Webinar Takeaway: How to Get Started in Cyber Threat Hunting

My key takeaways

• responding to alerts, writing sig's, checking dashboards is reactionary; threat hunting is proactive
• @TayandYou <- nice example of an AI being out of control
  • how can AI solve infosec problems, unless we have our processes right?
• ThreatH process
  • start with the network and look for anomalies
  • suspect system? pivot to host logs
  • infected? full forensics
• Much of threat hunting is identifying, if there is a business need for what you see; context matters

• Threat intelligence is about knowing what is bad. Threat hunting is about finding this "bad" on your infrastructure. Digital Forensics is what happens after you found "bad" -- Pakiri@Discord

• IT mindset vs security mindset
  • IT mindset: "where is the fire?"
  • Security mindset: "what's the story behind this?"
• Scrum & Agile mindset fits well threat hunting: constant learning and improving
• Threat hunters toolbox
  • Zeek
  • Wireshark/tshark
  • RITA
  • Sysmon
  • Auditd
  • Syslog
  • ELK or some SIEM
• A lot of DNS requests for a domain but no A record request? Suspicious!
• Set Zeek TCP timeout to 4h to find long connections (how2)

Env

• Provided by Active Countermeasures
• Presenter: Chris Brenton

additional links

• https://www.activecountermeasures.com/cyber-threat-hunting-training-course/
• Start with your home network
• Leverage Raspberry PIs
• https://www.brimsecurity.com/