"Ask 10 security professionals for the definition of threat hunting and you'll get 11 answers."

What is threat hunting (definition)
• Threat hunting uses new information on previously collected data to find signs of compromise evading detection. – SANS 2019, Building and Maturing Your Threat Hunting, David Szili (CTO @ Alzette Information Security)
• Threat hunting is an active/proactive activity; its scope is every relevant environment of the organization (everything), its content is finding any signs of being compromised, and its output is an assessment of whether the organization has been compromised. – Chris Brenton, COO @ Active Countermeasures
• Threat hunting does not target threats that existing detection already catches; it is a dedicated, periodically run security activity built on a "hypothesis". – John Dwyer & Neil Wyler @ IBM X-Force, Black Hat USA 2022
• Threat hunting is the practice of proactively searching for cyber threats that are lurking undetected in a network. – CrowdStrike
• Threat hunting is the practice of searching for cyber threats that might otherwise remain undetected in your network. – CheckPoint
1. Develop a hypothesis

[Steps of the Scientific Method](https://www.sciencebuddies.org/science-fair-projects/science-fair/steps-of-the-scientific-method)

The scientific method is the process of answering a question by testing a hypothesis through experiment. Its use in scientific progress in fields such as medicine, biology, chemistry and physics goes back hundreds of years.

"If _____[I do this]_____, then _____[this]_____ will happen."
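As an added example (not code from the original article, from Chris Brenton or from Active Countermeasures), the hypothesis template above written out as a testable check and run over previously collected connection data, in the spirit of the SANS definition. The hypothesis: "If a host is running beaconing C2 malware, then its connections to the same external host in the historical connection log will recur at near-constant intervals with near-constant sizes." The tab-separated log layout, the planted sample records and the coefficient-of-variation thresholds are all assumptions chosen for the illustration.

```python
"""Hypothesis-driven hunt for beaconing over a historical connection log.

Added example; not the article's or Active Countermeasures' code.
The log format (ts, src, dst, bytes_out), the sample records and the
thresholds below are assumptions made for the illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log lines (tab-separated: ts  src  dst  bytes_out),
# loosely modelled on Zeek conn.log fields. 10.0.0.5 -> 203.0.113.7 is
# the planted beacon (~60 s period, ~512 bytes); the other pairs are
# irregular user traffic and a pair with too few events to judge.
SAMPLE_LOG = """\
0\t10.0.0.5\t203.0.113.7\t512
5\t10.0.0.8\t198.51.100.3\t1200
12\t10.0.0.8\t198.51.100.3\t80
61\t10.0.0.5\t203.0.113.7\t520
100\t10.0.0.9\t192.0.2.10\t100
119\t10.0.0.5\t203.0.113.7\t508
160\t10.0.0.9\t192.0.2.10\t100
181\t10.0.0.5\t203.0.113.7\t512
220\t10.0.0.9\t192.0.2.10\t100
240\t10.0.0.5\t203.0.113.7\t515
299\t10.0.0.5\t203.0.113.7\t510
300\t10.0.0.8\t198.51.100.3\t45000
310\t10.0.0.8\t198.51.100.3\t300
361\t10.0.0.5\t203.0.113.7\t512
900\t10.0.0.8\t198.51.100.3\t9000
1800\t10.0.0.8\t198.51.100.3\t150
"""


def parse_log(text):
    """Yield (ts, src, dst, bytes_out) tuples from the tab-separated log."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, size = line.split("\t")
        yield float(ts), src, dst, int(size)


def cv(values):
    """Coefficient of variation (pstdev / mean); 0 means perfectly regular."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def beacon_score(events):
    """events: list of (ts, bytes_out) for one src->dst pair.

    Returns (interval_cv, size_cv, count). A pair with fewer than two
    events has no intervals, so its regularity is reported as infinite.
    """
    if len(events) < 2:
        return float("inf"), float("inf"), len(events)
    events = sorted(events)
    intervals = [later[0] - earlier[0] for earlier, later in zip(events, events[1:])]
    sizes = [size for _, size in events]
    return cv(intervals), cv(sizes), len(events)


def hunt(log_text, min_events=5, max_cv=0.2):
    """Test the hypothesis against the log.

    Returns the src->dst pairs whose timing and size regularity both fall
    under max_cv. min_events keeps a handful of coincidentally spaced
    connections from being scored as a beacon.
    """
    pairs = defaultdict(list)
    for ts, src, dst, size in parse_log(log_text):
        pairs[(src, dst)].append((ts, size))

    hits = []
    for (src, dst), events in pairs.items():
        if len(events) < min_events:
            continue
        interval_cv, size_cv, count = beacon_score(events)
        if interval_cv <= max_cv and size_cv <= max_cv:
            hits.append({"src": src, "dst": dst, "count": count,
                         "interval_cv": round(interval_cv, 3),
                         "size_cv": round(size_cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

Two things worth noticing when running it. Lowering `min_events` to 3 makes the 10.0.0.9 pair a hit as well, since three evenly spaced connections of identical size are perfectly "regular"; that is exactly why a hunt hypothesis needs a minimum evidence threshold. And a hit is a lead, not a verdict: NTP, update checkers and monitoring agents are also periodic, so the output of this step feeds the assessment of whether the host is compromised rather than replacing it, and a clean run over the full data set is itself a result for the hypothesis.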
The [NIST Cybersecurity Framework [16]](https://www.nist.gov/cyberframework) divides security activities into a closed loop of `Identify`, `Protect`, `Detect`, `Respond` and `Recover`, covering the complete information-security protection cycle for enterprise assets; it is referred to as the IPDRR framework for short.
Within it, the `DE.CM` category stands for `Security Continuous Monitoring: The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures`; it precedes `DE.DP`, whose main content is `Detection processes and procedures are maintained and tested to ensure awareness of anomalous events`. Threat hunting touches DE.CM-1, DE.CM-2, DE.CM-3, DE.CM-6 and DE.CM-7 (monitoring of the network, the physical environment, personnel activity, external service provider activity, and unauthorized personnel, connections, devices and software, respectively) to discover latent malicious threats in the environment and the organization; at the same time, the results of threat hunting feed back into DE.DP-5, `Detection processes are continuously improved`.
Now consider Gartner's security operations model. In Gartner's [Security Operations Primer for 2022 [19]](https://www.gartner.com/en/doc/759058-security-operations-primer-for-2022), security operations is a closed loop of three factors, four domains and four goals, as shown in the figure:
The three factors are the people, process and technology that Gartner has always emphasized; every security activity and goal is organized around these three, and building a modern security operations center likewise starts from them. The four domains of Gartner's model are governance and operations; security services; security monitoring/detection/response technology; and threat and exposure management. Governance and operations emphasizes building the security team, the competence of security staff and the standardization of security processes, highlighting the role of people in security operations. Threat and exposure management emphasizes confirming the scope of the assets to be protected and understanding the threats and risks those assets face. Monitoring/detection/response concentrates on the closed loop of discovering and handling security incidents, and on building the platforms, processes and technology for that handling. Security services highlight a series of security activities such as threat hunting, threat intelligence and red/blue team exercises: beyond threat protection and response, an organization still needs such activities to raise its level of security, focusing on the top of the information security Pyramid of Pain [13].
Chris Brenton, COO of Active Countermeasures and a SANS instructor, has published a series of tutorial [videos [14]](https://www.youtube.com/watch?v=lt1ld62Fids) on YouTube explaining threat hunting. His 2020 article "what is threat hunting and why is it so important" [7] briefly lays out his understanding of threat hunting and why it matters.
In that article, [what is threat hunting and why is it so important [7]](https://www.activecountermeasures.com/what-is-threat-hunting-and-why-is-it-so-important-video-blog/), Chris Brenton describes the importance of threat hunting. In his view: threat hunting is the activity that connects security protection and security response; a compromise is generally discovered about six months after the event; most compromises are discovered by third-party security vendors; existing log analysis or SIEM platforms detect only 2.5% of incidents; and so on.
It has to be said that Chris Brenton's figures here are somewhat exaggerated; I also don't believe that any company in China that already runs dedicated security operations could tolerate an incident detection rate this low. But the situation we actually face is not that optimistic either: although Chris Brenton's numbers are exaggerated, his point is not wrong.
Team-level benefits
• Turns unknown risks into known risks and allows them to be managed effectively
• Identifies adversarial activities that made it through existing defenses
• Provides an increased understanding of what threats current defenses have visibility into and where those defenses could be lacking
• Increases understanding of the enterprise for all personnel involved
• Validates/develops a documented network baseline and map
• Provides insight into potential system and network misconfigurations
• Identifies gaps in logging and network visibility
High-level benefits
• Improves adherence to legal and regulatory requirements
• Aids in risk management decisions before or after major network reconfigurations, such as mergers with other organizations
• Validates threat intelligence reporting specific to the organization and the threat actors that are targeting them
• Can be utilized as a proof point for any investment adjustments into specific network security areas
• Reinforces stakeholders' trust in the confidentiality, integrity, and availability of the network