Threat Hunting Training Course

by Active Countermeasures

Try to catch the bad guys

  • Centralize logs

  • Write signatures

  • Alert on signature matches

  • Follow-up on alerts

This is the traditional SOC loop: it waits for a signature to fire, so it is reactive, not proactive, and it is not threat hunting. Threat intel (matching traffic against known-bad indicators) is also not threat hunting!

Syslog was not designed for security: different platforms log the same event differently, so centralized logs are an inconsistent foundation for detection.

What is threat hunting

  • Proactive validation of all systems connected to the org's network

  • Needs to include all systems

  • Execute without making assumptions

  • Deliverable is a compromise assessment

The process

  1. Review the integrity of every device

  2. Assign each device exactly one of three dispositions

    1. System is OK

    2. System is compromised

    3. Not sure, need to collect more information to make a decision

  3. Use the context gathered in the review to focus host log review on the systems that are not yet decided
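The three-step process above, as an added example that is not part of the course material or of any Active Countermeasures tool: a small compromise-assessment triage over constructed connection records. Every host in the inventory receives exactly one disposition (hosts with no telemetry are "not sure", not "OK"), and the uncertain hosts carry the context that the host log review needs. The one network signal it uses, fixed-cadence connections to a single destination as a hint of automated beaconing, is an assumption chosen for the illustration; the host names, IPs, thresholds and the "findings" input are likewise invented.

```python
"""Compromise-assessment triage over constructed connection logs.

Added illustration, not course material. Assumptions: inter-connection timing
regularity (coefficient of variation of the gaps) is used as the only network
signal, thresholds are arbitrary, and all hosts/IPs/timestamps are made up.
"""
from collections import defaultdict
from statistics import mean, pstdev

OK = "System is OK"
COMPROMISED = "System is compromised"
NEED_MORE = "Not sure, need more information"

# Constructed sample data (not real traffic).
INVENTORY = ["10.0.0.5", "10.0.0.7", "10.0.0.9"]
SAMPLE_CONNS = (
    # 10.0.0.5 -> 203.0.113.10:443 once every 60 s for an hour: machine cadence.
    [(t, "10.0.0.5", "203.0.113.10", 443) for t in range(0, 3600, 60)]
    # 10.0.0.7 -> 198.51.100.20:443 at irregular, human-looking times.
    + [(t, "10.0.0.7", "198.51.100.20", 443) for t in (12, 95, 400, 1300, 1310, 2900)]
    # 10.0.0.9 is in the inventory but produced no connections at all.
)


def interval_regularity(timestamps, min_gaps=10):
    """Return (connection count, coefficient of variation of the gaps between
    consecutive connections). A CV near 0 means a fixed cadence. Returns None
    for the CV when there are too few gaps to judge."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < min_gaps:
        return len(ts), None
    mu = mean(gaps)
    cv = pstdev(gaps) / mu if mu > 0 else 0.0
    return len(ts), cv


def assess_network(inventory, conns, max_cv=0.1):
    """Steps 1 and 2: give every inventoried host a disposition from network
    evidence alone. Beacon-like traffic is not proof of compromise, so it
    yields NEED_MORE plus the context to carry into the host log review."""
    per_pair = defaultdict(list)
    for t, src, dst, port in conns:
        per_pair[(src, dst, port)].append(t)
    report = {}
    for host in inventory:
        pairs = {k: v for k, v in per_pair.items() if k[0] == host}
        if not pairs:
            # "Needs to include all systems": silence is a coverage gap, not a pass.
            report[host] = (NEED_MORE, ["no network telemetry for this host; "
                                        "verify sensor coverage and pull host logs directly"])
            continue
        context = []
        for (_, dst, port), ts in pairs.items():
            n, cv = interval_regularity(ts)
            if cv is not None and cv <= max_cv:
                context.append(f"{n} connections to {dst}:{port} at a fixed cadence "
                               f"(cv={cv:.2f}); identify the process on {host} making them")
        report[host] = (NEED_MORE, context) if context else (OK, [])
    return report


def apply_host_review(report, findings):
    """Step 3: resolve NEED_MORE hosts with what the host log review found.
    findings maps host -> True (malicious cause confirmed), False (benign
    explanation found); a host absent from findings stays undecided."""
    resolved = {}
    for host, (disp, ctx) in report.items():
        if disp == NEED_MORE and host in findings:
            disp = COMPROMISED if findings[host] else OK
        resolved[host] = (disp, ctx)
    return resolved


if __name__ == "__main__":
    net = assess_network(INVENTORY, SAMPLE_CONNS)
    # Constructed outcome of the host review: the 10.0.0.5 cadence traced to a
    # malicious process, while 10.0.0.9 is still open (no findings yet).
    final = apply_host_review(net, {"10.0.0.5": True})
    for host, (disp, ctx) in final.items():
        print(host, "->", disp)
        for line in ctx:
            print("   ", line)
```

The deliberate split between `assess_network` and `apply_host_review` mirrors the process: network evidence alone never produces "compromised", only "OK" or "not sure" with context, and a host that sent nothing is never assumed clean.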

C2 Detection
