The document discusses the foundations of threat hunting, focusing on the types of hypotheses used: intelligence-driven, awareness-driven, and analytics-driven. It emphasizes the importance of data gathering and analysis tools, detailing various data sources including firewalls, antivirus, and endpoints for effective threat hunting. Additionally, it promotes Infosec skills training programs for enhancing knowledge and skills in cyber threat hunting.

1. SESSION 1
Threat hunting
foundations: People,
process & technology

2. Meet the
panel Principal Security Researcher
Infosec
Keatron Evans

3. Today’s
webcast
⮚ Establishing hypothesis
⮚ Data gathering and analysis tools
⮚ Data collection sources
⮚ Threat hunting demo
⮚ Q&A

4. Establish your threat
hunting hypothesis
There are three main types of context-
based hypotheses to consider:
1. Intelligence driven
2. Awareness driven
3. Analytics driven

5. Intelligence-driven
hypothesis
Uses the following to develop an
intelligence-driven hypothesis:
1. Threat intelligence
2. Indicators of compromise (IOCs)
3. Knowledge of threat actors and their
tactics

6. Awareness-driven
hypothesis
Uses the following to develop an
awareness-driven hypothesis:
1. Knowledge of an environment
2. Changes in the environment

7. Analytics-driven
hypothesis
Uses the following to develop an analytics-
driven hypothesis:
1. Data collection and aggregation
2. Analysis of collected data
3. Knowledge of common false positives

8. Why you need data
gathering and
analysis tools
Manual analysis benefits:
• Utilizes human knowledge and experience
• Detects advanced threats
Automated analysis benefits:
• Quickly analyzes vast amounts of data
• Correlates, aggregates and removes
duplicates

9. Recommended data
analysis tools
XDR and EDR solutions
SIEM
• Aggregation
• Correlation
• Removal of duplicate events

10. Threat hunting data sources
IDS/IPS
Antivirus
Additional network
infrastructure
devices
Endpoints
Firewalls

11. Threat hunting data
sources: Endpoints
• File and registry changes
• User login and logout
• Running processes

12. Threat hunting data
sources: Firewalls
• Establish initial traffic rules to
determine what you will be allowing,
blocking and logging
• Monitor traffic for suspicious activity
• Fine-tune traffic rules in response

13. Threat hunting data
sources: IDS and IPS
IDS capabilities:
• Detection
• Alerts
IPS capabilities:
• Detection
• Alerts
• Prevention

14. Threat hunting data
sources: Antivirus
• Signature data
• Behavioral and heuristic data
• Machine learning
– Knowledge of algorithms
– Base data to build initial
knowledge pool

15. Threat hunting data
sources: Additional
network infrastructure
devices
• Hubs
• Switches
• Routers

16. Base your hypotheses
on understanding of
adversaries
Look for:
• Internal movement
• Advanced exfiltration techniques
• Rootkits and other advanced stealth
processes

17. Let’s do this!
Threat hunting
demo

18. Questions?

19. Learn threat hunting with Infosec Skills
Infosec Skills subscription:
➢ 190+ role-based learning paths (e.g., Cyber Threat
Hunting, Ethical Hacking, PenTest+)
➢ 100s of hands-on labs in cloud-hosted cyber ranges
➢ Custom certification practice exams and skill
assessments
Infosec Skills live boot camp:
➢ Live, instructor-led training (in-person or live online)
➢ Certification exam voucher
➢ 90 day extended access to recordings of daily
lessons, plus all materials in Infosec Skills
➢ Exam Pass Guarantee
infosecinstitute.com/skills

20. Learn threat hunting with Infosec Skills
And the winner for a
one-year subscription to
Infosec Skills is …
infosecinstitute.com/skills
(Valued at $299)

21. About us
Infosec believes knowledge is power when fighting
cybercrime. We help IT and security professionals advance
their careers with skills development and certifications
while empowering all employees with security awareness
and privacy training to stay cyber-safe at work and home.
www.infosecinstitute.com