Online Courses
Cyber Threat Hunting

Structured hunting (MITRE)


Last updated 9 months ago

Structured

The Cyber Kill Chain

Lockheed Martin's Cyber Kill Chain is an invaluable resource for threat hunting

Understanding each stage of the process, from reconnaissance to actions on objectives, helps with identifying what an attacker needs to do for a successful intrusion

Mandiant's Targeted Attack Lifecycle

Mandiant's Targeted Attack Lifecycle is a different variation of the kill chain, listing the phases that an attacker must carry out

MITRE ATT&CK

Any of the previously listed attack life cycles can be picked for threat hunting

After understanding the attack life cycle and the different phases of it, a threat hunter needs to understand the specifics of how an attacker conducts each one of the phases

The MITRE ATT&CK framework provides detailed descriptions of methods by which an adversary can achieve goals for each phase of the attack

Understanding these methods allows a threat hunter to build a structured hunt based on the TTPs for an attack

Navigating the ATT&CK framework

The Enterprise ATT&CK Matrix lists the Tactics and Techniques in a tabular form for ease of understanding

Tactics represent the "why" of an ATT&CK technique or sub-technique. It is the adversary's tactical goal: the reason for performing an action. For example, an adversary may want to achieve credential access

Techniques represent "how" an adversary achieves a tactical goal by performing an action. For example, an adversary may dump credentials to achieve credential access
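The tactic/technique pairing above (the "why" of credential access and the "how" of dumping credentials) is what a structured hunt is built from: a hypothesis tagged with ATT&CK IDs, a data source, and detection logic evaluated over telemetry. The following is an added example, not course material or MITRE's own code. The ATT&CK identifiers are real (TA0006 Credential Access, T1003 OS Credential Dumping); the sample events, their field names (modelled loosely on Sysmon Event ID 10 ProcessAccess), the allowlist of expected LSASS clients and the access-mask rule are constructed for illustration and would be replaced by an environment's own baseline.

```python
"""Structured hunt built from one ATT&CK tactic/technique pair.

Added example, not part of the course. ATT&CK IDs are real (TA0006, T1003);
the sample events, field names, allowlist and access-mask rule are
constructed assumptions for illustration only.
"""
from dataclasses import dataclass
import json

# Windows PROCESS_VM_READ access right: a handle that can read another
# process's memory carries this bit. Other rights are ignored here (assumption).
PROCESS_VM_READ = 0x0010

# Constructed allowlist of processes that routinely open LSASS on Windows.
# In a real hunt this comes from baselining the environment, not a fixed list.
EXPECTED_LSASS_CLIENTS = {"csrss.exe", "wininit.exe", "msmpeng.exe"}


@dataclass(frozen=True)
class StructuredHunt:
    """The hunt record: the tactic is the 'why', the technique the 'how'."""
    tactic_id: str
    tactic: str
    technique_id: str
    technique: str
    hypothesis: str
    data_source: str


CREDENTIAL_DUMPING_HUNT = StructuredHunt(
    tactic_id="TA0006",
    tactic="Credential Access",
    technique_id="T1003",
    technique="OS Credential Dumping",
    hypothesis="An unexpected process reads LSASS memory to obtain credentials",
    data_source="Process access events (e.g. Sysmon Event ID 10)",
)

# Constructed sample telemetry as JSON lines (raw string, so the JSON '\\'
# escapes decode to single backslashes). Not real events.
SAMPLE_EVENTS = r"""
{"ts": "2024-05-01T09:00:01Z", "host": "ws01", "source": "C:\\Windows\\System32\\csrss.exe", "target": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1fffff"}
{"ts": "2024-05-01T09:02:14Z", "host": "ws01", "source": "C:\\Windows\\System32\\MsMpEng.exe", "target": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1410"}
{"ts": "2024-05-01T09:05:33Z", "host": "ws02", "source": "C:\\Users\\alice\\Downloads\\update.exe", "target": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1010"}
{"ts": "2024-05-01T09:06:02Z", "host": "ws02", "source": "C:\\Users\\alice\\Downloads\\update.exe", "target": "C:\\Windows\\System32\\notepad.exe", "granted_access": "0x1010"}
{"ts": "2024-05-01T09:07:45Z", "host": "ws03", "source": "C:\\Program Files\\Backup\\agent.exe", "target": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1400"}
"""


def parse_events(text: str) -> list[dict]:
    """Parse JSON-lines telemetry into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path: str) -> str:
    """Last path component, accepting either Windows or POSIX separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def run_hunt(hunt: StructuredHunt, events: list[dict]) -> list[dict]:
    """Evaluate the hypothesis over the events.

    A finding is an LSASS handle that includes PROCESS_VM_READ and was opened
    by a process outside the expected-client baseline. Findings carry the
    ATT&CK IDs so they can be tracked against the matrix and, once triaged,
    turned into a permanent detection.
    """
    findings = []
    for ev in events:
        if basename(ev["target"]).lower() != "lsass.exe":
            continue
        access = int(ev["granted_access"], 16)
        if not access & PROCESS_VM_READ:
            continue
        if basename(ev["source"]).lower() in EXPECTED_LSASS_CLIENTS:
            continue
        findings.append({
            "host": ev["host"],
            "ts": ev["ts"],
            "process": ev["source"],
            "tactic": hunt.tactic_id,
            "technique": hunt.technique_id,
        })
    return findings


if __name__ == "__main__":
    for f in run_hunt(CREDENTIAL_DUMPING_HUNT, parse_events(SAMPLE_EVENTS)):
        print(f"{f['ts']} {f['host']} {f['process']} -> {f['tactic']}/{f['technique']}")
```

Of the five constructed events, only the `update.exe` access to LSASS on `ws02` is flagged: the two allowlisted clients are baseline noise, the `notepad.exe` access is outside the hypothesis, and the backup agent's handle lacks the read right. The point of the structure is that the hunt is repeatable: change the technique and the data source, keep the same record and reporting shape, and the findings stay mapped to the matrix.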