Fastest 2 Minutes in SecOps (Threat Hunting Part 2)

John Stoner: There are a couple of different ways to approach a hunt. One method is to approach your hunt from the perspective of the victim, not a specific individual, but think about the crown jewels within the organization that might be targeted and how might an adversary attempt to gain access to these jewels. Another idea would be to identify some recent pain points encountered based on red team assessments or security incidents and hunt for additional activity related to these events and attempt to uncover additional findings. If a red team uncovered a finding, chances are an adversary may as well. Another approach is to focus on adversary capabilities. Using a framework like MITRE ATT&CK can be valuable to generate ideas around conducting hunts for specific techniques and sub techniques. That said, it is important to understand that many adversary techniques are also used during normal operations, so not all scheduled tasks are a bad thing. Hunting should be conducted on a regular basis, but be careful when you plan to perform these hunts. If a hunt is scheduled for Friday afternoon and an incident is declared based on the findings, it may create havoc with a lot of folks' plans. During these hunts, make sure to focus, establish a scope, both in time and systems. Subsequent hunts to go further could always be undertaken. Hunters will get tired, and diminishing returns are a real thing, which is why building hunting into a regular cadence can be a great idea. I like to contextualize hypothesis- driven hunting in the structure of the scientific method, Determine what problem we are trying to solve, develop a hypothesis, experiment, document our findings, and refine from there. Even if we don't find anything in our hunt based upon the hypothesis we developed, we have still learned something.