Section 24.229 Threat Hunting Flashcards
Objective 4.8 Explain appropriate incident response activities
Threat Hunting
Proactive cybersecurity technique to detect threats that haven’t been discovered by normal security monitoring
■ Involves actively seeking out potential threats within your network, as opposed to waiting for them to trigger alerts
Steps in Threat Hunting
Establishing a Hypothesis
Conduct threat modeling to identify potential threats with high impact
● Use threat intelligence to form hypotheses about threat actors or campaigns that may target your organisation
Steps in Threat Hunting
Profiling Threat Actors and Activities
Create scenarios to understand how attackers might attempt an intrusion
● Determine the type of threat actor (insider, hacktivist, criminal, nation state)
● Identify their objectives and potential targets
Steps in Threat Hunting
Threat Hunting Process
● Utilises security monitoring and incident response tools
● Analyses logs, system data, file systems, and registry information
● Focuses on finding threats not detected by existing rules
● Starts by assuming that the current rules haven’t flagged potential threats
● Seeks new tactics, techniques, and procedures used by threat actors
Key Considerations
■ Threat hunters must stay updated on the latest attacks and threats
■ Use advisories and bulletins published by vendors and researchers to identify new TTPs and vulnerabilities
■ Utilise intelligence fusion and threat data, combining SIEM logs with real-world threat feeds
Benefits of Threat Hunting
■ Improves detection capabilities by identifying threats that bypass existing defenses
■ Enhances threat intelligence by correlating external threat feeds with internal logs
■ Provides actionable intelligence to strengthen security measures