Forensics and Cyber Threat Research Area

Threat Intelligence | Insider Threat Detection | User Behavior Analytics | Cyber Threat Management | Data Security Intelligence | Cloud Security Intelligence Application Security Intelligence | Anomaly & Pattern Detection |  Security Information Event Management | Digital Forensics | Data Recovery | Malware Investigation | Packet Analytics | Packet Forensics | security operations and analytics platform architecture (SOAPA)

Cyber Threat Hunt Cycle

Home » Blog » Cyber Threat Hunt Cycle

 Posted in Cyber Threat

Cyber Threat Hunt Cycle

   12th October 2019  Leave a Comment on Cyber Threat Hunt Cycle 0 1254

Project Name: Cyber Threat Hunt cycle

Description: – Whenever adversary is changing the routine procedure and evade defenses of enterprises Cyber Threat Hunting will always play very important role to identify such sophisticated attacks. To start with Cyber Threat Hunting we will first understand their cycle to stage platform for more details on hunting.

Author: Rohit D Sadgune / Amruta Sadgune

FAQ: –

  • Cyber Threat Hunt cycle          
  • Different hunting techniques
  • Data Sources for Threat Hunting
  • Threat Strategy consideration points

Primary Threat Hunting Strategy Questions

There are four important questions required to boost a threat hunting strategy

  • What are you hunting?

Threat Hunting is costly and dicey.  You must restrict down exactly for which adversaries you are hunting.  Is it exploitation?  Is it lateral movement?  It is exfiltration?

  • Where will you find it?

Kindly restrict where you find primary traces of adversaries, build proper hypothesis for same.

  • How will you find adversary?

Once you located the specific posture of enterprise and what adversarial effects are you looking for, next step is to choose appropriate solutions. Take on one threat at a time an do proper mapping of adversarial effects with intelligence.

  • When will you find it?

Allocate specific team and time to put efforts on one adversary. Have a time bound for your hunting.  A never-ending chase will lead you nowhere.

Cyber Threat Hunt cycle      

  • Survey – Discover entities in the enterprise environment, regulate which entities an adversary is most likely to target and plant sensors to entities to monitor them and collect data on any malicious activity.
  • Secure – Catch down the monitored entities to ensure adversaries already in the environment are protected from moving laterally and gaining further access. The protect phase also prevents performance of new adversaries and other exploits.
  • Detect – Leverage the threat hunt sensors to robotize observations and data collection capabilities to find proof of successful and failed attacks, and detect adversaries by analyzing the collected events.
  • Respond –Terminate the attack by impeding the adversary’s access and protecting it from being regained, repair destruction to compromised entities and inform the appropriate personnel of the actions taken by the threat hunters and the vulnerabilities that still need to be addressed.
  • Cyber Threat Hunt Cycle
    Cyber Threat Hunt Cycle

Cyber Threat Hunting Building Blocks

  • Hypothesis: – Cyber threat hunting is initiated by creating knowledgeable assumptions, about the various types of adversarial effects or activities going on in your enterprise network.
  • Analysis: – Identifying relationship between different data sets is an effective technique for positioning events in an understandable way.  This includes optical, statistical and machine learning based analysis.
  • Deep Dive: – Discover modern, malicious or suspicious patterns and reach to the stage of complex attack path to unveil the adversary tactics, technique and procedures.
  • Analytics: – Enriched information with automated machine learning is key for successful threat hunting to identify, investigate and report new attackers encountered during hunting.

Primary Log Sources for Threat Hunting

System logging:- OS logging of the system. Which consists of system, application and security logging.

PowerShell logging:- Granular PowerShell logging to determine the exact nature and source of PowerShell executions

DNS logging:- Logging from DNS servers. Should contain as much information as possible, including source, requested record, size of request and response, etc.

Web server logging:- Logging from web servers that include the request type (GET, PUT, etc.), user-agents, headers and size of the request.

Authentication logging: – Authentication logging from the enterprise. Usually Active Directory logging

End-point forensic information:- Processes currently running on end-points (servers and clients)

Author: Rohit Sadgune
Core Working Areas :- Threat Intelligence, Digital Forensics, Incident Response, Fraud Investigation, Web Application Security Technical Certifications :- Computer Hacking Forensics Investigator | Certified Ethical Hacker | Certified Cyber crime investigator | Certified Professional Hacker | Certified Professional Forensics Analyst | Redhat certified Engineer | Cisco Certified Network Associates | Certified Firewall Solutions | Certified Network Monitoring Solution | Certified Proxy Solutions
Website

Leave a Reply

Your email address will not be published. Required fields are marked *

Enter Captcha Here : *

Reload Image

Indicator of Attacks | Indicator of Compromise

Top SIEM Use Cases | Threat Hunting Hypothesis | Deep Packet Inspection | Insider Threat Hunting | Hunting Data Exfiltration | Banking Fraud | ATM Use Cases | Cross Channel Data Exfiltration | Hunting Endpoint Anomaly | Denial-of-service | Man-in-the-middle (MitM) attack | Spear phishing attacks | Drive-by attack | Eavesdropping attack | Birthday attack