Network data

What visibility do you need in your network?

Sources of data

  • IDS/IPS

  • Email

  • Web logs

  • Firewalls

  • WAF

  • DLP

  • Additional network infrastructure devices

  • Packet captures

  • Proxy

IDS/IPS

IDS capabilities

  • Detection

  • Alerting

IPS capabilities

  • Detection

  • Alerting

  • Prevention

Firewalls

Establish initial traffic rules to determine what you will be allowing, blocking and logging

Monitor traffic for suspicious activity

Fine-tune traffic rules in response

Additional network devices

  • Hubs

  • Switches

  • Routers

Email

Email logs contain detailed records of all email transactions, including sender and recipient addresses, subject lines, message content, timestamps and other metadata

Threat hunters can use email logs to detect and investigate a range of email-related threats, such as phishing attacks, malware campaigns, spam and other suspicious activity

For example, by analyzing email logs, a threat hunter can identify patterns of suspicious email activity, such as large volumes of outbound emails from a single account or unusual attachments or links in messages

Email logs can also help trace the source of an attack or compromise, allowing investigators to identify the initial point of entry and follow the path of the attack to its endpoint

Web Application Firewall (WAF)

By analyzing web traffic and blocking potentially malicious requests, a WAF can help detect and prevent attacks against web applications

When using a WAF for threat hunting, it is important to configure it to capture and log all web traffic

  • This can provide valuable insights into web activity and help to identify potential threats

WAF logs can be analyzed to detect patterns of suspicious behavior, such as repeated failed login attempts, unusual user agent strings or requests for sensitive resources

A WAF can be used to perform active threat hunting by configuring it to block or log suspicious requests

  • Some WAFs also offer advanced features for threat hunting, such as machine learning algorithms that can detect and block unknown threats

Packet capture solutions

Packet capture solutions allow a threat hunter to capture and analyze network traffic in order to detect and investigate potential security incidents

By capturing packets of data traveling across the network, a threat hunter can analyze the traffic to identify anomalies, suspicious behavior or patterns of activity that may indicate a security threat

By analyzing packet data, a threat hunter can identify the source of the attack, the type of attack being used and the extent of the compromise

When using packet capture solutions for threat hunting, it is important to have a clear understanding of the network environment and the expected traffic patterns

Web logs

Web logs record every request made to a web server, including the source IP address, user agent, requested URL and other metadata

By analyzing web logs, a threat hunter can identify patterns of suspicious behavior and detect potential security threats

When using web logs for threat hunting, you can look for specific indicators of compromise (IOCs), such as IP addresses or user agents associated with known malicious activity

You can also look for patterns of behavior that may indicate a security threat, such as repeated failed login attempts or requests for unusual or sensitive resources

By analyzing web logs for requests that contain suspicious parameters or payloads, a threat hunter can identify potential vulnerabilities and take steps to mitigate them before they are exploited
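An added example of the web-log hunting described above (not part of the original notes): a parser for Combined Log Format lines that flags repeated failed logins per source IP, hits on an IOC watchlist of IPs and user agents, requests for sensitive resources and suspicious query parameters. The log lines, watchlist values and path list are constructed for illustration.

```python
import re
from collections import Counter

# Combined Log Format (Apache/nginx default):
# ip ident user [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed watchlists standing in for a threat-intel feed and a local policy.
IOC_IPS = {"198.51.100.23"}
IOC_UA_SUBSTRINGS = ("badbot/1.0",)
SENSITIVE_PATHS = ("/admin", "/backup")
SUSPICIOUS_PARAM_RE = re.compile(r"(\.\./|%2e%2e|<script)", re.IGNORECASE)

# Constructed sample traffic (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:56:10 +0000] "GET /backup/db.zip HTTP/1.1" 404 150 "-" "BadBot/1.0"
192.0.2.44 - - [10/Oct/2023:13:57:02 +0000] "GET /download?file=../../config/app.ini HTTP/1.1" 200 300 "-" "curl/8.0"
"""

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def hunt(log_text, fail_threshold=3):
    """Scan log text and return the findings a threat hunter would triage first."""
    failed_logins = Counter()
    findings = {"ioc_hits": [], "sensitive": [], "suspicious_params": []}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines deserve their own review; skipped here
        if rec["path"].startswith("/login") and rec["status"] == "401":
            failed_logins[rec["ip"]] += 1
        if rec["ip"] in IOC_IPS or any(s in rec["ua"].lower() for s in IOC_UA_SUBSTRINGS):
            findings["ioc_hits"].append((rec["ip"], rec["ua"]))
        path_only, _, query = rec["path"].partition("?")
        if path_only.startswith(SENSITIVE_PATHS):
            findings["sensitive"].append((rec["ip"], rec["path"]))
        if SUSPICIOUS_PARAM_RE.search(query):
            findings["suspicious_params"].append((rec["ip"], rec["path"]))
    # Only sources at or above the threshold count as a failed-login burst.
    findings["failed_login_bursts"] = {ip: n for ip, n in failed_logins.items() if n >= fail_threshold}
    return findings
```

In practice the watchlists come from a threat-intel feed and the threshold is tuned per application; the same parsed fields feed the WAF checks on unusual user agents and repeated failed logins described above.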

Data Loss Prevention (DLP)

DLP solutions are designed to prevent sensitive data from leaving an organization's network, and they typically monitor data in transit, at rest and in use

By analyzing DLP logs, a threat hunter can identify potential data exfiltration attempts and other security threats

You can also look for patterns of behavior that may indicate a security threat, such as multiple attempts to transfer large amounts of data out of the network

By analyzing DLP logs for incidents of sensitive data leakage or unauthorized access, threat hunters can identify potential gaps in their data protection policies and take steps to mitigate them

Proxy

Proxy logs provide valuable insights into web traffic, user behavior and potential security incidents.

Here are some of the key elements to look for in proxy logs when conducting threat hunting:

  • Suspicious URLs

  • Unusual user behavior

  • Blocked requests

  • Unusual traffic patterns

  • Malicious user agents

  • IP addresses and domains
