March 31

Webinar takeaway – Applying The Threat Hunter’s Runbook


My key takeaways

  • threat hunting runbook
    1. Identify connection persistence
    2. Identify whether there is a business need
    3. Protocol analysis
    4. Investigate the external IP address
    5. Investigate the internal IP address
  • Threat hunting is stealthy
    • only in IR mode may the adversary be allowed to notice that we are after him
  • set the TCP timeout from 5 min to 1 h in your local Zeek file
  • options to create a safelist for RITA
    • parse RITA output with a script prior to review
      • preferred because it is easy to roll back
    • RITA’s NeverInclude & NeverIncludeDomain
    • BPF filter prior to Zeek capture
      • improves performance
  • a dash behind the protocol in RITA means that the connection probably started before the Zeek collection began
  • eliminating long connections like the Windows notification service might reduce the load significantly
  • working through 24 h of data is doable in about 1 h
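One way to carry out the "parse RITA output with a script prior to review" safelisting option, and to surface the runbook's first step (connection persistence) at the same time, as an added example that is not from the webinar or from RITA itself: a small Python pre-filter over RITA's long-connection export. The CSV column layout, the safelist entries and the sample rows are assumptions constructed for the example.

```python
"""Pre-review filter for RITA long-connection output (added example, not from the webinar).

Assumed, not from the page: RITA output exported as CSV with the columns in SAMPLE.
The safelist entries and sample rows are constructed.
"""
import csv
import io
import ipaddress

# Constructed safelist: networks and domain suffixes with a known business need
# (e.g. the Windows notification service from the takeaways). Filtering them out
# here, rather than in RITA, keeps the change easy to roll back.
SAFE_NETWORKS = [ipaddress.ip_network(n) for n in ("10.20.30.0/24", "192.0.2.10/32")]
SAFE_DOMAIN_SUFFIXES = ("wns.windows.com",)

def is_safelisted(dst_ip, dst_fqdn):
    """True if the destination is in a safelisted network or under a safelisted domain."""
    ip = ipaddress.ip_address(dst_ip)
    if any(ip in net for net in SAFE_NETWORKS):
        return True
    fqdn = dst_fqdn.lower().rstrip(".")
    return any(fqdn == s or fqdn.endswith("." + s) for s in SAFE_DOMAIN_SUFFIXES)

def filter_long_conns(csv_text):
    """Drop safelisted rows, flag the '-' service marker, sort longest first."""
    kept = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if is_safelisted(row["Destination IP"], row["FQDN"]):
            continue
        service = row["Port:Protocol:Service"].split(":")[-1]
        row["Duration"] = float(row["Duration"])
        # Per the takeaway above, a '-' behind the protocol suggests the
        # connection was already up when the Zeek collection started.
        row["Note"] = "started before capture?" if service == "-" else ""
        kept.append(row)
    return sorted(kept, key=lambda r: r["Duration"], reverse=True)

# Constructed sample rows in the assumed CSV layout (durations in seconds).
SAMPLE = """Source IP,Destination IP,FQDN,Port:Protocol:Service,Duration
10.1.2.3,192.0.2.10,client.wns.windows.com,443:tcp:ssl,86399.5
10.1.2.4,203.0.113.77,,8443:tcp:-,84210.0
10.1.2.5,198.51.100.9,cdn.example.net,443:tcp:ssl,61000.0
10.1.2.6,10.20.30.40,,445:tcp:smb,79000.0
"""

if __name__ == "__main__":
    for r in filter_long_conns(SAMPLE):
        print(f'{r["Source IP"]} -> {r["Destination IP"]} {r["Port:Protocol:Service"]} '
              f'{r["Duration"]:.0f}s {r["Note"]}')
```

The rows that survive are the ones to take through steps 2 to 5 of the runbook; anything the safelist swallowed by mistake is recovered by editing the lists and rerunning, not by touching Zeek or RITA.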


User comments

  • Keith – ACM BHIS — today at 20:32
    RITA does not currently have safelisting/whitelisting built-in.

  • 3l t0r0 — today at 20:34
    how do you make a differentiation between an endpoint on for only 8 hrs vs one on for 24 hrs within the same analysis?
    • wstearns-ACM — today at 20:35
      You could feed the raw pcap into tcpdump to filter on the IP address and use capinfos on the result:
      tcpdump -r original.pcap -w justoneip.pcap 'host <ip-address>'
      capinfos justoneip.pcap


