Online Courses
Cyber Threat Hunting

Threat hunting models

Adopt a threat hunting model, like the following, that captures the steps every hunt goes through:

  1. Purpose - What is the reason for the hunt?

  2. Scope - Where is the hunt and what answers are you seeking?

  3. Formulate - Data sources and tools utilized

  4. Execute - Carry out the hunt

  5. Feedback - Lessons learned

Purpose

Reason for the hunt

  • What are the organization's goals for the hunt?

  • What is the hunting ground?

  • What are the assumptions?

  • What are the limitations?

  • What is the desired outcome?

Scope and hypothesis development

Where is the hunt and what answers are you seeking?

  • What are the facilities, networks and systems involved?

  • What data is needed for the hunt?

  • Hypothesis development based on threat hunting sources

  • Determine what's driving the hypothesis

  • Identify specific questions to be answered

  • Expected outcomes

  • Ensure scope still aligns with the purpose

Formulate

Data sources and tools

  • Identify data sources needed for the hunt based on the hypothesis

  • Determine analysis techniques needed to answer questions from the hypothesis

  • Understand the tools required to gather and analyze data

Execute

Carry out the hunt

  • Gather data identified in the formulate stage

  • Utilize analysis techniques to prove or disprove hypotheses

  • Employ additional tools, techniques and data sets as needed

  • Capture results as you proceed with the hunt

Feedback

Lessons learned from the hunt

  • This final step of the process reviews every preceding stage of the hunt

  • All parties involved in the hunt provide their feedback for the different stages

  • Examples

    • Were the hypotheses well-defined?

    • Was the outcome achieved?

    • Were identified data sources relevant?

    • Were the techniques used appropriate for the hunt?

    • Were there any visibility gaps?

