This document summarizes a presentation on threat hunting. It discusses how adversaries leave traces in various log files and data sources. While automated alerting is useful, it cannot find unknown threats. The document defines threat hunting as techniques to detect security incidents that were missed by automated systems. It emphasizes the importance of having a threat hunting strategy and process. Specific strategies discussed include making the most of existing data and following the kill chain model. The threat hunting process involves developing hypotheses, collecting relevant data, analyzing it using various techniques, and developing additional hypotheses to further the investigation.
22. SACON 2017
Hypotheses Can Be Driven By…

Threat Intelligence
• Both IOC searches and TTP analysis
• "d8e8fc[…]ba249 is a known-bad file hash. Let's see if it's on any of our critical systems."

Situational Awareness
• Based on friendly intel, knowledge of business processes, Crown Jewels Analysis or other knowledge of your own environment
• "Engineering users should never access the Finance file server. Let's see if they're doing that."

Domain Expertise
• A combination of intel- and awareness-based hypotheses
• "I know (China|Russia|Iran) threat actors' TTPs. Are they in our network?"
34. SACON 2017
Was the exfil an incident?

Look at the volume:
• Is this really data being exfilled, or just a statistical outlier?

Look at the IP addresses:
• Were the internal ones involved in staging or other risky behaviors?
• Were the external ones associated with suspicious domains or URIs? (You may need to explore and expand to find this.)

Look at the accounts:
• Explore from the internal IP address and expand to the accounts behind it.
• Who appears to be conducting the activity, and should they be?

Look at the relationships:
• Is the timing consistent with this type of activity?
• Is there other activity occurring before or after that indicates it is normal?
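The volume, IP address, account and timing checks above, carried through as an added example (not code from the presentation): a volume outlier is flagged with a robust median/MAD score, then the hunt pivots from the flagged internal IP to the accounts, destinations and off-hours timing behind it. The flow records, field layout and business-hours window are constructed assumptions.

```python
"""Hypothesis-driven exfil hunt over constructed outbound flow records.

Hypothesis: a host sending far more data out than its peers may be exfiltrating.
Step 1 flags volume outliers; step 2 expands to accounts, destinations, timing.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample records: (timestamp, src_ip, user, dst_domain, bytes_out)
FLOWS = [
    ("2017-03-01T10:05:00", "10.0.1.11", "alice", "crm.example.com", 120_000),
    ("2017-03-01T11:20:00", "10.0.1.12", "bob", "mail.example.com", 90_000),
    ("2017-03-01T14:10:00", "10.0.1.13", "carol", "docs.example.com", 150_000),
    ("2017-03-01T15:30:00", "10.0.1.14", "dave", "crm.example.com", 110_000),
    ("2017-03-01T16:45:00", "10.0.1.15", "erin", "mail.example.com", 100_000),
    ("2017-03-02T02:13:00", "10.0.1.20", "svc_backup", "paste.example.net", 48_000_000),
    ("2017-03-02T02:40:00", "10.0.1.20", "frank", "paste.example.net", 5_000_000),
]

def bytes_by_ip(flows):
    """Total outbound bytes per internal source IP."""
    totals = defaultdict(int)
    for _, ip, _, _, size in flows:
        totals[ip] += size
    return dict(totals)

def volume_outliers(totals, threshold=3.5):
    """IPs whose outbound volume is a high-side robust-z outlier (median/MAD)."""
    vals = list(totals.values())
    med = median(vals)
    mad = median(abs(v - med) for v in vals) or 1  # guard: all hosts equal
    # 0.6745 rescales MAD so the score reads like a standard-deviation z-score
    return sorted(ip for ip, v in totals.items() if 0.6745 * (v - med) / mad > threshold)

def pivot(flows, ip, business_hours=(8, 18)):
    """Expand from a flagged IP to the accounts, destinations and off-hours flows."""
    accounts, dests, off_hours = set(), set(), 0
    for ts, src, user, dst, _ in flows:
        if src != ip:
            continue
        accounts.add(user)
        dests.add(dst)
        hour = datetime.fromisoformat(ts).hour
        if not business_hours[0] <= hour < business_hours[1]:
            off_hours += 1
    return {"accounts": sorted(accounts), "destinations": sorted(dests), "off_hours_flows": off_hours}

def hunt(flows):
    """Flagged IP -> context an analyst reviews before calling it an incident."""
    return {ip: pivot(flows, ip) for ip in volume_outliers(bytes_by_ip(flows))}

if __name__ == "__main__":
    for ip, ctx in hunt(FLOWS).items():
        print(ip, ctx)
```

The outlier step alone only answers "is the volume unusual"; the pivot output (a service account plus a user, both active at 02:00 toward one external domain) is what lets the analyst judge whether the activity is expected.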