Online Courses
Cyber Threat Hunting
Cyber threat hunting process

Formulate

  • Identify data sources needed for the hunt based on the hypothesis

  • Determine the analysis techniques needed to answer the question posed by the hypothesis

  • Understand the tools required to gather and analyze data

Data sources

Identify the relevant data sources based on the developed hypotheses:

  • Evaluate the potential data sources available in the environment

  • Determine whether a specific data source offers any evidence for or against the hypotheses

  • Validate that the data can feasibly be collected from those sources

Analysis techniques

Identify what analysis techniques should be used:

  • Determine the adversary tactics, techniques and procedures (TTPs) the hunt will look for

  • Selection criteria should be driven by the developed hypotheses

  • The employed analysis techniques should answer questions from the hypotheses

Tools

After identifying the data sources and analysis techniques, the next step is to scope the tools needed for the hunt.

Here are some examples:

  • Security Information and Event Management (SIEM)

  • Sniffing, IDS/IPS and process monitoring tools

    • Wireshark, Snort, procmon

  • Packet capture solutions

  • DLP solutions
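The following is an added worked example of the Formulate step carried through for one hypothesis; it is not part of the course material. The hypothesis, the baseline of known-normal parent/child process pairs and the sample events are all constructed, and the event field names are an assumption modelled on Sysmon Event ID 1 process-creation records. It shows the three sub-steps in code: a feasibility check that the chosen data source carries the fields the hypothesis needs, the analysis technique (grouping parent/child process pairs and comparing them with a baseline), and the tool logic a SIEM search would implement.

```python
"""Formulate step, worked end-to-end for one constructed hypothesis.

Hypothesis:  Office applications on workstations are spawning command
             interpreters, which is rare here and consistent with macro-based
             initial access.
Data source: endpoint process-creation events (fields modelled on Sysmon
             Event ID 1; the names are an assumption for this example).
Technique:   group parent/child process pairs, compare against a baseline.
Tool:        a SIEM-style search, implemented here in plain Python.
"""
from collections import Counter

# Fields the hypothesis needs from the data source (assumed names).
REQUIRED_FIELDS = ("host", "parent_image", "image", "command_line")

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed baseline: parent/child pairs seen as normal in earlier hunts.
BASELINE_PAIRS = {
    ("explorer.exe", "winword.exe"),
    ("explorer.exe", "excel.exe"),
    ("explorer.exe", "cmd.exe"),
    ("services.exe", "svchost.exe"),
    ("winword.exe", "splwow64.exe"),   # printing from Word, benign
}

# Constructed sample events; not exported from any real environment.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent_image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c whoami"},
    {"host": "ws01", "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "command_line": "WINWORD.EXE report.docx"},
    {"host": "ws02", "parent_image": "C:\\Program Files\\Microsoft Office\\EXCEL.EXE",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden"},
    {"host": "ws02", "parent_image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "image": "C:\\Windows\\splwow64.exe", "command_line": "splwow64.exe 12288"},
    {"host": "ws03", "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe"},
    {"host": "ws03", "parent_image": "C:\\Windows\\System32\\services.exe",
     "image": "C:\\Windows\\System32\\svchost.exe", "command_line": "svchost.exe -k netsvcs"},
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def validate_data_source(events, required_fields=REQUIRED_FIELDS):
    """Feasibility check for the data source: every required field must be
    present in every event. Returns the sorted list of missing fields; an
    empty list means the source can answer the hypothesis as formulated."""
    missing = set()
    for ev in events:
        missing.update(f for f in required_fields if f not in ev)
    return sorted(missing)


def group_parent_child(events):
    """Analysis technique: aggregate events into (parent, child) pair counts."""
    return Counter((basename(ev["parent_image"]), basename(ev["image"])) for ev in events)


def hunt(events, baseline=BASELINE_PAIRS):
    """Tool logic: return sorted (host, parent, child) for interpreters spawned
    by Office applications where the pair is not in the baseline."""
    hits = []
    for ev in events:
        parent, child = basename(ev["parent_image"]), basename(ev["image"])
        if parent in OFFICE_PARENTS and child in INTERPRETERS and (parent, child) not in baseline:
            hits.append((ev["host"], parent, child))
    return sorted(hits)


if __name__ == "__main__":
    missing = validate_data_source(SAMPLE_EVENTS)
    if missing:
        raise SystemExit(f"data source cannot support the hypothesis; missing fields: {missing}")
    for (parent, child), count in group_parent_child(SAMPLE_EVENTS).most_common():
        print(f"{count:3d}  {parent} -> {child}")
    for host, parent, child in hunt(SAMPLE_EVENTS):
        print(f"HIT host={host} parent={parent} child={child}")
```

The feasibility check runs before any analysis: if the source lacks a field the hypothesis depends on (for example no parent image in the events), the hunt should be reformulated or a different data source chosen rather than run on partial data. The baseline is what turns a raw grouping into a hunt result; pairs already known to be normal are filtered out so only the unexplained ones are left for the Execution step.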
