6. WHY HUNTING FITS IN
• IT infrastructure is very complex (cloud, IoT, SDN)
• Adversaries are no longer script kiddies; they are well-funded, qualified professionals
• Published breach statistics show that most compromises were at least 120 days old when discovered
7. WHAT IS THREAT HUNTING?
• Actively looking for incidents instead of waiting for an alert
• Building a hypothesis from threat intelligence and IOCs
• Allocating time, resources and hunters to dig deep
8. WHAT HUNTING GIVES BACK TO YOU
• Companies can truly understand their current level of compromise
• Quickly identify and remediate the gaps
• Streamline incident response processes, procedures and technology flow with existing teams
• Companies gain a better understanding of the digital footprint inside their network
9. LET'S DIG DEEP
• Find out what is normal in your environment in order to identify what is "abnormal"
• If you are unfamiliar with your environment, response will be extremely ineffective
• Running processes and their privilege level
• Network activity
• Scheduled tasks
• Persistence mechanisms
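The hunt loop that slides 7 and 9 describe (a hypothesis built from IOCs, checked against a baseline of what is normal for processes, privilege level, network activity, scheduled tasks and persistence) as an added worked example; this is not code from the slides or the presenter. The host names, paths, hashes, domains and IPs are constructed sample telemetry, the baseline is a hypothetical known-good snapshot, and the IOC set is made up for the example.

```python
"""Baseline-versus-current hunt over constructed host telemetry.

Four hunting checks from the slides:
  1. processes: known name running from an unexpected path (masquerading),
     binaries never seen before, and hashes in the IOC set
  2. privilege level: SYSTEM-level processes outside the baseline set
  3. persistence: scheduled tasks / Run keys absent from the baseline
  4. network: IOC destinations and ports the baseline never uses
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    name: str
    path: str
    user: str
    sha256: str


@dataclass(frozen=True)
class Autorun:          # persistence entry: scheduled task or Run key
    kind: str           # "task" or "runkey"
    name: str
    command: str


@dataclass(frozen=True)
class Connection:
    process: str
    dest: str           # IP or domain
    port: int


SYSTEM = "NT AUTHORITY\\SYSTEM"
IOC_HASH = "ab" * 32   # constructed SHA-256 for the example, not a real sample

# Hypothetical known-good snapshot taken while the host was believed clean.
BASELINE = {
    "processes": {
        Process("svchost.exe", r"C:\Windows\System32\svchost.exe", SYSTEM, "11" * 32),
        Process("lsass.exe", r"C:\Windows\System32\lsass.exe", SYSTEM, "22" * 32),
        Process("explorer.exe", r"C:\Windows\explorer.exe", "CORP\\alice", "33" * 32),
    },
    "system_processes": {"svchost.exe", "lsass.exe", "services.exe"},
    "autoruns": {
        Autorun("task", r"\Microsoft\Windows\Defrag\ScheduledDefrag", r"%windir%\system32\defrag.exe -c"),
        Autorun("runkey", "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    },
    "ports": {53, 80, 443, 445},
}

# Constructed "current" telemetry from the same hypothetical host.
CURRENT = {
    "processes": [
        Process("svchost.exe", r"C:\Windows\System32\svchost.exe", SYSTEM, "11" * 32),
        Process("explorer.exe", r"C:\Windows\explorer.exe", "CORP\\alice", "33" * 32),
        Process("svchost.exe", r"C:\Users\alice\AppData\Local\Temp\svchost.exe", "CORP\\alice", "44" * 32),
        Process("updater.exe", r"C:\ProgramData\updater.exe", SYSTEM, IOC_HASH),
    ],
    "autoruns": list(BASELINE["autoruns"]) + [Autorun("task", r"\Updater", r"C:\ProgramData\updater.exe")],
    "connections": [
        Connection("svchost.exe", "10.0.0.5", 443),
        Connection("updater.exe", "cdn-update.example", 443),
        Connection("svchost.exe", "203.0.113.7", 4444),
    ],
}

# Made-up IOC set standing in for a threat-intel feed.
IOCS = {"sha256": {IOC_HASH}, "domains": {"cdn-update.example"}, "ips": {"198.51.100.23"}}


def hunt(baseline: dict, current: dict, iocs: dict) -> list[tuple[str, str, str]]:
    """Return (finding_type, subject, detail) for everything abnormal or IOC-matching."""
    findings: list[tuple[str, str, str]] = []

    known_paths = {(p.name.lower(), p.path.lower()) for p in baseline["processes"]}
    known_names = {name for name, _ in known_paths}
    for p in current["processes"]:
        if p.sha256 in iocs["sha256"]:
            findings.append(("ioc_hash", p.name, p.sha256))
        elif (p.name.lower(), p.path.lower()) not in known_paths:
            # Same name as a baseline process but a different path is classic masquerading.
            kind = "masquerade_path" if p.name.lower() in known_names else "new_process"
            findings.append((kind, p.name, p.path))
        if p.user.upper() == SYSTEM and p.name.lower() not in baseline["system_processes"]:
            findings.append(("unexpected_system_privilege", p.name, p.user))

    known_autoruns = {(a.kind, a.name.lower()) for a in baseline["autoruns"]}
    for a in current["autoruns"]:
        if (a.kind, a.name.lower()) not in known_autoruns:
            findings.append(("new_persistence", f"{a.kind}:{a.name}", a.command))

    for c in current["connections"]:
        if c.dest in iocs["domains"] or c.dest in iocs["ips"]:
            findings.append(("ioc_network", c.process, f"{c.dest}:{c.port}"))
        elif c.port not in baseline["ports"]:
            findings.append(("unusual_port", c.process, f"{c.dest}:{c.port}"))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in hunt(BASELINE, CURRENT, IOCS):
        print(f"{kind:28} {subject:14} {detail}")
```

The IOC checks are the hypothesis-driven part of the hunt; the baseline diff is what catches the svchost.exe copy in a Temp directory and the port 4444 connection that no IOC feed would list. In practice the baseline would come from a real inventory of running processes, scheduled tasks and Run keys rather than the hard-coded snapshot used here.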
11. WHEN TO HUNT
• Once in a lifetime (a one-off engagement)
• Regularly
• As part of a SOC initiative
• Before any major incident
Editor's Notes
An incident starts when a notification comes in, e.g. a CERT call, or a NIDS, SIEM or AV alert.
Patched infrastructure / Could've (intelligence development) ***** MOST OF THE TIME JUMPING IN / Easily recover losses