Ever wonder what threat hunting is all about? Join Infosec Principal Security Researcher Keatron Evans as he breaks down the basics of what it’s like to have a career hunting down potential cyber threats. Join us on for an inside look at a day in the life of a threat hunter, including: Why threat hunters are more critical today than ever before Knowledge and skills needed to drive threat hunting success Live demos of essential threat hunting skills and tools used to detect and mitigate adversarial behavior One lucky attendee will win a free year of Infosec Skills. Complete the form to save your seat! P.S. Want to go even deeper into threat hunting? Don’t miss our advanced threat hunting session on June 28, Join the hunt: Threat hunting for proactive cyber defense.

1. SESSION 1
Threat hunting
foundations: People,
process & technology

2. Meet the
panel Principal Security Researcher
Infosec
Keatron Evans

3. Today’s
webcast
⮚ What is threat hunting?
⮚ Assumption of a breach
⮚ Key components of threat hunting
⮚ Threat hunting process
⮚ Demo
⮚ Q&A

4. What is threat hunting?
Incident response
REACTIVE
Responds to alerts and gets the organization back to a ”safe” place
Forensics
INVESTIGATIVE
Documents historical events: What happened? How? When? Who?
Threat hunting
PROACTIVE
Identifies how threats behave in an environment. Driven by
hypothesis — not incidents or events

5. JOB TITLE:
Threat hunter
RESPONSIBILITIES:
Finds threats
within an
environment
TASKS:
Uses data analysis
tools and
techniques to
discover threats
and related
vulnerabilities
Anatomy of a
threat hunter

6. REACTIVE
Incident response
PROACTIVE
Threat hunting
• Actively searching for
and preventing threats
• Includes threats which
may not have been
detected or reported
by automated
monitoring tools
• Detecting attacks after
they have occurred
• Logging and responding
to alerts and
notifications from
monitoring tools

7. Threat hunting concepts
Data
Discrete logs used for
analysis, often collected by
individual devices and
centralized by a SIEM
Baselines
Simple metrics and
established, secure
configurations or behaviors
Threat intelligence
Collections of data relating to
known threats and threat
actors

8. Assumption of breach

9. Three reasons to
assume a breach
1. Systems are complex and difficult to
fully secure
2. It’s much safer than assuming a
system or environment is secure from
attack
3. You can’t only depend on alerts

10. Zero-day
vulnerabilities
• Vulnerabilities unknown to software
developers
• Zero-day attacks will exist regardless
of how secure a product is thought to
be
• By their very nature, these
vulnerabilities are unknown and
difficult to prevent

11. Detection
deltas
The “global median dwell
time” (detection delta)
has steadily dropped
since 2011 when it was
416 days, according to
FireEye’s M-Trends report
Global median dwell time 2015-2021
Compromise
notifications
2015 2016 2017 2018 2019 2020 2021
All 146 99 101 78 56 24 21
External
notifications
320 107 186 184 141 73 28
Internal
detection
56 80 57.5 50.5 30 12 18

12. Combat alert fatigue
with active defense
1. Large influx of false positive alerts can
lead to disinterest
2. Constantly chasing down false
positives becomes exhausting and
boring
3. Actively hunting threats helps combat
alert fatigue and reduce false positives

13. Key components of threat hunting
Three factors to help determine threat hunting program maturity
1. Quality of collected
data
2. Tools used for
gathering/analyzing data
3. Threat hunter skills

14. Let’s take a look at
what a mature
threat hunting
process looks like.
1. Collect and process data
2. Establish hypothesis
3. Hunt for threats
4. Identify threats
5. Respond

15. 1. Collect and process data
2. Establish hypothesis
3. Hunt for threats
4. Identify threats
5. Respond
● Data collected from various log
sources, often centralized for
analysis
● Data then processed and organized
using automated tools
● Manual investigation leads to
development of a hypothesis
Collect and
process data

16. 1. Collect and process data
2. Establish hypothesis
3. Hunt for threats
4. Identify threats
5. Respond
● Data analyzed by a hunter or other
party tasked with developing
hypotheses
● Once created, a hypothesis is used
to direct threat hunting efforts
● Should be business-related and
specific
Establish
hypothesis

17. 1. Collect and process data
2. Establish hypothesis
3. Hunt for threats
4. Identify threats
5. Respond
● After a hypothesis has been created,
threat hunters attempt to confirm
the hypothesis
● Look for a sufficient number of IOCs
to support a hypothesis
● If unable to confirm a hypothesis,
move to a new one
Hunt for threats

18. 1. Collect and process data
2. Establish hypothesis
3. Hunt for threats
4. Identify threats
5. Respond
● After confirming a hypothesis,
gather further information on all
related threats
● Discover information to attribute
the threat to a specific actor,
determine threat characteristics and
goals
Identify threats

19. 1. Collect and process data
2. Establish hypothesis
3. Hunt for threats
4. Identify threats
5. Respond
● Becomes an incident response (IR)
process
● Handoff to IR team happens here
● Threat hunters may pulled into the
IR process
Respond

20. ● Review threats
● Ask questions:
○ Why did the threat exist?
○ Is the current mitigation
sufficient going forward?
○ What can we do to better
prepare for this type of threat in
the future?
Lessons learned

21. Let’s do this!
Threat hunting in
network traffic

22. Questions?

23. Learn threat hunting with Infosec Skills
Infosec Skills subscription:
➢ 190+ role-based learning paths (e.g., Cyber Threat
Hunting, Ethical Hacking, PenTest+)
➢ 100s of hands-on labs in cloud-hosted cyber ranges
➢ Custom certification practice exams and skill
assessments
Infosec Skills live boot camp:
➢ Live, instructor-led training (in-person or live online)
➢ Certification exam voucher
➢ 90 day extended access to recordings of daily
lessons, plus all materials in Infosec Skills
➢ Exam Pass Guarantee
infosecinstitute.com/skills

24. Learn how to hack with Infosec Skills
And the winner for a
one-year subscription to
Infosec Skills is …
infosecinstitute.com/skills
(Valued at $299)

25. About us
Infosec believes knowledge is power when fighting
cybercrime. We help IT and security professionals advance
their careers with skills development and certifications
while empowering all employees with security awareness
and privacy training to stay cyber-safe at work and home.
www.infosecinstitute.com