A hunter wishing to bring food home for the family first needs to decide what type of animal to target. Every quarry requires its own methods, which dictate when the hunter goes out, where they go, what kind of weapon they carry and a host of other considerations.
In the world of cyber security, it’s no different. You don’t just “go threat hunting”. You need to have a target in mind, you need to look in the right places and you need the right weapons.
In this real training for free session, we will discuss the minimum toolset and data requirements (and not necessarily volume) you need for successful threat hunting. We will take into account that while some of you can devote most of your time to threat hunting, most of us have limited time and resources for this activity. The good news is that threat hunting is flexible and anyone can do it, ranging from a few hours a week to full-time.
As just one example, a great type of threat hunting is to look for unrecognized or suspicious executables running on your network. You can dip your toe in the water with this type of hunt with a small commitment of time and resources, or you can plunge in deep with a major data collection and analysis effort. Starting out simple means you just focus on EXE names: baseline the EXE names being executed on your network, and then perform a daily review of new EXE names showing up for the first time. You can get this information from event ID 4688 (process creation), and the query capabilities required are very light. But I think you’ll be surprised at what you are able to learn and catch.
On the other hand, you can go much deeper than EXE names, which of course can be spoofed, and instead base your analysis on the hashes of the EXEs and DLLs executing on your network. That requires deployment of Sysmon to your endpoints and a significantly higher level of query and baselining sophistication, and it benefits from integration with threat intel resources.
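A minimal version of the name-based hunt described above, written here as an added example (it is not code from the session or from LogRhythm): it baselines the executable names from constructed 4688 records, reports names first seen today, and, going one step past name-only matching, also flags a known name launched from a directory the baseline never saw it in. The event field names, hosts and paths are assumptions.

```python
from pathlib import PureWindowsPath

# Constructed sample 4688 (process creation) events; field names follow the event's
# own data (NewProcessName is the full path). A real run would read the Security log.
BASELINE_EVENTS = [
    {"Computer": "WS01", "SubjectUserName": "alice", "NewProcessName": r"C:\Windows\System32\svchost.exe"},
    {"Computer": "WS01", "SubjectUserName": "alice", "NewProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Computer": "WS02", "SubjectUserName": "bob", "NewProcessName": r"C:\Windows\System32\cmd.exe"},
]
TODAY_EVENTS = [
    {"Computer": "WS01", "SubjectUserName": "alice", "NewProcessName": r"C:\Windows\System32\svchost.exe"},
    {"Computer": "WS02", "SubjectUserName": "bob", "NewProcessName": r"C:\Users\bob\AppData\Local\Temp\update_helper.exe"},
    {"Computer": "WS03", "SubjectUserName": "carol", "NewProcessName": r"C:\Users\carol\Downloads\svchost.exe"},
]

def split_path(new_process_name):
    """Return (lowercase exe name, lowercase parent directory) from a NewProcessName value."""
    p = PureWindowsPath(new_process_name)
    return p.name.lower(), str(p.parent).lower()

def build_baseline(events):
    """Map each exe name seen during the baseline window to the directories it ran from."""
    baseline = {}
    for ev in events:
        name, directory = split_path(ev["NewProcessName"])
        baseline.setdefault(name, set()).add(directory)
    return baseline

def hunt(baseline, events):
    """Daily review: return (new_names, new_locations), both keyed by exe name.
    new_names: names never seen in the baseline (the basic name-only hunt).
    new_locations: known names run from a directory not in the baseline, the
    spoofed-name case a name-only hunt misses. Values are (Computer, user, path).
    """
    new_names, new_locations = {}, {}
    for ev in events:
        name, directory = split_path(ev["NewProcessName"])
        context = (ev["Computer"], ev["SubjectUserName"], ev["NewProcessName"])
        if name not in baseline:
            new_names.setdefault(name, []).append(context)
        elif directory not in baseline[name]:
            new_locations.setdefault(name, []).append(context)
    return new_names, new_locations

if __name__ == "__main__":
    names, locations = hunt(build_baseline(BASELINE_EVENTS), TODAY_EVENTS)
    for name, hits in names.items():
        print("NEW NAME     ", name, hits)
    for name, hits in locations.items():
        print("NEW LOCATION ", name, hits)
```

Adding the baseline window's first-seen date per name, and rolling today's reviewed names into the baseline, turns this into the daily review the text describes.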
We will take the same approach with a total of 7 types of threat hunting:
- Recognizing suspicious software
- Scripting abuse
- AV follow-up
- Lateral movement
- Persistence
- DNS abuse
- Bait-the-bad-guy
Most of these threat hunts target specific things that attackers need to achieve, or the telltale sounds they are likely to make as they poke around your environment. We will get specific with each of these types of hunts and point out ways you can scale your effort according to your available resources.
LogRhythm is sponsoring this real training for free event, and Nathan Quist (aka “Q”) is helping me with it. Q is LogRhythm’s Threat Research Engineer and works with LogRhythm’s internal SOC team and its clients to perform deep dives into their environments to uncover threats facing our industry.
Besides helping me build out these threat hunts, Q will also briefly show you how LogRhythm’s NextGen SIEM platform, leveraging easily configurable or even out-of-the-box content, can automate the process of threat hunting. His presentation will highlight the value of effectively parsed data, how to find abnormalities (not just alarms) and how LogRhythm plays nicely with other tools that are critical for threat hunting.
Please join us for this real training for free session.