Posts

Showing posts from August, 2017

Applying Detection to the Attacker Lifecycle

Thanks everyone for the encouraging comments on my first post and for taking the time to let me know it helped you out! 😁 Now for the next edition. Hunting is a form of detection. It's not monitoring, but it is detection. So let's take a quick look at creating a detection strategy and how it can include your hunt program.

Use a Lifecycle for your Story

Your detection strategy needs to create a story that your senior leadership can easily understand. The Mandiant Attacker Lifecycle always made more sense to me than the Lockheed Martin Cyber Kill Chain, so I am going to use that as the story for my strategy. Pick whichever lifecycle works for you. There is also the MITRE Attack Lifecycle.

Mandiant Attacker Lifecycle

For the sake of this post, I am going to say the lifecycle stage Complete Mission should be handled by DLP, backups (if the mission objective is destructive), and encryption.

Alerting

You want to alert early in the lifecycle so you catch attackers

Building Operational Threat Hunting Models

A successful threat hunting program can't be a black box to the organization. The expense of such an elite program demands that executives easily comprehend its value to the organization. Of course, as the program develops, executive comprehension alone will not suffice and metrics will be necessary as well, but that's a post for another day.

5 Threat Hunting Models

I've begun to develop 5 Threat Hunting Models that I hope can be used to frame discussions about a threat hunting program and its objectives. This isn't the first iteration of the models, and I highly doubt it's the last.

ADVERSARY MODEL

The Adversary Model is for creating hunts that target a specific adversary, for example APT 28. Hunters will review an adversary profile, hopefully created by your cyber threat intelligence team, to learn the attacker's behaviors. Using this knowledge, hunters will create a hypothesis on finding those behaviors in our environments. Don't have your own CTI, do