Attack Based

Searching for evidence of specific attack

Seeking evidence that identifies a specific attack, in particular evidence of that attack that is not detectable by other mechanisms.

Requires less experience and less generalized attack knowledge. Data-based hunting is the more advanced approach (in terms of required knowledge).

Hunting is not just about signatures for specific attacks. Hunters aim at unusual behaviour that does not fit the environment.

Questions

  • What am I looking for?

    • What kind of attack

  • Where am I likely to find it?

    • Where is my evidence (artifacts on disk, network, logs,...)

  • How can I manipulate the data to see it?

    • statistical analysis, aggregations, ...
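As an added illustration of the three questions (what attack, where the evidence is, how to aggregate it), the following Python is example code, not part of these notes: it stacks parent/child process pairs from process-creation events by host prevalence and checks one behavioural hypothesis (an Office application spawning a script interpreter). Hosts and events are constructed sample data.

```python
from collections import defaultdict

# Constructed sample process-creation events (hypothetical hosts, not real
# telemetry). Each event is (host, parent image, child image).
EVENTS = [
    ("ws01", "explorer.exe", "outlook.exe"),
    ("ws01", "outlook.exe", "winword.exe"),
    ("ws02", "explorer.exe", "outlook.exe"),
    ("ws02", "outlook.exe", "winword.exe"),
    ("ws03", "explorer.exe", "outlook.exe"),
    ("ws03", "outlook.exe", "winword.exe"),
    ("ws04", "explorer.exe", "outlook.exe"),
    ("ws04", "winword.exe", "powershell.exe"),   # Office app spawning a shell
    ("ws01", "services.exe", "svchost.exe"),
    ("ws02", "services.exe", "svchost.exe"),
    ("ws03", "services.exe", "svchost.exe"),
    ("ws04", "services.exe", "svchost.exe"),
]

OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
INTERPRETERS = ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe")


def stack_parent_child(events):
    """Aggregate parent->child pairs and count the distinct hosts each appears on."""
    hosts = defaultdict(set)
    for host, parent, child in events:
        hosts[(parent, child)].add(host)
    return {pair: len(seen) for pair, seen in hosts.items()}


def rare_pairs(events, max_hosts=1):
    """Stack counting: pairs seen on at most max_hosts hosts, rarest first.
    Low-prevalence pairs are what a hunter reviews by hand."""
    prevalence = stack_parent_child(events)
    rare = [(pair, n) for pair, n in prevalence.items() if n <= max_hosts]
    return sorted(rare, key=lambda item: (item[1], item[0]))


def office_spawned_interpreter(events):
    """Hypothesis-driven check for one known behaviour: an Office application
    launching a script or shell interpreter."""
    return [(h, p, c) for h, p, c in events
            if p in OFFICE_APPS and c in INTERPRETERS]


if __name__ == "__main__":
    print("rare pairs:", rare_pairs(EVENTS))
    print("office -> interpreter:", office_spawned_interpreter(EVENTS))
```

On the sample data the stacking and the hypothesis check converge on the same single event on ws04; in a real environment the prevalence threshold is tuned to the fleet size.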

Skills

  • Broad and diverse knowledge of attacks

  • Where to learn about new attack techniques

  • What knowledge is necessary to detect the attack?

    • How?

  • Understanding how to simulate attacks to fill the gaps

Sources of knowledge

Encyclopedic

  • MITRE ATT&CK (https://attack.mitre.org/)

Cutting Edge

  • Vendor research reports

    • CrowdStrike, FireEye, ESET

  • Conferences

    • Black Hat, SANS

  • Whitepapers

    • SANS Reading Room

Highly Relevant

  • Red Team

    • the company's own or a hired one

  • Incidents

Top-Down Process

  1. Vendor Threat Report

  2. ATT&CK Techniques

  3. Behaviours
