One of the questions I get asked almost every week is some variation of "… but how do I threat hunt?" By this, what they often mean is that there are tons of articles on threat hunting strategies, but there aren't as many resources aimed at analysts on how to actually threat hunt.

Now, this isn't to say that the community hasn't produced how-tos and other documents. They have, and these are great. But these tomes are often aimed at a specific technique or hunt. There are, unfortunately, fewer resources on more general ideas that analysts can use for inspiration. So, after sitting down with our hunt team and putting our heads together, we've come up with 30 hunts to try out. These hunts will expand your structured and unstructured repertoire, and can serve as inspiration for other hunts as well.

One of the first methods that analysts can learn for threat hunting is the unstructured hunt. We have covered the difference before, but needless to say, unstructured hunting is data intensive. Because of this, it is good to look at numerical elements of the data to give yourself a starting point.

An example of this hunt could be in your firewall logs. The first numerical element to look at is volume. Look at all the high ports used, for example, and find the ones with more volume.
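One way to carry out that first volume check, as an added example that is not the post's own code: it assumes a generic key=value firewall export format and treats any destination port above 1024 as a "high port", then ranks those ports by bytes so the top rows become the starting point for the hunt.

```python
# Added example (not the post's own code): rank high destination ports by volume.
import re
from collections import defaultdict

# Constructed sample export in a generic key=value format (assumption; adapt to your schema).
SAMPLE_LOG = """\
ts=2024-05-01T10:00:01 src=10.0.0.5 dst=203.0.113.10 dport=443 bytes=5200
ts=2024-05-01T10:00:03 src=10.0.0.7 dst=198.51.100.22 dport=8443 bytes=1200
ts=2024-05-01T10:00:09 src=10.0.0.9 dst=198.51.100.40 dport=9001 bytes=900000
ts=2024-05-01T10:00:12 src=10.0.0.9 dst=198.51.100.40 dport=9001 bytes=750000
ts=2024-05-01T10:00:15 src=10.0.0.3 dst=192.0.2.15 dport=53 bytes=120
ts=2024-05-01T10:00:31 src=10.0.0.11 dst=192.0.2.77 dport=50123 bytes=40
malformed line without fields
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
HIGH_PORT_MIN = 1024  # "high port" here means above the well-known range (assumption)


def parse_line(line):
    """Parse one key=value line; return None if a needed field is missing or non-numeric."""
    f = dict(KV_RE.findall(line))
    try:
        return {"dport": int(f["dport"]), "bytes": int(f["bytes"]),
                "src": f["src"], "dst": f["dst"]}
    except (KeyError, ValueError):
        return None


def high_port_volume(log_text, min_port=HIGH_PORT_MIN):
    """Per high dst port: total bytes, connection count, distinct src/dst hosts; sorted by bytes."""
    stats = defaultdict(lambda: {"bytes": 0, "conns": 0, "srcs": set(), "dsts": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] < min_port:
            continue  # skip unparsable lines and well-known ports
        s = stats[rec["dport"]]
        s["bytes"] += rec["bytes"]
        s["conns"] += 1
        s["srcs"].add(rec["src"])
        s["dsts"].add(rec["dst"])
    rows = [{"dport": p, "bytes": v["bytes"], "conns": v["conns"],
             "src_hosts": len(v["srcs"]), "dst_hosts": len(v["dsts"])}
            for p, v in stats.items()]
    return sorted(rows, key=lambda r: r["bytes"], reverse=True)


if __name__ == "__main__":
    for r in high_port_volume(SAMPLE_LOG):
        print(f"port {r['dport']:>5}: {r['bytes']:>8} bytes, {r['conns']} conns, "
              f"{r['src_hosts']} src -> {r['dst_hosts']} dst hosts")
```

The connection count and distinct-host columns are there so a port that is big in bytes but touches only one host pair stands out from one that is simply busy across the whole estate.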