Compromise Assessment vs Threat Hunting
Many people use the terms compromise assessment and threat hunting interchangeably.
To be clear, the two are different. How, and in what sense? Let's take a closer look:
A compromise assessment is a high-level, organization-wide review that is not restricted to a narrow scope; its purpose is to find out whether the organization is compromised.
Performing such an assessment helps establish whether the existing security baseline is adequate, and it highlights the risk that a compromise is not being effectively communicated to senior/executive leadership within your organization.
Threat hunting, by contrast, is a more mature assessment targeted at identifying adversary objectives (espionage, pivoting, data exfiltration, etc.) directed at your organization.
Where Does Threat Hunting Fit?
Threat hunting is highly complementary to the standard process of incident detection, response, and remediation. As security technologies analyze the raw data to generate alerts, threat hunting works in parallel, using queries and automation, to extract hunting leads out of the same data.
Hunting leads are then analyzed by human threat hunters, who are skilled in identifying the signs of adversary activity; confirmed findings can then be managed through the same pipeline. This process is illustrated below:
Threat Hunting Steps
Threat hunting follows a general three-phased approach:
· Trigger - Identify TTPs
We start with a trigger, which refers to a specific system or area of the network where unusual actions have been identified and which warrants further investigation. This leads to proactive hunting, for example looking for fileless malware that attempted to evade existing defenses.
After analyzing the triggers, the threat hunter leverages logs from EDR (Endpoint Detection and Response) to analyze how far the system has been compromised and to identify the malicious behavior that has taken place.
· Investigation - Investigate based on known Indicators of Compromise
Indicators of compromise (IOCs) are artifacts found in system log entries or files that identify potentially malicious activity on a system or network. Analysts often collect multiple IOCs, look for correlation between them, and piece them together to analyze a potential threat or incident.
Some examples include:
- Abnormal Network Traffic
- Suspicious Privileged User Account Activity
- Suspicious Port-Application Traffic
- Suspicious Registry or file level changes
- Unusual DNS Requests
· Reporting
The final phase is reporting. This includes communicating relevant malicious activities to security teams so that the threats can be mitigated.
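As an added illustration (not part of the original post), the Python below shows how the automated part of this pipeline can extract hunting leads from raw telemetry: it tags two of the IOC categories listed above (unusual DNS requests and suspicious privileged account activity) in constructed sample log lines and correlates the hits per host so that a human hunter has a lead to investigate. The log format, the entropy and length thresholds, and the quiet-hours window are assumptions made for this example.

```python
import math
from collections import defaultdict

# Constructed sample telemetry (not from any real environment): one event per
# line in the assumed form "<host> <type> <detail>".
SAMPLE_LOGS = """\
ws01 dns mail.example.com
ws01 dns a8f3k2l9q0zx7v4b1n6m.badcdn.example
ws01 dns c7q1w9e5r3t2y8u0i4o6.badcdn.example
ws01 auth user=svc_backup priv=admin hour=03
ws02 dns www.example.com
ws02 auth user=alice priv=user hour=10
ws03 auth user=jdoe priv=admin hour=02
"""

def shannon_entropy(s):
    """Bits of entropy per character; random-looking (DGA-style) labels score high."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def unusual_dns(name, entropy_threshold=3.5, length_threshold=16):
    """IOC: unusual DNS request - a long, high-entropy leftmost label (assumed thresholds)."""
    label = name.split(".")[0]
    return len(label) >= length_threshold and shannon_entropy(label) >= entropy_threshold

def suspicious_privileged_auth(detail, quiet_hours=range(0, 6)):
    """IOC: privileged account activity during an assumed quiet-hours window."""
    fields = dict(kv.split("=", 1) for kv in detail.split())
    return fields.get("priv") == "admin" and int(fields["hour"]) in quiet_hours

def extract_hunting_leads(log_text):
    """Automated pass over raw telemetry: tag IOC hits and correlate them per host.
    A host with more than one IOC category becomes a hunting lead for a human hunter."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        host, kind, detail = line.split(" ", 2)
        if kind == "dns" and unusual_dns(detail):
            hits[host].add("unusual_dns")
        elif kind == "auth" and suspicious_privileged_auth(detail):
            hits[host].add("suspicious_privileged_auth")
    return {h: sorted(c) for h, c in hits.items() if len(c) > 1}

if __name__ == "__main__":
    for host, iocs in extract_hunting_leads(SAMPLE_LOGS).items():
        print(f"hunting lead: {host} -> {', '.join(iocs)}")
```

Single-category hits (such as ws03 above) are not dropped in practice; they are simply lower-priority leads, and the thresholds should be tuned against the organization's own baseline.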