My key takeaways
- responding to alerts, writing signatures and checking dashboards is reactive; threat hunting is proactive
- @TayandYou <- nice example of an AI getting out of control (Microsoft's Tay Twitter bot, which users quickly trained to post offensive content)
- how can AI solve infosec problems, unless we have our processes right?
- Threat hunting process
  - start with the network and look for anomalies
  - suspect system? pivot to host logs
  - infected? full forensics
- Much of threat hunting is working out whether there is a business need for what you see; context matters
Threat intelligence is about knowing what is bad. Threat hunting is about finding this "bad" on your infrastructure. Digital Forensics is what happens after you found "bad" — Pakiri@Discord
- IT mindset vs security mindset
  - IT mindset: "where is the fire?"
  - Security mindset: "what's the story behind this?"
- The Scrum & Agile mindset fits threat hunting well: constant learning and improving
- Threat hunter's toolbox
  - Lots of DNS requests for a domain but no A record requests? Suspicious (a classic sign of DNS tunnelling / C2 over DNS)
  - Set Zeek's TCP timeout to 4h to find long connections (how?)
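The two toolbox heuristics above, run over constructed Zeek-style log lines, as an added example (my own code, not from the talk or its speaker). It assumes a tab-separated subset of Zeek's dns.log fields (ts, id.orig_h, query, qtype_name) and conn.log fields (ts, uid, id.orig_h, id.resp_h, id.resp_p, proto, duration); the sample rows are made up. It goes slightly beyond the notes: besides flagging single connections of 4h or more, it also sums durations per client/server pair, so a long session that Zeek split into several records still shows up.

```python
"""Threat-hunting heuristics over constructed Zeek-style dns.log and conn.log rows."""
from collections import defaultdict

# Constructed sample dns.log rows: ts, id.orig_h, query, qtype_name (tab separated).
# Made up for this example; 10.0.0.7 issues many TXT lookups under one domain and never an A lookup.
DNS_LOG = """\
1700000000.10\t10.0.0.5\twww.example.com\tA
1700000000.20\t10.0.0.5\tmail.example.com\tA
1700000000.30\t10.0.0.5\twww.example.com\tAAAA
1700000001.00\t10.0.0.7\t3a7f9c1e.cdn-sync.net\tTXT
1700000001.10\t10.0.0.7\t91bb02d4.cdn-sync.net\tTXT
1700000001.20\t10.0.0.7\tf02e77a9.cdn-sync.net\tTXT
1700000001.30\t10.0.0.7\t5c1d8e00.cdn-sync.net\tTXT
1700000001.40\t10.0.0.7\tab34ff12.cdn-sync.net\tTXT
1700000002.00\t10.0.0.9\tupdates.vendor.org\tA
"""

# Constructed sample conn.log rows: ts, uid, id.orig_h, id.resp_h, id.resp_p, proto, duration (seconds).
# 10.0.0.7 holds one 4h+ connection; 10.0.0.9 has five back-to-back 50 min records to the same server.
CONN_LOG = """\
1700000000.00\tCabc1\t10.0.0.5\t93.184.216.34\t443\ttcp\t12.5
1700000000.00\tCabc2\t10.0.0.7\t203.0.113.10\t443\ttcp\t15100.0
1700000000.00\tCabc3\t10.0.0.9\t198.51.100.20\t443\ttcp\t3000.0
1700003000.00\tCabc4\t10.0.0.9\t198.51.100.20\t443\ttcp\t3000.0
1700006000.00\tCabc5\t10.0.0.9\t198.51.100.20\t443\ttcp\t3000.0
1700009000.00\tCabc6\t10.0.0.9\t198.51.100.20\t443\ttcp\t3000.0
1700012000.00\tCabc7\t10.0.0.9\t198.51.100.20\t443\ttcp\t3000.0
"""

LONG_CONN_SECONDS = 4 * 3600  # the 4h threshold from the notes


def parse_tsv(text):
    """Split tab-separated log text into rows, skipping blank and '#'-comment lines."""
    return [line.split("\t") for line in text.splitlines() if line and not line.startswith("#")]


def registered_domain(fqdn):
    """Crude registered-domain guess: last two labels. Assumption: a real hunt should use
    the Public Suffix List so that e.g. 'foo.co.uk' is not collapsed to 'co.uk'."""
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def suspicious_dns(dns_text, min_queries=5):
    """Flag domains queried at least min_queries times with no A/AAAA lookups at all.
    Returns {domain: {"queries", "unique_names", "clients"}}."""
    stats = defaultdict(lambda: {"total": 0, "address": 0, "names": set(), "clients": set()})
    for _ts, orig_h, query, qtype in parse_tsv(dns_text):
        s = stats[registered_domain(query)]
        s["total"] += 1
        if qtype in ("A", "AAAA"):
            s["address"] += 1
        s["names"].add(query.lower())
        s["clients"].add(orig_h)
    findings = {}
    for domain, s in stats.items():
        if s["total"] >= min_queries and s["address"] == 0:
            # Many distinct subdomains under the flagged domain strengthen the tunnelling signal.
            findings[domain] = {
                "queries": s["total"],
                "unique_names": len(s["names"]),
                "clients": sorted(s["clients"]),
            }
    return findings


def long_connections(conn_text, threshold=LONG_CONN_SECONDS):
    """Return (single, pairs): single = individual records lasting >= threshold seconds,
    pairs = {(orig_h, resp_h, resp_p): total_seconds} for pairs whose summed duration
    reaches the threshold even though no single record did."""
    single = []
    cumulative = defaultdict(float)
    for _ts, uid, orig_h, resp_h, resp_p, _proto, duration in parse_tsv(conn_text):
        seconds = float(duration)
        if seconds >= threshold:
            single.append((uid, orig_h, resp_h, seconds))
        cumulative[(orig_h, resp_h, int(resp_p))] += seconds
    pairs = {key: total for key, total in cumulative.items() if total >= threshold}
    return single, pairs


if __name__ == "__main__":
    for domain, info in suspicious_dns(DNS_LOG).items():
        print(f"DNS: {domain} queried {info['queries']}x, {info['unique_names']} unique names, "
              f"no A/AAAA lookups, clients={info['clients']}")
    single, pairs = long_connections(CONN_LOG)
    for uid, orig_h, resp_h, seconds in single:
        print(f"CONN: {uid} {orig_h} -> {resp_h} lasted {seconds / 3600:.1f}h")
    for (orig_h, resp_h, resp_p), total in pairs.items():
        print(f"PAIR: {orig_h} -> {resp_h}:{resp_p} totals {total / 3600:.1f}h across records")
```

One caveat worth keeping in mind when hunting this way: Zeek writes a conn.log record when a connection ends (or times out), so a long connection that is still open has not been logged yet; that is the reason the notes point at the timeout setting in the first place. Both heuristics only surface candidates; the business-need question above still has to be asked for each one (a backup job or VPN tunnel will also show up as a long connection).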