Data Based

What kind of attacks could be found in this type of data

Requires more knowledge (compared with attack-based hunting) of the attacks that could appear in the data.

Value of data

Try to answer these questions:

  • Where does data come from?

  • What attack techniques manifest here?

  • What behaviors will it represent?

  • What fields exist?

  • What other data sources can I pivot from here?

  • Does it cover the whole network/company or just the most critical segment?

  • Are there any limitations on this source?

Data types

What data types are available?

If it is possible to perform an attack simulation, that is great!

Disk

System Logs

Application Logs

Registry Hives (Windows)

Sysmon (Windows)

Scheduler/Cron

Network

Connection Logs (netflow)

HTTP Logs

Logs from web server (httpd/nginx/IIS/...)

Useful fields

  • User Agent

  • HTTP Method

  • HTTP Request

  • HTTP Status Code

  • URL

Proxy Logs

Useful fields

  • User Agent

  • HTTP Method

  • HTTP Request

  • HTTP Status Code

  • URL

Do not forget about files that could be cached!
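As an added example (not part of the original notes), a small Python parser that pulls the useful fields listed above (client, method, URL, status code, user agent) out of web-server or proxy lines in the Apache/nginx "combined" log format, then stacks them by user agent and computes a per-client error ratio. The sample lines, the `min_requests` threshold and the field names are constructed assumptions, not from any real server.

```python
import re
from collections import Counter

# Constructed sample lines in the "combined" log format (not from a real server).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/123.0"
10.0.0.5 - - [12/Mar/2024:10:01:05 +0000] "GET /about HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/123.0"
10.0.0.9 - - [12/Mar/2024:10:02:11 +0000] "GET /admin HTTP/1.1" 404 0 "-" "python-requests/2.31"
10.0.0.9 - - [12/Mar/2024:10:02:12 +0000] "GET /backup/ HTTP/1.1" 404 0 "-" "python-requests/2.31"
10.0.0.9 - - [12/Mar/2024:10:02:13 +0000] "GET /test HTTP/1.1" 404 0 "-" "python-requests/2.31"
10.0.0.9 - - [12/Mar/2024:10:02:14 +0000] "POST /upload.php HTTP/1.1" 403 0 "-" "python-requests/2.31"
10.0.0.7 - - [12/Mar/2024:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/123.0"
"""

# One regex for the combined format: client, ident, user, time, request, status, size, referer, UA.
COMBINED = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def parse(log_text):
    """Return one dict per parseable line, keeping only the hunting-relevant fields."""
    rows = []
    for line in log_text.splitlines():
        m = COMBINED.match(line)
        if m:  # unparseable lines are skipped rather than aborting the hunt
            rows.append({k: m.group(k) for k in ("client", "method", "url", "status", "ua")})
    return rows

def stack(rows, field):
    """Frequency analysis ("stacking") of one field; rare values are the leads to look at."""
    return Counter(r[field] for r in rows)

def error_ratio_by_client(rows, min_requests=3):
    """Share of 4xx/5xx responses per client with at least min_requests requests.
    A ratio near 1.0 over many requests is a lead worth pivoting on (e.g. into proxy or DNS logs)."""
    totals, errors = Counter(), Counter()
    for r in rows:
        totals[r["client"]] += 1
        if r["status"][0] in "45":
            errors[r["client"]] += 1
    return {c: errors[c] / n for c, n in totals.items() if n >= min_requests}

if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print(stack(rows, "ua").most_common())
    print(error_ratio_by_client(rows))
```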

DNS Logs

Do not forget about Passive DNS databases; they can contain useful information.

VPN Logs

Mail Logs

IDS/IPS Logs

Suricata, Snort,...

Logs can include extracted files, JA3 fingerprints or other TLS fingerprints.

Full Packet Capture (PCAP)

Cloud Logs (CloudTrail,...)

Intel

Assets

Identities

Passive DNS

Sandbox

Reputation (IP/Domain)
