat hunter must be able to work well under pressure and maintain a cool head in stressful situations.

Analytical Skills

Analytical skills are critical for threat hunters. They need to be able to understand and analyze data quickly and accurately to identify potential threats. Threat hunters must have strong analytical skills to be successful. They need to understand complex data sets and quickly identify patterns or anomalies that could indicate a threat. They also need to be able to effectively communicate their findings to others on the team.

Strong analytical skills are not only important for identifying potential threats, but also for developing effective countermeasures. Threat hunters need to be able to analyze data about past attacks to determine what was successful and what can be improved upon. This information is critical for developing strategies to prevent future attacks.

Good Communication

Threat hunters must have good communication skills, so they can clearly transmit information about threats or, weaknesses to management or security team leaders, along with recommended steps of action to counteract this. 

Enterprise knowledge

As a threat hunter, you must have a deep understanding of how systems work together in your environment. The emphasis here is on practical know-how based on and drawn from comprehensive knowledge of how your own company, and the process of your own business, work. You need to understand how to look around the corner for problems. In other words, threat hunters should be skilled enough to look at a situation and immediately realize the implications of what is happening. They should then collaborate with teams and assist them to help improve security.

Technical Knowledge

In order to be a good threat hunter, it is important to have strong technical knowledge. This includes knowledge of various security tools and techniques, as well as how to use them. Threat hunters need to be able to understand complex data sets and know how to interpret them. They also need to be able to identify patterns and anomalies that may indicate a potential threat. It’s the job of the threat hunter to identify malicious activity and take steps to prevent further attacks or damage. The below sections will illustrate what necessary technical knowledge is required when performing a threat hunt :

        1. Programming

There are many different types of programming languages, each designed for a specific purpose. For example, C++ is often used for system-level programming, while Python is more popular for scripting and web development. Java is another versatile language that can be used for a variety of purposes. Knowing at least one programming language will give you a big advantage when it comes to performing a threat hunt. With the right skills, you'll be able to automate repetitive tasks, write your own custom tools, and even reverse engineer malicious code.

        2. Networking

Networking is a critical component of any threat hunt. Understanding how to properly configure networking settings and identify common network security issues can help hunters more effectively find and neutralize threats. There are a few key things to keep in mind when it comes to networking during a threat hunt:

-Ensure that all devices on the network are properly configured and secured. This includes making sure that firewalls are enabled and up-to-date, that proper access control measures are in place, and that all devices have the latest security patches installed.

-Monitor network traffic for unusual activity. This can be done using tools like packet sniffers or SIEMs. Keep an eye out for any unexpected connections or communication patterns that could indicate malicious activity.

-Pay attention to changes in network behavior over time. By tracking how the network is being used, hunters can more easily spot changes that could indicate a compromise. For example, if there is suddenly a lot of traffic going to an IP address that wasn’t previously being used, this could be cause for investigation.

        3. Digital Forensics and Incident Response

Digital forensics and incident response (DFIR) are critical skills for any security professional. DFIR can be used to identify and investigate malicious activity, as well as to support incident response efforts. Having a strong understanding of digital forensics and incident response will help you in a variety of tasks during a threat hunt, including:

-Identifying indicators of compromise (IOCs)
-Analyzing log files
-Performing malware analysis
-Conducting network forensics
-Creating timelines of activity
-and more!

        4. Operating systems and networks knowledge

Operating systems and networks are the backbone of any organization, so it’s critical that threat hunters have a strong understanding of how they work. This knowledge will come in handy when trying to identify anomalous activity and track down malicious actors.

Threat hunters need to know how to use a variety of tools to investigate suspicious activity on networks and computers. They should be familiar with popular operating systems, such as Windows, Linux, and macOS, as well as common networking protocols. Additionally, threat hunters should have a basic understanding of digital forensics and incident response.

By having a strong foundation in operating systems and networks, threat hunters will be better equipped to detect and respond to threats.

        5. Information security experience

Information security experience is a great asset to have when conducting a threat hunt. Having this type of experience will allow you to better understand the inner workings of various systems and how they can be exploited. This knowledge can be used to more effectively identify potential threats and vulnerabilities. Furthermore, information security experience can also help you develop creative solutions to counteract these threats.

Conclusion

This is by no means a complete list, although these are some of the main core competencies that threat hunters should have. Threat hunting can be both a team game and a solo job and the minimum skills required to be a good threat hunter are explained in the above article.

Next blog includes the parameter which should be a part of threat hunting reports. 


I am a security researcher where my expertize includes domains like incident response and investigation, Malware Analysis, Threat Hunting, deception Technology, Brand protection, SIEM configuration, Digital Forensics, Cyber Threat Intelligence, EDR, Network Security, Content Filtering, etc While working I had completed my Masters(2021) in Information security where I published a thesis on “Malware Analysis using machine Learning Ensemble” My goal is to share the knowledge with everyone with technologies, upcoming trends, various platforms and mainly Lock it down, protect it up, and block the hackers.

Comments

Post a Comment

Popular posts from this blog

RTR using Falcon Crowdstrike

By Kunal Patil, Senior Threat Hunter
Image
Real Time Response Real Time Response is a powerful tool that gives security administrations the ability to remotely access systems for administration tasks, remediation actions or forensics collection, etc. without requiring physical access to the system. For more information on the CrowdStrike solution, see the additional resources and links below. In the Falcon UI, navigate to Activity > Detections. Commonly, a new detection will be the event that triggers a need for remediation.Directly from a given detection, the “Connect to Host” button allows you to remotely connect and take action. You can also connect to a host from Hosts > Host Management. Once connected, you will be presented with a list of commands and capabilities available in Real Time Response. With the ability to run commands, executables and scripts, the possibilities are endless. A few examples are listed below.
Read more

Top Commands Mostly Used By System Administrator.

By Kunal Patil, Senior Threat Hunter
Image
Top Commands Mostly Used By System Administrator. 1) IPconfig IPCONFIG Simply entering ipconfig at the command line will return basic addressing information for your system, including the adapter name, IP address, subnet mask, and default gateway. 2) IPconfig /all IPCONFIG/ALL Shows all networking information for the system, including host name, node type, adapter names, MAC addresses, DHCP lease information, etc. 3) Ping PING Ping command to verify that a host can be reached over the network. This command is useful for diagnosing host and network connectivity problems. The device sends a series of ICMP echo (ping) requests to a specified host and receives ICMP echo responses. 4) Ping "Website-name" PING TO WEBSITE   This above command used to find the IP address associated with The Specific Website. eg: 10.24.126.25 is the IP address for Website Intranet.indusind.com 5) Tracert "IP address" TRACE COMMAND Tracert comm
Read more

Damn Vulnerable Web Application - Part 1

By Kunal Patil, Senior Threat Hunter
Image
The Damn Vulnerable Web Application (DVWA) provides a PHP/MySQL web application that is damn vulnerable whose goal of being an intentionally vulnerable system for practice/teaching purposes in regard to Information Security.There are many Methods for Installing DVWA on Platforms Like Windows and Linux, In this blog i will show the easiest Walk-through for Beginners to Learn and Exploit Web Application. So let us Start with Installation and Implementation of DVWA. Step By Step Installation 1) Requirement :  Windows system for Managing VM Virtual Box ( Link ) or VMware ( Link ) should be installed on system Kali-ISO ( Link ) DVWA ISO ( Link ) 2) Switch-ON Kali and DVWA virtual machines Both must be in HOST only Adapter (we can change using VM Network setting).  3) After the Installation of Kali and DVWA in VM, find the IP address of DWVA using the Command ifconfig and Check Connectivity between them using ping command. 4) Run Kali machine and DVWA machine Par
Read more

SECURITY OPERATION CENTRE

By Kunal Patil, Senior Threat Hunter
Image
What is SOC?                    Security operations centers monitor and analyze activity on networks, servers, endpoints, databases, applications, websites, and other systems, looking for anomalous activity that could be indicative of a security incident or compromise. The SOC is responsible for ensuring that potential security incidents are correctly identified, analyzed, defended, investigated, and reported. SOC works with collaboration with People, Process and Technology.  SOC Architecture PEOPLE:                  The best way to think of a SOC is as a centralized team of people who provide threat monitoring, investigation, and response.  Larger SOCs employ a three-level analyst structure for handling security alerts generated by a security system or SIEM.  Level 1 analysts are responsible for real-time monitoring of security alerts, doing triage on them, and deciding whether an alert is serious enough to be escalated to a Level 2 analyst.  Level 1 analysts se
Read more

Cyber Threat Intelligence

By Kunal Patil, Senior Threat Hunter
Image
Gartner Definition:   Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.  To understand this term easily lets split the words and bring out meaning to it :  Cyber :  relating to or characteristic of the culture of computers, information technology, and virtual reality. Threat :  thing likely to cause damage or danger. Intelligence :  the ability to acquire and apply knowledge and skills.                 Cyber Threat intelligence helps Organisation to understands the risk of most common External threats. T hreat intelligence includes in-depth information about specific threats to help an organization protect itself from the types of attacks that could do them the most damage.  One of the proven methods to stay on top of attacks is to detect and
Read more

Collective Intelligence Framework v3 - Part 1

By Kunal Patil, Senior Threat Hunter
Image
Basic About CTI Cyber Threat intelligence(CTI) is a Technology which helps an Organization to collect and Analyze threat data received from multiple resources. Cyber threat intelligence is an automation process where it accumulate data from various external resources (such as FEEDS) and recognize the threats suitable for the Organization. By importing the Data from CTI, the next step is to exporting the CTI data into Existing Security systems. Collective intelligence Framework is an underlying Structure of CTI which helps any organization to gather all Threat Data at one place. In this blog we are discussing how to Install Collective Intelligence Framework v3 (Bearded Avenger) into security structure. Details Information About CIF you will found at : csirtgadgets Basic Requirements for Bearded Avenger CIF v3 : OS: Ubuntu 16 LTS,  x64 RAM: 16GB Cores: 4 (As Sqlite, ElasticSearch, CIF-Router among other apps would be running on same instance) HDD Capacity: 100GB
Read more

Top 20 Subdomains Search Engines

By Kunal Patil, Senior Threat Hunter
Image
Whats is Domain?  An organization shares a common suffix as Domain names which is controlled by that Organization or individual. What is Subdomains? Basically Subdomains are subdivisions of Domain. Why it is required? Subdomains are second website, which have its own unique content and makes hosting manageable and easy to organize.         Every second Organization Consists of various Subdomains as per their Requirements, I listed few Subdomains Search Engines, list is below :  Google Search - Online Search Censys - Online Search Pentest-Tools - Online Search DNS Dumpster - Online Search Netcraft - Online Search CloudPiercer - Online Search Detectify - Online Search VirusTotal - Online Search Pkey - Online Search Crt.sh - Online Search Sublist3r - GitHub repository DNScan - GitHub Repository Knock - GitHub Repository SubBrute - GitHub Repository Nmap - GitHub Repository Gobuster - GitHub Repository Fierce - Bydefault in Kali DNS
Read more

Collective Intelligence Framework v3 - Part 2

By Kunal Patil, Senior Threat Hunter
Image
In Previous blog we learned how to setup CIFv3, in this section we will discuss how to integrate data and filter the Resulted Data by-passing different parameters to it. We might have question that what happens exactly after hitting cif command or how cifv3 fetches feeds from external resources. well in this blog i will cover every details of CIFv3 but before that lets study few terminologies to understands the implementation of this Project. CIFv3 uses few Terminologies like : 1) TLP TLP stands for Traffic Light Protocol originally created by UK government for the Purpose of sharing of sensitive data. There are four colors in TLP (same like traffic lights) : RED - Not for disclosure, restricted to participants only AMBER - Limited disclosure, restricted within own organisation and clients or customers. GREEN -  Limited disclosure, restricted to the community but not via public channels WHITE - Disclosure is not limited 2) Timestamps CIF supports three Times
Read more

Security Architecture for Startup

By Kunal Patil, Senior Threat Hunter
Image
           Security Architecture is the design artifacts that describes how the security controls are positioned and how they relate to the overall systems architecture. These controls serve the Purpose to maintain the system's quality attributes such as confidentiality, integrity and availability. Following is the 10 steps plan required to build Security Architecture For Startup :   Pick Your battle  Establish a security culture  Pick security platform  Upgrade your software  Physical security  Control the internal network  Secure coding  Protect devices against malware  Perform security audits  BYOD Policies Pick Your Battle You can't secure everything, Quantify the monetory damage, likelyhood and mitigation cost of each threat to prioritize time and resource. Below are the list of threats which can taken into consideration as per Goal of the Industry (Budget + Risks). Establish a Security Culture Show Your team that Security is Important Factor
Read more

TrickBot Malware Family - A Deep Dive using Falcon Crowdstrike

By Kunal Patil, Senior Threat Hunter
Image
Use Case  Falcon OverWatch has identified probable TrickBot malware on host NAOUXXXX. A renamed copy of Vhd2disk was executed on the host, likely from a successful phish. This in turn wrote and executed a malicious file, likely TrickBot malware, and established persistence for it with a registry key. Introduction  Emotet Often referred to as a banking trojan or worm. It is a very advanced threat that is updated multiple times a day by the cybercrooks controlling it. Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Additionally, Emotet is a polymorphic banking Trojan that can evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services. It uses modular Dynamic Link Libraries (DLLs) to continuously evolve and update its capabilities. TrickBot TrickBot is most commonly installed by the Emotet Trojan, which is spread through phishing em
Read more