Attack vs. Data: What You Need to Know About Threat Hunting


Mitigate threats by going on the offensive


While the definition of threat hunting may be straightforward—proactively hunting for threats—the reality of implementing a threat-hunting program is a bit more complicated, as there are different threat-hunting methodologies to choose from.


In order to optimize an offensive approach like threat hunting, it helps to first know the granular ins and outs of your IT/security stacks so you can ensure they're producing actionable information. Once a plan is in place, you should be able to quickly identify signs of compromise across networks, systems, and application environments.


Kicking it off


A solid threat-hunting program usually begins by generating a hypothesis and noting aspects like:


Program name
Program purpose
Expected analysis techniques for the hunt

For example, if your goal is to identify anomalous user-agent strings, documentation might state, “Looking for abnormally short or long user-agent strings or known bad strings.” These actions will help spur deeper thinking and insight as to what your team wants to accomplish with its threat-hunting program. Mitigating threats then occurs by conducting searches against plan criteria, reporting the findings, and launching a plan to secure environments with the help of any and all stakeholders.
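The user-agent hypothesis above is concrete enough to turn into a runnable hunt. The following script is an added example, not code from the original article: it parses a few constructed web-server log lines in the common "combined" format, flags User-Agent strings that are missing, abnormally short, abnormally long, or that contain a substring from a team-maintained known-bad list, and tallies which check fired so the result can go straight into the hunt report. The length thresholds, the known-bad list (`badbot/0.1` is a constructed placeholder, not a real indicator) and the log lines are all assumptions chosen for illustration.

```python
import re
from collections import Counter

# Regex for the Apache/nginx "combined" log format (referer and user-agent quoted at the end).
# Caveat: a User-Agent that itself contains a double quote will not match and is skipped.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"\s*$'
)

# Assumed thresholds and a constructed known-bad list; a real hunt team tunes these
# against a baseline of its own traffic.
MIN_UA_LEN = 20
MAX_UA_LEN = 512
KNOWN_BAD = ("badbot/0.1",)  # constructed placeholder string, not a real indicator


def _line(ip, req, status, size, ua):
    """Build one constructed log line in combined format (sample data only)."""
    return f'{ip} - - [10/Mar/2024:12:00:00 +0000] "{req}" {status} {size} "-" "{ua}"'


CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36")

# Constructed sample log: one benign request plus one example of each anomaly class.
SAMPLE_LOG = "\n".join([
    _line("10.0.0.5", "GET /index.html HTTP/1.1", 200, 512, CHROME_UA),          # normal
    _line("10.0.0.6", "GET /login HTTP/1.1", 200, 128, "x"),                     # abnormally short
    _line("10.0.0.7", "POST /api HTTP/1.1", 403, 0, "badbot/0.1 (constructed)"),  # known-bad string
    _line("10.0.0.8", "GET /search HTTP/1.1", 200, 900, "-"),                    # missing ("-")
    _line("10.0.0.9", "GET / HTTP/1.1", 200, 300, "A" * 600),                    # abnormally long
    "this line is not in combined format and is skipped by the parser",
])


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def classify_user_agent(ua, min_len=MIN_UA_LEN, max_len=MAX_UA_LEN, known_bad=KNOWN_BAD):
    """Return the hunt reasons this User-Agent matches; an empty list means nothing fired."""
    if ua in ("", "-"):          # Apache/nginx log "-" when the header is absent
        return ["missing"]
    reasons = []
    if len(ua) < min_len:
        reasons.append("short")
    if len(ua) > max_len:
        reasons.append("long")
    lowered = ua.lower()
    if any(bad.lower() in lowered for bad in known_bad):
        reasons.append("known_bad")
    return reasons


def hunt(log_text):
    """Run the user-agent checks over every parseable line and collect the hits."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify_user_agent(rec["ua"])
        if reasons:
            # Truncate the UA in the finding so a 600-byte string does not flood the report.
            findings.append({"ip": rec["ip"], "ua": rec["ua"][:80], "reasons": reasons})
    return findings


def summarize(findings):
    """Count how often each reason fired, for the hunt report."""
    return Counter(r for f in findings for r in f["reasons"])


if __name__ == "__main__":
    results = hunt(SAMPLE_LOG)
    for f in results:
        print(f"{f['ip']:<10} {','.join(f['reasons']):<12} {f['ua']!r}")
    print(dict(summarize(results)))
```

The checks are deliberately independent so a single request can carry several reasons, and the summary counts let the team see at a glance whether the hypothesis is producing mostly "missing" (often benign internal tooling) or "known_bad" hits, which is the kind of feedback that decides whether the hunt graduates into an automated alert.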


Common threat-hunting models


Each established model has its own formula and is essentially a collection of processes designed to take you through a structured approach to searching for specific threats.


The Paris model


The model is named after its ultimate shape on graph paper and places an emphasis on automation and automated alerts. The entire purpose of this model is to get teams to a state where new use cases are being generated from R&D and hav ..
