#BSidesBelfast: Threat Hunting Requires Curiosity and Culture

Building a threat hunting team requires finding people who are prepared to be inquisitive about data and keen to be the first to find a threat, and then giving them the right culture to work in.



Speaking at BSides Belfast 2019, Martin Lee, outreach manager and technical lead at Cisco Talos, said that the team at Talos “work on analyzing the intelligence we have got, spot what is different and understand it.” What Talos does is “special and what we do has happened by accident,” he said, as there is no manual on how to manage and run a threat research and intelligence team.



He said that there is a common belief that threat hunting involves “putting data in and mixing it with tools using SIEM, and using procedures to find threats,” when threat hunting should be thought of as a “stack of technology” where you do not need a “secret store of data that only you can access.”



Lee added: “We look for the most significant new threat on the internet, and see our role as to protect the entire internet. We want to hunt down and find the bad guys and be the first people to protect customers and inform the community.”



A lot of threat hunting “is classic engineering,” since if you put processes in at the beginning and follow them, you will come to a predictable end with a clean answer, and Lee called that “the holy grail” situation. In most cases, threat hunting involves looking through indicators of compromise and comparable data, and the resolution is affected by attackers using different domains, different IP addresses an ..