Threat Hunting Training Course
by Active Countermeasures
The usual approach: try to catch the bad guys
  Centralize logs
  Write signatures
  Alert on signature matches
  Follow up on alerts
This is not threat hunting; it is reactive, not proactive. Threat intel is also not threat hunting.
Syslog was not designed for security, and different platforms log the same events differently.
What is threat hunting?
  Proactive validation of every system connected to the org's network
  Must include all systems
  Executed without making assumptions
  The deliverable is a compromise assessment
The process
  Review the integrity of every device
  Assign each device one of three dispositions:
    System is OK
    System is compromised
    Not sure; more information must be collected before a decision can be made
  Use that context to direct host log review
C2 detection
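The contrast above (signature alerting versus reviewing every device and assigning a disposition) as an added worked example, not code from the course or from Active Countermeasures. The log lines, the host inventory, the key=value Windows format and the known-bad destination are all constructed for the example; the regular-interval check stands in for the course's C2 detection material, which this page only names.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample input (not from the course). Two platforms record the
# same kind of event, an outbound connection, in different formats, which is
# exactly why logs must be normalized before any review can cover every host.
LINUX_LOGS = [
    "Mar 1 10:00:00 web01 conntrack: NEW tcp src=10.0.0.5 dst=203.0.113.9 dport=443",
    "Mar 1 10:05:00 web01 conntrack: NEW tcp src=10.0.0.5 dst=203.0.113.9 dport=443",
    "Mar 1 10:10:00 web01 conntrack: NEW tcp src=10.0.0.5 dst=203.0.113.9 dport=443",
    "Mar 1 10:15:00 web01 conntrack: NEW tcp src=10.0.0.5 dst=203.0.113.9 dport=443",
    "Mar 1 09:12:40 app04 conntrack: NEW tcp src=10.0.0.9 dst=192.0.2.30 dport=443",
    "Mar 1 11:47:03 app04 conntrack: NEW tcp src=10.0.0.9 dst=192.0.2.31 dport=443",
]
WINDOWS_LOGS = [  # constructed key=value rendering, not the native event text
    "Host=fs02 EventID=5156 Direction=Outbound SourceAddress=10.0.0.7 "
    "DestAddress=198.51.100.4 DestPort=443 Time=2024-03-01T10:02:11",
    "Host=fs02 EventID=5156 Direction=Outbound SourceAddress=10.0.0.7 "
    "DestAddress=192.0.2.20 DestPort=443 Time=2024-03-01T10:31:47",
]
INVENTORY = ["web01", "fs02", "app04", "db03"]  # db03 sends no logs at all
# Constructed signature: one destination taken from a hypothetical intel feed.
KNOWN_BAD_DST = {"198.51.100.4"}

LINUX_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) conntrack: NEW \w+ "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
WIN_RE = re.compile(r"(\w+)=(\S+)")


def normalize(line):
    """Map a platform-specific line onto one common schema; None if unrecognized."""
    m = LINUX_RE.match(line)
    if m:
        return {"host": m["host"], "src": m["src"], "dst": m["dst"],
                "dport": int(m["dport"]),
                "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S")}
    kv = dict(WIN_RE.findall(line))
    if kv.get("EventID") == "5156" and kv.get("Direction") == "Outbound":
        return {"host": kv["Host"], "src": kv["SourceAddress"],
                "dst": kv["DestAddress"], "dport": int(kv["DestPort"]),
                "ts": datetime.fromisoformat(kv["Time"])}
    return None


def signature_hits(events):
    """The reactive model: an alert only where a written signature matches."""
    return [f"signature match: connection to known-bad {e['dst']}"
            for e in events if e["dst"] in KNOWN_BAD_DST]


def beacons(events, min_conns=4, max_cv=0.1):
    """Flag destinations contacted at near-constant intervals (beacon-like).

    Intervals between connections are compared by coefficient of variation,
    so a small, regular cadence is caught without any signature for the host.
    """
    per_dst = defaultdict(list)
    for e in events:
        per_dst[e["dst"]].append(e["ts"])
    hits = []
    for dst, stamps in per_dst.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            hits.append(f"beacon-like connections to {dst} every {mean(gaps):.0f}s")
    return hits


def hunt(lines, inventory):
    """Review every device in the inventory and return one disposition each."""
    by_host = defaultdict(list)
    for e in (normalize(l) for l in lines):
        if e:
            by_host[e["host"]].append(e)
    result = {}
    for host in inventory:
        evs = by_host.get(host, [])
        if not evs:  # no telemetry: the hunt cannot call it OK by default
            result[host] = "not sure: no telemetry, collect more information"
            continue
        reasons = signature_hits(evs) + beacons(evs)
        result[host] = "compromised: " + "; ".join(reasons) if reasons else "ok"
    return result


if __name__ == "__main__":
    for host, verdict in hunt(LINUX_LOGS + WINDOWS_LOGS, INVENTORY).items():
        print(f"{host}: {verdict}")
```

Running the signature pass alone over the Linux lines returns nothing, so web01's five-minute cadence to a single destination is never alerted on; the hunt flags it, and it also refuses to mark db03 as OK merely because that host produced no logs, which is the difference between following up on alerts and validating every system.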