1
00:00:06,660 --> 00:00:07,930
- By now you already know

2
00:00:07,930 --> 00:00:10,879
that there are no products or security technologies

3
00:00:10,879 --> 00:00:15,099
in the world that can detect and block all security threats

4
00:00:15,099 --> 00:00:18,640
in this continuously evolving threat landscape.

5
00:00:18,640 --> 00:00:20,860
Regardless of the vendor, regardless

6
00:00:20,860 --> 00:00:23,700
of how expensive this technology is.

7
00:00:23,700 --> 00:00:26,500
And this is why many organizations are tasking

8
00:00:26,500 --> 00:00:30,528
their senior analysts in their security operations center

9
00:00:30,528 --> 00:00:34,299
or in their computer security incident response team, to hunt

10
00:00:34,299 --> 00:00:37,930
for threats that may have actually bypassed any

11
00:00:37,930 --> 00:00:41,288
security controls that are in place within the organization.

12
00:00:41,288 --> 00:00:45,709
This is why this concept of threat hunting exists,

13
00:00:45,709 --> 00:00:49,030
and threat hunting in short is the act

14
00:00:49,030 --> 00:00:53,700
of basically proactively looking for threats and searching

15
00:00:53,700 --> 00:00:56,590
through the organization to discover, you know,

16
00:00:56,590 --> 00:00:58,690
if any of these threats actually could have been

17
00:00:58,690 --> 00:01:02,180
bypassing your security controls, your security products,

18
00:01:02,180 --> 00:01:04,088
your security technologies out there, right?

19
00:01:04,088 --> 00:01:06,950
And whenever I mention no products, that means no firewalls,

20
00:01:06,950 --> 00:01:09,568
no intrusion prevention systems or IPS,

21
00:01:09,568 --> 00:01:14,500
no data loss prevention systems, no cloud service

22
00:01:14,500 --> 00:01:16,330
that will be perfect, right?

23
00:01:16,330 --> 00:01:20,580
And it will be able to detect and block all these threats

24
00:01:20,580 --> 00:01:22,640
that we are actually seeing nowadays, right.

25
00:01:22,640 --> 00:01:25,830
Now, starting with this hunting process.

26
00:01:25,830 --> 00:01:28,390
One thing that I want to highlight is that, you know,

27
00:01:28,390 --> 00:01:30,740
at the end of the day, you know, I cannot sugarcoat it,

28
00:01:30,740 --> 00:01:32,990
it actually requires a deep knowledge of

29
00:01:32,990 --> 00:01:36,750
the network and it's often performed by SOC analysts.

30
00:01:36,750 --> 00:01:37,990
So whenever I say SOC, you know,

31
00:01:37,990 --> 00:01:40,720
the security operations center analyst that might be

32
00:01:40,720 --> 00:01:43,461
in a, you know, in an escalation tier, right?

33
00:01:43,461 --> 00:01:46,410
Typically a SOC or a security operations center

34
00:01:46,410 --> 00:01:48,752
is divided into three different tiers.

35
00:01:48,752 --> 00:01:52,952
Tier one, where the junior analysts reside; a mid-level

36
00:01:52,952 --> 00:01:57,203
to senior analyst, you know, tier two.

37
00:01:57,203 --> 00:01:59,211
And then the top tier, or

38
00:01:59,211 --> 00:02:03,720
a tier three senior security analyst.

39
00:02:03,720 --> 00:02:08,409
That top tier is where typically threat hunting resides.

40
00:02:08,409 --> 00:02:12,670
However, that all depends on the organization and

41
00:02:12,670 --> 00:02:15,730
how the organization, you know, how big the organization is.

42
00:02:15,730 --> 00:02:18,140
Number one, how is it structured?

43
00:02:18,140 --> 00:02:20,110
Right? And in some cases, actually,

44
00:02:20,110 --> 00:02:23,930
large corporations may have a separate team to

45
00:02:23,930 --> 00:02:26,789
perform threat hunting, just dedicated for threat hunting.

46
00:02:26,789 --> 00:02:30,900
You know, even outside of the analysts that traditionally are

47
00:02:30,900 --> 00:02:33,269
in the security operations center.

48
00:02:33,269 --> 00:02:35,220
Now threat hunters assume

49
00:02:35,220 --> 00:02:37,499
that an attacker has already compromised the network, right?

50
00:02:37,499 --> 00:02:40,350
Subsequently they actually need to come

51
00:02:40,350 --> 00:02:44,540
up with some hypothesis of what is actually compromised,

52
00:02:44,540 --> 00:02:47,057
how the adversary could have been performing the attack.

53
00:02:47,057 --> 00:02:51,560
What are the tactics, techniques, and procedures?

54
00:02:51,560 --> 00:02:55,160
What we call TTPs that modern attackers use to

55
00:02:55,160 --> 00:02:58,110
bypass those security controls.

56
00:02:58,110 --> 00:03:02,190
This is why many organizations are actually using things

57
00:03:02,190 --> 00:03:05,350
like the MITRE ATT&CK framework to be able to learn

58
00:03:05,350 --> 00:03:08,850
about the tactics and techniques of adversaries.

59
00:03:08,850 --> 00:03:12,397
And in short, the MITRE ATT&CK framework covers those tactics

60
00:03:12,397 --> 00:03:14,613
and techniques that attackers use

61
00:03:14,613 --> 00:03:16,860
in real-life attacks, right?

62
00:03:16,860 --> 00:03:18,910
If it is in the MITRE ATT&CK framework,

63
00:03:18,910 --> 00:03:21,640
it has happened in the real world.

64
00:03:21,640 --> 00:03:22,563
It's not a hypothesis.

65
00:03:22,563 --> 00:03:24,210
It's not a theory.

66
00:03:24,210 --> 00:03:25,210
These are the tactics

67
00:03:25,210 --> 00:03:27,940
and techniques that attackers are actually

68
00:03:27,940 --> 00:03:30,853
using to compromise organizations.

69
00:03:31,750 --> 00:03:35,120
Now, threat hunting is not the same as the traditional

70
00:03:35,120 --> 00:03:38,574
SOC incident response activities, right?

71
00:03:38,574 --> 00:03:41,644
Also it is not the same as vulnerability management,

72
00:03:41,644 --> 00:03:43,693
which is a process of patching vulnerabilities,

73
00:03:43,693 --> 00:03:45,820
assessing your network

74
00:03:45,820 --> 00:03:48,870
and your systems, including cloud-based applications,

75
00:03:48,870 --> 00:03:52,090
in some cases to, you know, remediate some type

76
00:03:52,090 --> 00:03:53,470
of vulnerabilities.

77
00:03:53,470 --> 00:03:55,030
In this case, you know,

78
00:03:55,030 --> 00:03:58,460
what the threat hunting process does is

79
00:03:58,460 --> 00:03:59,940
that you come up with a hypothesis.

80
00:03:59,940 --> 00:04:01,041
As I mentioned to you before,

81
00:04:01,041 --> 00:04:05,473
typically the hypothesis is created using some type

82
00:04:05,473 --> 00:04:07,759
of information, some type of assumption.

83
00:04:07,759 --> 00:04:09,500
And in many cases

84
00:04:09,500 --> 00:04:12,940
that type of information is threat intelligence, right?

85
00:04:12,940 --> 00:04:15,880
Probably you are subscribing to a threat intelligence

86
00:04:15,880 --> 00:04:19,570
feed that can potentially give you somewhat of an insight

87
00:04:19,570 --> 00:04:22,092
into what attackers are actually doing in other organizations

88
00:04:22,092 --> 00:04:26,720
and potentially how to detect the indicators of compromise,

89
00:04:26,720 --> 00:04:28,210
how to manipulate your systems

90
00:04:28,210 --> 00:04:31,710
to be able to hunt, you know, for those threats.

91
00:04:31,710 --> 00:04:33,460
And so on, right.

92
00:04:33,460 --> 00:04:36,140
Now, threat hunting is not a new concept.

93
00:04:36,140 --> 00:04:38,290
Many organizations have performed threat hunting

94
00:04:38,290 --> 00:04:39,810
for a long time.

95
00:04:39,810 --> 00:04:41,980
However, in the last decade

96
00:04:41,980 --> 00:04:44,300
or so, many organizations have recognized

97
00:04:44,300 --> 00:04:47,800
that they either have to implement a threat hunting program

98
00:04:47,800 --> 00:04:51,037
or enhance their existing program to better

99
00:04:51,037 --> 00:04:53,800
defend their organizations, right.

100
00:04:53,800 --> 00:04:57,210
Now, there's no one-size-fits-all threat hunting process.

101
00:04:57,210 --> 00:04:59,978
However, there are several common best practices

102
00:04:59,978 --> 00:05:02,618
among mature organizations

103
00:05:02,618 --> 00:05:07,210
on how to perform this threat hunting process.

104
00:05:07,210 --> 00:05:09,250
First you come up with a hypothesis.

105
00:05:09,250 --> 00:05:11,370
And as I mentioned, it can be based on threat intelligence,

106
00:05:11,370 --> 00:05:16,370
some internal anomaly, or by just plain intuition.

107
00:05:17,010 --> 00:05:20,150
Then you use tools and methodologies to investigate; you move

108
00:05:20,150 --> 00:05:22,290
into hopefully, you know,

109
00:05:22,290 --> 00:05:25,170
revealing those new patterns and tactics

110
00:05:25,170 --> 00:05:28,296
and techniques and procedures, the TTPs from the attackers.

111
00:05:28,296 --> 00:05:31,058
And then, you know, hopefully you find the threat

112
00:05:31,058 --> 00:05:33,530
and you are able to remediate a threat

113
00:05:33,530 --> 00:05:35,880
and you refine and enrich, you know,

114
00:05:35,880 --> 00:05:38,390
the reporting using different types of analytics.

115
00:05:38,390 --> 00:05:41,210
And of course you get that outcome, right?

116
00:05:41,210 --> 00:05:42,530
And the lessons learned from it,

117
00:05:42,530 --> 00:05:45,740
and you feed it back to your incident response process.

118
00:05:45,740 --> 00:05:48,660
So you can actually learn how in the future

119
00:05:48,660 --> 00:05:52,570
you can catch those threats before it, of course, you know,

120
00:05:52,570 --> 00:05:56,453
passes your security controls and your security monitoring.

121
00:05:57,320 --> 00:05:59,220
Now, the last thing that I want to cover is

122
00:05:59,220 --> 00:06:01,490
that you can measure the maturity

123
00:06:01,490 --> 00:06:02,830
of your threat hunting program

124
00:06:02,830 --> 00:06:05,560
within the organization in many ways, but here

125
00:06:05,560 --> 00:06:09,119
I'm showing a high-level matrix that can be used to

126
00:06:09,119 --> 00:06:12,300
evaluate the maturity level of your organization

127
00:06:12,300 --> 00:06:15,470
against different high-level threat hunting elements.

128
00:06:15,470 --> 00:06:18,660
And as you see here, basically you have the threat hunting

129
00:06:18,660 --> 00:06:21,210
high-level elements on the left

130
00:06:21,210 --> 00:06:23,760
and the threat hunting maturity level

131
00:06:23,760 --> 00:06:27,048
across the top, across the matrix here, from initial

132
00:06:27,048 --> 00:06:30,286
or minimal, that you basically are just getting started

133
00:06:30,286 --> 00:06:33,870
with threat hunting, to level three,

134
00:06:33,870 --> 00:06:35,859
which is an innovative, right,

135
00:06:35,859 --> 00:06:38,160
or what we call the leading level.

136
00:06:38,160 --> 00:06:40,930
And to the fact that you are, you have a really

137
00:06:40,930 --> 00:06:44,344
good mature process to perform threat intelligence.

138
00:06:44,344 --> 00:06:48,516
And if you look down the list, especially in level three,

139
00:06:48,516 --> 00:06:51,720
you see the word automation a lot

140
00:06:51,720 --> 00:06:55,456
because automation is crucial for incident response,

141
00:06:55,456 --> 00:06:58,125
for threat hunting, for vulnerability management

142
00:06:58,125 --> 00:07:03,125
and all the security operations within your organization.

143
00:07:03,490 --> 00:07:06,430
So again, you know, this is just a reference,

144
00:07:06,430 --> 00:07:08,800
you know, again, you can actually measure the maturity

145
00:07:08,800 --> 00:07:11,710
of your threat hunting program in many different ways,

146
00:07:11,710 --> 00:07:13,945
but this one is a very easy way to

147
00:07:13,945 --> 00:07:16,610
basically even look at trends,

148
00:07:16,610 --> 00:07:20,608
if your threat hunting process is, you know, maturing enough

149
00:07:20,608 --> 00:07:23,863
and you can actually claim some success in some areas.