Threat Hunting Basics


Sometimes we don't want to sit around and wait to get an alert from our ant-virus or worse, a phone call saying we've been ransomwared and the bad guys have been on our network for weeks.

To avoid this, there is a proactive approach known as "threat hunting" where the defenders go out into their own network, look through logs, and try to find evil.

As this is their network, they can do a lot of things to increase visibility, as well as force attackers to be loud and do distinctly attacker-ish actions. Perhaps most importantly, defenders have home team advantage and can check for changes and new happenings across their logs, which might alert them to bad things that are going on. Because they "know normal", it's easier for them to "find evil".

People always say you should hunt with a threat in mind rather than "boiling the ocean", but both approaches have their benefits. We'll check them out as we go.

Read this:

Last modified: Sunday, 20 June 2021, 8:40 PM