Becoming a leader: an inside look at an advanced threat hunting program

01:50  Presenter Introduction

03:06  Webinar Agenda

03:58  Recap of Webinar Series

05:17  Part 1: Automation

06:20  Data Analysis Process

07:35  “You can automate parts that don’t require a lot of human cognition.” -Tony

10:20  “[ATT&CK] is a great measurement and roadmap tool just to make sure you are collecting the right data even if you haven’t figured out how to operationalize it yet.”-Keith

10:36  “To be able to automate, you have to have some sort of data in front of you to give context.”-Brian

11:53  Implementation

14:17  “Having a really wide set of results that may or may not be applicable inside of an organization, suppressing what’s good, and continuing looking through what’s left. That’s absolutely a hallmark of a really effective program.” -Keith

15:15 Part 2: Improving Outcomes

16:18  Operationalized Hunting

16:20  “Formalizing that hunting process so that you can just plug in new tools and new layers of visibility into your process is key for keeping a good program running and integrating new tools effectively.” -Brendan

19:30  Measure Operational Impact

20:03  “It’s important that when you’re considering these programs, that you are thinking proactively about the metrics and what visibility you need to give to your stakeholders.” -Brendan

24:40 Part 3: Stories From The Field

24:45  Case Study 1: Mergers & Acquisitions

25:47  “The biggest disadvantage of that is that you lose all context. Your mature hunting team, your environment, your systems, and your applications. You know nothing about this brand new network.” -Brian 

29:10  “This becomes very interesting in an outbreak scenario such as emotet.” -Tony

30:16  “When you’re looking for events, it’s actually events that happened prior to endpoint visibility occurring.” -Brian

34:45  Case Study 2: ATM Attacks

35:55  “If we didn’t have a mature threat hunting program with automation and visibility, this could be very difficult for us to respond to.” -Brendan

37:53  “I have always been a huge advocate for whitelisting. To me, that’s where you start because I need that visibility and I want that control, but it doesn’t stop there.” -Brendan 

40:15  “Response is built for visibility first and foremost. Defense is built for blocking stuff and it gives you visibility.” -Brenden 

43:00  Coin Mining & Hunt Resiliency

43:56  “We ended up having to hunt for trusted processes that were exhibiting this behavior.” -Tony 

44:43  “Traditionally, this would be an unsigned, malicious binary.” -Tony 

45:14  “The key for us is not to have a process that is so well defined or have a hunt that is so well defined that we can’t modify it. It’s okay to take a process that you have and change it if that change serves you.” -Tony

48:21 Questions and Answers

48:28  Question 1: For an organization of around 250 people who doesn’t have dedicated resources to do this, How do you go about finding time to wedge hunting into your program? Which partners do you select, if any?

49:00  “You need to take a look and prioritize and see what are the wins I can get in my organization where I can eliminate classes of threats or bring in vendors or technologies that really move my team forward without a lot of head count.” -Brenden

50:00  Question 2: How deep should the threat hunting team go once they effectively have a lead?

51:45  “You need to at least identify that this is bad news, and then the severity of the badness.” -Brian 

52:20  Question 3: What does the decision tree look like operationally for you?

55:26  “The decision tree really comes down to what is all the context surrounding the alert.” -Tony

56:20  Question 4:How do you sort that stuff out and prioritize?

57:41  “Just doing basic prevalence checks of typical activity in your environment.” -Brian

59:08 Wrap Up & ATT&CKcon