Learn how to take your threat hunting to the next level.
Using real-world examples from the field, this panel session hosted by Keith McCammon provides a behind-the-scenes look at three organizations’ threat hunting programs. Learn how advanced security teams implement threat hunting concepts to drive better security outcomes.
Ideal for:
- All security professionals
- Hunting Maturity Model (HMM): Level 3-4
- Technical depth: intermediate to advanced
01:50 Presenter Introduction
03:06 Webinar Agenda
03:58 Recap of Webinar Series
05:17 Part 1: Automation
06:20 Data Analysis Process
07:35 “You can automate parts that don’t require a lot of human cognition.” -Tony
10:20 “[ATT&CK] is a great measurement and roadmap tool just to make sure you are collecting the right data even if you haven’t figured out how to operationalize it yet.” -Keith
10:36 “To be able to automate, you have to have some sort of data in front of you to give context.” -Brian
11:53 Implementation
14:17 “Having a really wide set of results that may or may not be applicable inside of an organization, suppressing what’s good, and continuing looking through what’s left. That’s absolutely a hallmark of a really effective program.” -Keith
15:15 Part 2: Improving Outcomes
16:18 Operationalized Hunting
16:20 “Formalizing that hunting process so that you can just plug in new tools and new layers of visibility into your process is key for keeping a good program running and integrating new tools effectively.” -Brendan
19:30 Measure Operational Impact
20:03 “It’s important that when you’re considering these programs, that you are thinking proactively about the metrics and what visibility you need to give to your stakeholders.” -Brendan
24:40 Part 3: Stories From The Field
24:45 Case Study 1: Mergers & Acquisitions
25:47 “The biggest disadvantage of that is that you lose all context. Your mature hunting team, your environment, your systems, and your applications. You know nothing about this brand new network.” -Brian
29:10 “This becomes very interesting in an outbreak scenario such as Emotet.” -Tony
30:16 “When you’re looking for events, it’s actually events that happened prior to endpoint visibility occurring.” -Brian
34:45 Case Study 2: ATM Attacks
35:55 “If we didn’t have a mature threat hunting program with automation and visibility, this could be very difficult for us to respond to.” -Brendan
37:53 “I have always been a huge advocate for whitelisting. To me, that’s where you start because I need that visibility and I want that control, but it doesn’t stop there.” -Brendan
40:15 “Response is built for visibility first and foremost. Defense is built for blocking stuff and it gives you visibility.” -Brendan
43:00 Coin Mining & Hunt Resiliency
43:56 “We ended up having to hunt for trusted processes that were exhibiting this behavior.” -Tony
44:43 “Traditionally, this would be an unsigned, malicious binary.” -Tony
45:14 “The key for us is not to have a process that is so well defined or have a hunt that is so well defined that we can’t modify it. It’s okay to take a process that you have and change it if that change serves you.” -Tony
48:21 Questions and Answers
48:28 Question 1: For an organization of around 250 people that doesn’t have dedicated resources to do this, how do you go about finding time to wedge hunting into your program? Which partners do you select, if any?
49:00 “You need to take a look and prioritize and see what are the wins I can get in my organization where I can eliminate classes of threats or bring in vendors or technologies that really move my team forward without a lot of head count.” -Brendan
50:00 Question 2: How deep should the threat hunting team go once they effectively have a lead?
51:45 “You need to at least identify that this is bad news, and then the severity of the badness.” -Brian
52:20 Question 3: What does the decision tree look like operationally for you?
55:26 “The decision tree really comes down to what is all the context surrounding the alert.” -Tony
56:20 Question 4: How do you sort that stuff out and prioritize?
57:41 “Just doing basic prevalence checks of typical activity in your environment.” -Brian
59:08 Wrap Up & ATT&CKcon