Just a reminder that you can’t build a successful threat hunting program to detect the APT indicators everyone is posting unless you actually build the capacity to threat hunt - which has prerequisites, like understanding your environment and building collections of log sources.
Otherwise you’re just throwing pasta at the wall and hoping something will stick, and you don’t know if it means anything if it doesn’t.
Actual serious threat hunting:
1) Builds upon reasonably mature security monitoring capability
2) Requires actual well thought out hypotheses about what an adversary might be doing in your environment based on architecture, Intel, Crown Jewels
Otherwise you’re just doing IOC and signature sweeps, which is fine, but it’s just monitoring and it won’t detect anything novel.
I’m going to go back to what I said a few days ago and remind you that the best way to stop or detect sophisticated attacks is to build good detection and defense in depth from the fundamentals. Threat hunting is awesome, but also requires a lot of that to be in place.
There are many people trying to jump from step A to Z right now because of sophisticated Intel reports out there. Just remember that it’s Intel people’s job to give you the most useful data they can, not to make sure you can actually use it or even know what’s on your network.
Threat hunting is proactive. You are making a scientific, testable, falsifiable hypothesis about what an adversary or malware could be doing in *your* environment. Then you try to *disprove* that hypothesis to a reasonable certainty using the correct sources in your environment.
Threat hunting exists to *detect things that signatures and static IOCs can’t* in routine monitoring. It’s how we detect new activity and target human efforts to detect what machines can’t detect well. So routine monitoring and IR capability come first!
It’s absolutely positively 💯% fine to just be building your asset inventories or monitoring and detection capability or running IOC sweeps right now! Do those things first! Get those in place and threat hunting will come naturally.
I did a talk on this at WWHF this year and I hope it’s posted soon...
You can follow @hacks4pancakes.
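The hypothesis-driven process the thread describes, as an added example that is not part of the original thread or the author's own tooling: a hunt is expressed as a falsifiable hypothesis with a scope drawn from the asset inventory, the log sources it needs, and a predicate for supporting evidence. Before it reports "refuted", it checks that every in-scope host actually shipped the required source, so a negative result on an unlogged host comes back as "inconclusive" rather than as false comfort. The hostnames, events and baseline task list are constructed for the example; Windows Security event IDs 4698 (scheduled task created) and 4624 (successful logon) are real.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

# Constructed asset inventory (hypothetical hostnames). The hunt's scope comes
# from here, not from whatever happens to be present in the SIEM.
INVENTORY: Dict[str, Dict[str, str]] = {
    "fin-ws-01": {"role": "finance-workstation"},
    "fin-ws-02": {"role": "finance-workstation"},
    "fin-ws-03": {"role": "finance-workstation"},
    "web-01": {"role": "dmz-web"},
}

# Constructed sample events, minimal fields from the Windows Security log.
# 4698 = "A scheduled task was created", 4624 = successful logon.
EVENTS: List[Dict[str, str]] = [
    {"host": "fin-ws-01", "source": "windows_security", "event_id": "4698",
     "task": r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan"},
    {"host": "fin-ws-01", "source": "windows_security", "event_id": "4624", "user": "alice"},
    {"host": "fin-ws-02", "source": "windows_security", "event_id": "4624", "user": "bob"},
    # fin-ws-03 ships nothing at all: a coverage gap the hunt must surface.
]

# Constructed baseline of task paths the platform itself is known to create.
BASELINE_TASKS: Set[str] = {r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan"}


@dataclass(frozen=True)
class Hypothesis:
    statement: str
    required_sources: frozenset                        # log sources needed to refute it
    in_scope: Callable[[str, Dict[str, str]], bool]    # host selector over the inventory
    predicate: Callable[[Dict[str, str]], bool]        # what a supporting event looks like


def scope_hosts(h: Hypothesis, inventory: Dict[str, Dict[str, str]]) -> Set[str]:
    """Hosts the hypothesis makes a claim about, selected from the inventory."""
    return {host for host, attrs in inventory.items() if h.in_scope(host, attrs)}


def uncovered_hosts(events: List[Dict[str, str]], hosts: Set[str],
                    required: frozenset) -> Set[str]:
    """In-scope hosts that did not ship every required log source."""
    seen: Dict[str, Set[str]] = {host: set() for host in hosts}
    for e in events:
        if e["host"] in seen:
            seen[e["host"]].add(e["source"])
    return {host for host, srcs in seen.items() if not required <= srcs}


def hunt(h: Hypothesis, inventory: Dict[str, Dict[str, str]],
         events: List[Dict[str, str]]) -> Dict[str, object]:
    """Try to disprove the hypothesis; refuse to call it refuted without coverage."""
    hosts = scope_hosts(h, inventory)
    gaps = uncovered_hosts(events, hosts, h.required_sources)
    hits = [e for e in events if e["host"] in hosts and h.predicate(e)]
    if hits:
        verdict = "not_refuted"      # evidence found: hand to IR for triage
    elif gaps:
        verdict = "inconclusive"     # absence of evidence on unlogged hosts means nothing
    else:
        verdict = "refuted"          # every in-scope host was observed and none matched
    return {"verdict": verdict, "hits": hits,
            "uncovered": sorted(gaps), "scope": sorted(hosts)}


# A hypothetical hunt hypothesis built from architecture (finance workstations)
# and a required log source (Windows Security), not from a posted IOC.
SCHED_TASK_PERSISTENCE = Hypothesis(
    statement="Non-baseline scheduled tasks have been created on finance workstations.",
    required_sources=frozenset({"windows_security"}),
    in_scope=lambda host, attrs: attrs["role"] == "finance-workstation",
    predicate=lambda e: e["event_id"] == "4698" and e.get("task") not in BASELINE_TASKS,
)

if __name__ == "__main__":
    result = hunt(SCHED_TASK_PERSISTENCE, INVENTORY, EVENTS)
    print(SCHED_TASK_PERSISTENCE.statement)
    print("verdict:", result["verdict"], "| uncovered:", result["uncovered"])
```

With the constructed data the verdict is "inconclusive": no task outside the baseline was seen, but fin-ws-03 never reported, so the hunt cannot claim the finance workstations are clean. Adding any Windows Security event from fin-ws-03 turns the same hunt into "refuted"; adding a 4698 for an unknown task path turns it into "not_refuted". The coverage check is the part most hunts skip, and it is exactly what the asset inventory and log-source collection work in the thread buys you.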