Common misunderstandings and best practices of ATT&CK practice in ToBeWritten


Maybe when everyone is born, he thinks that the world exists for him alone. When he finds out that he is wrong, he starts to grow up.

If you take less detours, you will miss the scenery. Anyway, thank you for the experience.


Notice of transfer of publishing platform: New articles will no longer be published on the CSDN blog, please move to Knowledge Planet

Thank you all for your continued attention and support of my CSDN blog. I have decided not to publish new articles here. In order to provide better services and more in-depth exchanges, I have opened a Knowledge Planet, where I will publish more in-depth and practical technical articles that can help you solve real problems. I look forward to you joining my Knowledge Planet so that we can grow and progress together


The Auto Threat Hunting column is updated regularly. For the latest content of this article, please go to:

Please ignore the content of this article...

0x01 Threat Hunting Tip 1: Understand what is normal in your environment and you will be able to spot anomalies more easily

Too many businesses try to jump into the abyss of threat hunting (a recipe for chasing squirrels and rabbits with little success) without understanding their environment. Threat hunting is ultimately the practice of searching for unknown elements in an environment, so it is critical to understand what is “normal business” versus “suspicious” or even “malicious”


To understand the environment, make sure you have as much information as possible, including network diagrams, previous incident reports, and any other documentation you can get your hands on, and make sure you have network and endpoint level logs to support your hunt
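As an added example that is not part of the original article, here is one concrete way to turn "know what is normal" into a check: build a baseline of parent-to-child process pairs from a reviewed period, then flag hunt-window events whose pair is unseen or rare. All telemetry below is constructed for illustration.

```python
# Added example (not from the original article): baseline "normal" parent->child
# process pairs from a known-good period, then flag hunt-window events that
# deviate from it. All log records here are constructed for illustration.
from collections import Counter

# Constructed baseline telemetry: (parent_process, child_process) pairs observed
# during a period the team reviewed and considers normal business.
BASELINE_EVENTS = [
    ("explorer.exe", "outlook.exe"), ("explorer.exe", "chrome.exe"),
    ("services.exe", "svchost.exe"), ("explorer.exe", "outlook.exe"),
    ("outlook.exe", "winword.exe"), ("explorer.exe", "chrome.exe"),
    ("services.exe", "svchost.exe"), ("explorer.exe", "powershell.exe"),
]

# Constructed hunt-window telemetry, each event tagged with a host for triage.
HUNT_EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "child": "chrome.exe"},
    {"host": "ws02", "parent": "winword.exe", "child": "powershell.exe"},
    {"host": "ws03", "parent": "explorer.exe", "child": "powershell.exe"},
    {"host": "srv01", "parent": "services.exe", "child": "svchost.exe"},
]


def build_baseline(events):
    """Count how often each parent->child pair appeared in the normal period."""
    return Counter(events)


def find_anomalies(baseline, hunt_events, rare_threshold=1):
    """Return hunt events whose parent->child pair was never seen in the
    baseline, or seen at most `rare_threshold` times (rare enough to review)."""
    flagged = []
    for ev in hunt_events:
        seen = baseline.get((ev["parent"], ev["child"]), 0)
        if seen == 0:
            reason = "never seen in baseline"
        elif seen <= rare_threshold:
            reason = f"rare in baseline ({seen} occurrence)"
        else:
            continue  # common pair: normal business, not worth hunter time
        flagged.append({**ev, "baseline_count": seen, "reason": reason})
    return flagged


if __name__ == "__main__":
    for hit in find_anomalies(build_baseline(BASELINE_EVENTS), HUNT_EVENTS):
        print(hit)
```

The same stacking approach works for any pair of fields (user and logon type, service and binary path) once a reviewed baseline period exists.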

0x02 Threat Hunting Tip 2: When setting up a hunt, start with the general and then move on to the specific, based on your assumptions. By doing this, you create context and understand what you are looking for in the environment


When threat hunters first come to the fore in structured threat hunting, many of them struggle to formulate their first hypotheses. The reason many people find this process challenging is often that they are trying to be a little too specific. Rather than jumping straight into the details, try to be more general in your assumptions first. By doing this, you'll better shape your hunt and add additional contextual information in the process

0x03 Threat Hunting Tip 3: Sometimes it’s better to hunt on things you understand and know and then visualize them, rather than hunting on things outside your expertise and trying to map them onto things you know


One of the most common challenges new hunters encounter is that it’s easy to get in over your head quickly. Not every information security professional is an expert in all areas, and the same is true when it comes to threat hunting

Whether you are just starting out or have been hunting for some time, the same advice holds true: hunt for things you understand, and then mine that data through visualization. This ensures you understand what you are looking at, lets you make sense of the data, and lets you explain how you got there

If you try to hunt on data you don't understand, you are more likely to drift back towards data you do understand and visualize that instead, which may or may not lead to meaningful and valuable hunting

0x04 Threat Hunting Tip 4: Not all assumptions will succeed and sometimes they may fail. But don't be discouraged, go back and test it again

Unlike threat protection and threat detection, threat hunting is far from a sure thing. In fact, the very nature of threat hunting means you are looking for the unknown. Because of this, not every hypothesis you hunt will be successful. Most hunters know that while they may spend hours digging down the rabbit hole they find, that hole is more likely to lead to a power user using PowerShell to save some time than to an advanced attacker who wants to encrypt your domain controllers

Don't let these moments get you down! Document your findings, don't get discouraged, and keep hunting. In the long run it will pay off

0x05 Threat Hunting Tip 5: Understanding your toolset and its data capabilities is just as important as executing your hunt. If you don’t verify that the expected data is present in your tool, false positives are lurking around every corner

Almost everyone in the IT field understands that every tool and technology is different and has specific limitations. But security personnel (especially threat hunters) sometimes take this for granted

One of the most important concepts about "knowing your technology" is understanding what it is capable of, and what its limitations are. If you rush forward without understanding, you are likely to produce false positive results and give the security team a false sense of security.

Before building your hunting system, it’s crucial to test and validate your search queries to ensure they return the results you expect.
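As an added example that is not part of the original article, here is a small validation harness for a hunt query: it measures whether the fields the query depends on are actually present in the delivered logs, and runs a positive control (a record the query must match) so that an empty result set cannot be mistaken for a clean environment. The query, the log sample and the control record are all constructed for illustration.

```python
# Added example (not from the original article): validate a hunt query's data
# dependencies and behaviour before trusting its results or its silence.
# The query, the log sample and the control record are constructed.

# Constructed sample of what the logging pipeline actually delivered. The
# "cmdline" field is missing from some records: exactly the kind of gap that
# makes a hunt return nothing and look "clean".
SAMPLE_LOGS = [
    {"host": "ws01", "process": "powershell.exe", "cmdline": "powershell -enc AAAA"},
    {"host": "ws02", "process": "powershell.exe"},
    {"host": "ws03", "process": "chrome.exe", "cmdline": "chrome --profile=1"},
    {"host": "ws04", "process": "powershell.exe"},
]

# Constructed hunt query: the fields it needs and the predicate it applies.
ENCODED_PS_QUERY = {
    "name": "encoded powershell command line",
    "required_fields": ["process", "cmdline"],
    "predicate": lambda r: r["process"].lower() == "powershell.exe"
    and "-enc" in r["cmdline"].lower(),
}

# Constructed positive control: a record the query MUST match. If it does not,
# the query or the data is broken; the environment is not "clean".
POSITIVE_CONTROL = {"host": "ctrl", "process": "PowerShell.EXE",
                    "cmdline": "PowerShell.exe -Enc ZQBjAGgAbwA="}


def field_coverage(logs, fields):
    """Fraction of records carrying each required field (1.0 means complete)."""
    total = len(logs) or 1
    return {f: sum(f in r for r in logs) / total for f in fields}


def run_query(query, logs):
    """Apply the predicate only to records that carry every required field."""
    complete = [r for r in logs if all(f in r for f in query["required_fields"])]
    return [r for r in complete if query["predicate"](r)]


def validate_query(query, logs, control, min_coverage=0.9):
    """Verdict: is the expected data present, and does the query behave?"""
    coverage = field_coverage(logs, query["required_fields"])
    control_ok = bool(run_query(query, [control]))
    data_ok = all(c >= min_coverage for c in coverage.values())
    return {"coverage": coverage, "control_matched": control_ok,
            "data_ok": data_ok, "trustworthy": control_ok and data_ok,
            "hits": run_query(query, logs)}
```

Here the control matches but only half the records carry `cmdline`, so the verdict is "not trustworthy": the one hit on ws01 is real, but the hunt says nothing about ws02 and ws04.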



You think you have many paths to choose from, but in fact you only have one path to take



Origin blog.csdn.net/Ananas_Orangey/article/details/132668648