Online Courses
Cyber Threat Hunting
Searching

Searching is the simplest method of hunting: the process of querying data for specific results or artifacts. It can be performed using many tools

  • Searching requires finely defined search criteria to prevent result overload

  • Designing search queries effectively is an essential skill

  • You don't always know what you're looking for, and queries need to be able to find useful data

  • Queries need to be:

    • Broad enough to collect important data

    • Narrow enough to not overwhelm the analyst

    • Focused on data likely to provide usable results
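As an added example (not part of the course material), the following Python script runs three searches over a constructed set of flow records to show the broad/narrow/focused trade-off described above: the broad query returns most of the data set, the narrow query applies a size predicate, and the focused query adds a rarity baseline so it surfaces only large transfers to destinations no other host contacts. The record fields, thresholds and addresses are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample flow records (not real traffic), one dict per flow
FLOWS = [
    {"src": "10.0.0.5",  "dst": "203.0.113.10", "dport": 443, "proto": "tcp", "bytes": 1500},
    {"src": "10.0.0.6",  "dst": "203.0.113.10", "dport": 443, "proto": "tcp", "bytes": 2000},
    {"src": "10.0.0.7",  "dst": "203.0.113.10", "dport": 443, "proto": "tcp", "bytes": 1800},
    {"src": "10.0.0.5",  "dst": "198.51.100.7", "dport": 443, "proto": "tcp", "bytes": 48_000_000},
    {"src": "10.0.0.8",  "dst": "203.0.113.20", "dport": 80,  "proto": "tcp", "bytes": 900},
    {"src": "10.0.0.9",  "dst": "192.0.2.53",   "dport": 53,  "proto": "udp", "bytes": 120},
    {"src": "10.0.0.5",  "dst": "192.0.2.53",   "dport": 53,  "proto": "udp", "bytes": 90},
    {"src": "10.0.0.6",  "dst": "203.0.113.20", "dport": 80,  "proto": "tcp", "bytes": 1100},
    {"src": "10.0.0.10", "dst": "198.51.100.9", "dport": 443, "proto": "tcp", "bytes": 300_000},
    {"src": "10.0.0.7",  "dst": "203.0.113.10", "dport": 443, "proto": "tcp", "bytes": 1700},
]

def search(records, **criteria):
    """Return records matching every criterion; a callable value acts as a predicate."""
    def matches(rec):
        for field, want in criteria.items():
            have = rec.get(field)
            if callable(want):
                if not want(have):
                    return False
            elif have != want:
                return False
        return True
    return [r for r in records if matches(r)]

def rare_destinations(records, max_hosts=1):
    """Destinations contacted by at most max_hosts distinct source hosts (a simple baseline)."""
    sources = defaultdict(set)
    for r in records:
        sources[r["dst"]].add(r["src"])
    return {dst for dst, srcs in sources.items() if len(srcs) <= max_hosts}

def hunt_large_transfers_to_rare_hosts(records, min_bytes=100_000, max_hosts=1):
    """Focused query: large TCP transfers to hosts the rest of the fleet never contacts."""
    rare = rare_destinations(records, max_hosts)
    return search(records, proto="tcp", bytes=lambda b: b >= min_bytes, dst=lambda d: d in rare)

if __name__ == "__main__":
    # Broad: nearly every record comes back, which is result overload for an analyst
    print("broad  :", len(search(FLOWS, proto="tcp")), "flows")
    # Narrow: a size predicate cuts this to a single flow, but may miss smaller transfers
    print("narrow :", search(FLOWS, proto="tcp", dport=443, bytes=lambda b: b > 1_000_000))
    # Focused: rarity baseline plus a lower size threshold keeps both unusual transfers
    print("focused:", hunt_large_transfers_to_rare_hosts(FLOWS))
```

The same pattern applies to any of the data sources listed in this section; only the field names in the records and the predicates change.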

Data sources

Knowing where to collect data is an important part of searching

  • Not all data sources are created equal

The choice of data sources to use depends on the threat

  • Searching should begin based on evidence of a threat

Examples of data sources include:

  • Flow records

  • Logs

  • Alerts

  • System events

  • Digital images

  • Memory dumps

Tools

Manually searching through collected data is impossible to do at scale

Recent developments in heuristics, artificial intelligence and threat modeling are valuable to threat hunters

While tools can help with data processing, they have limited value for analysis (i.e., they can't answer the "why")
