Threat Hunting Maturity Model Overview

Questions and Answers

What does the Threat Hunting Maturity Model (HMM) primarily assess?

  • The quantity and quality of information collected for investigation (correct)
  • The complexity of threat intelligence sources
  • The number of security breaches prevented
  • The cost-effectiveness of threat hunting tools

Which level of the Threat Hunting Maturity Model is characterized by the creation of custom data analysis procedures?

  • Level 0: Initial
  • Level 3: Innovative (correct)
  • Level 1: Minimal
  • Level 2: Procedural

What is the purpose of intelligence fusion in cyber threat management?

  • To automate the response to threats
  • To integrate various cybersecurity intelligence sources (correct)
  • To enhance communication within security teams
  • To evaluate the efficacy of threat hunting tools

Which type of threat intelligence focuses on high-level information about changing risks?

Answer: Strategic (C)

What is a common characteristic of threat feeds?

Answer: They offer real-time information collected from current attacks. (D)

In the context of the Threat Hunting Maturity Model, what does Level 4: Leading refer to?

Answer: Automating existing data analysis procedures (D)

Which group primarily consumes tactical threat intelligence?

Answer: IT Service and SOC Managers (D)

Which level of the Threat Hunting Maturity Model has low data collection and relies mainly on automated alerts?

Answer: Level 0: Initial (B)

What is a defining characteristic of prescient hunting in threat hunting?

Answer: Identifying imminent threats before alerts are generated (A)

Which step is NOT part of the threat hunting process?

Answer: Perform a vulnerability scan (C)

What is one key benefit of penetration testing?

Answer: It identifies potential security weaknesses (B)

Which of the following typically does NOT contribute to effective vulnerability assessment?

Answer: Outdated software tools (D)

In ethical hacking, what is the primary objective of conducting a penetration test?

Answer: To identify and remediate security vulnerabilities (A)

Which aspect of configuration management is most important for maintaining security?

Answer: Using best practices for documentation and controls (A)

What role does hypothesis play in threat hunting?

Answer: It guides the investigation and data analysis (B)

Which of the following best describes the 'following traces' step in threat hunting?

Answer: Analyzing compromised systems for attacker footprints (D)

What role does AI play in threat hunting?

Answer: AI enhances the identification and response to threats across networks. (D)

Which platform is primarily used for sharing and correlating Indicators of Compromise (IoCs)?

Answer: MISP - Open Source Threat Intelligence Platform (A)

What is one of the benefits of using AI-backed predictive analysis in cybersecurity?

Answer: It helps security teams to take proactive measures against potential threats. (A)

Which of the following describes the MISP threat intelligence platform’s main function?

Answer: It shares, stores, and correlates Indicators of Compromise. (B)

In the context of ethical hacking, what is the primary focus of penetration testing?

Answer: Finding and exploiting vulnerabilities in a system or network. (C)

Which of the following types of assessments is primarily concerned with identifying security flaws in systems?

Answer: Vulnerability Assessments (B)

What is a common misconception about the use of AI in cybersecurity?

Answer: AI can fully replace human security professionals. (C)

What does the term 'attack surface' refer to in cybersecurity?

Answer: The various points where an unauthorized user can try to enter or extract data. (D)


Study Notes

Threat Hunting Maturity Model (HMM)

  • The HMM describes the amount and quality of information collected from a network for investigation.
  • Level 0: Initial
    • Primarily relies on automated monitoring systems and alerts
    • Low data collection
  • Level 1: Minimal
    • Follows the latest threat reports
    • Moderate to high-level routine data collection
  • Level 2: Procedural
    • Adopts data analysis procedures created by others.
    • High to very-high-level routine data collection
  • Level 3: Innovative
    • Creates custom data analysis procedures
    • High to very-high-level routine data collection
  • Level 4: Leading
    • Automates existing data analysis procedures
    • High to very-high-level routine data collection

Threat Hunting Considerations

  • Intelligence fusion is an approach to integrate security with threat intelligence and other cyber intelligence sources.
  • Threat feeds are real-time feeds collected from real-time attacks. These feeds include Indicators of Compromise (IoCs), Indicators of Attack (IoAs), potential threats, vulnerabilities, and existing risks.
  • Advisories and bulletins are informative blogs or websites that provide information about the latest security threats and attacks.
  • Maneuver is a technique used in cyber warfare based on knowledge of some recent attacks and the nature of those attacks.

Cyber Threat Intelligence (CTI)

  • Is the collection and analysis of information about threats and adversaries, used to make decisions for preparedness, prevention, and response to cyberattacks.
  • Helps organizations identify and mitigate business risks by converting unknown threats into known threats and implementing advanced and proactive defense strategies.

Types of Threat Intelligence

  • Strategic: High-level information on changing risks. Consumed by High-Level Executives and Management.
  • Tactical: Information on attacker’s tactics, techniques, and procedures (TTPs). Consumed by IT Service and SOC Managers, Administrators.
  • Operational: Information on specific incoming attack. Consumed by Security Managers, Network Defenders.
  • Technical: Information on specific indicators of compromise. Consumed by SOC Staff, IR Teams.

Module Objectives

  • Understanding Threat Hunting Concepts
  • Understanding Cyber Threat Intelligence and Various Feeds and Sources of Threat Intelligence
  • Understanding Vulnerability Assessment and Various Types of Vulnerability Assessment
  • Understanding Ethical Hacking Concepts
  • Understanding Penetration Testing and its Benefits
  • Understanding the Importance of Asset Management and Configuration Management

Module Flow

  • Discuss Threat Hunting
  • Discuss Various Threat Intelligence Feeds and Sources
  • Discuss Vulnerability Assessment
  • Discuss Ethical Hacking Concepts
  • Understand Fundamentals of Penetration Testing and its Benefits
  • Understand the Fundamentals of Configuration Management and Asset Management

Threat Hunting

  • A proactive and iterative approach of searching networks, devices, endpoints, and datasets to identify and isolate cyber threats that have evaded current security systems.

Threat Hunting Steps

  • Collect and process: Collect and analyze data using threat intelligence
  • Hypothesis: Make assumptions using TTPs
  • Trigger: Based on the hypothesis, threat-detection tools trigger an anomaly.
  • Investigation: Investigate malicious files/activities to eliminate the identified threats
  • Response: Generate a report for future detection

Characteristics of Threat Hunting

  • Prescient hunting: Identifies all imminent threats, instead of simply relying on alerts generated by security monitoring tools.
  • Trusting the hypothesis: Analyzes all data, conducts an investigation based on the hypothesis, and creates a new rule based on the findings.
  • Following traces: Analyzes compromised systems and traces left by attackers in a network.
  • Creating new methods: Stays ahead of attackers by creating new rules.
  • ExoneraTor: https://metrics.torproject.org

AI and Predictive Analysis for Threat Hunting

  • Attackers use diverse and distributed mechanisms to evade existing security boundaries.
  • AI-based correlation of cyber threat intelligence, security intelligence, and predictive analysis can help organizations identify threats across every attack surface within their network.

Artificial Intelligence (AI) and Machine Learning (ML)

  • AI/ML enhances opportunities to respond to security incidents quickly.
  • Using AI and ML for threat hunting can reduce the time required for hunting, analyzing, and responding to threats

AI-backed Predictive Analysis

  • By performing predictive analysis through AI-backed intelligence, reactive measures can be taken in advance, enabling security teams to be ahead of attackers.

Threat Intelligence Frameworks

  • MISP - Open Source Threat Intelligence Platform: Used for sharing, storing, and correlating Indicators of Compromise (IoCs) of targeted attacks, threat intelligence, financial fraud information, vulnerability information, etc.
  • OSINT - Cisco IOS CVE-2018-0171 attack:
    • Event ID: 10683
    • Uuid: 5ac8cee2-2a78-4237-8830-d0b802de0b81
    • Org: CIRCL
    • Owner org: CIRCL
    • Contributors: [email protected]
    • Email:
    • Tags: tlp:white, circl:osint-feed, estimative-language:likelihood-probability="roughly-even-chance", estimative-language:confidence-in-analytic-judgment="moderate", cyber-threat-framework:Effect/Consequence="destroy-hardware-software-or-data"
    • Date: 2018-04-07
    • Threat Level: Medium
    • Analysis: Completed
    • Distribution: All communities
    • Info: OSINT Cisco IOS CVE-2018-0171 attack
    • Published: Yes
    • Attributes: 14
    • Last change: 2018/04/17 05:16:30
    • Extends:
    • Extended by: Event (10701): Constituency affected with CVE-2018-0171
    • Sightings: 0 (0)
    • Activity: Currently in atomic view.


Related Documents

EC Council CCT Module 8-L PDF
