Chapter 8 - 01 - Discuss Threat Hunting - 01_ocred_fax_ocred.pdf
Document Details
Uploaded by barrejamesteacher
null
EC-Council
Tags
Related
- Chapter 1 - 02 - Define Threat Actors_Agents - 02_ocred.pdf
- Chapter 1 - 02 - Define Threat Actors_Agents - 03_ocred.pdf
- Chapter 8 - 01 - Discuss Threat Hunting - 01_ocred.pdf
- Chapter 8 - 01 - Discuss Threat Hunting - 02_ocred.pdf
- Chapter 8 - 01 - Discuss Threat Hunting - 02_ocred_fax_ocred.pdf
- Chapter 02 - Cybersecurity Threat Landscape.pdf
Full Transcript
Certified Cybersecurity Technician Exam 212-82 Network Security Assessment Techniques and Tools Module Flow Discuss Threat Hunting...
Certified Cybersecurity Technician Exam 212-82 Network Security Assessment Techniques and Tools Module Flow Discuss Threat Hunting Discuss Various Threat Intelligence Feeds and Sources Discuss Vulnerability Assessment Discuss Ethical Hacking Concepts Understand Fundamentals of Penetration Testing and its Benefits Understand the Fundamentals of Configuration Management and Asset Management Copyright © by EC-C eil. All Rights Discuss Threat Hunting Threat hunting helps in counteracting the cyber threats with a systematic process and in detecting the most recent and sophisticated threats that have affected the organization’s network. It is important for organizations to employ a threat hunting process to prevent malicious actors from penetrating and remaining covertly in the network. This section discusses the threat hunting process, threat hunting maturity model, and threat hunting tools. Module 08 Page 1014 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Network Security Assessment Techniques and Tools Threat Hunting p Threat hunting is a proactive and iterative approach of searching networks, devices, endpoints, and datasets to identify and isolate the cyber threats that have entered a network by evading the current security systems Threat Hunting Steps Collect and process: Collect and Investigation: Investigate malicious analyze data using threat intelligence files/activities to eliminate the identified threats Hypothesis: Make Trigger: Based on the hypothesis, threat- Response: Generate a assumptions using TTPs detection tools trigger an anomaly report for future detection Threat Hunting Threat hunting is a proactive and iterative approach of searching networks, devices, endpoints, and datasets to identify and isolate the cyber threats that have entered a network by evading the current security systems. Threat hunting is performed by a threat hunter or security analyst by thorough research on existing indicators of compromise and advanced persistent threats across networks and devices. Security analysts track down attack attempts using threat hunting software or tools and eliminate hidden threats before they cause any damage to the assets. Steps of Threat Hunting Discussed below are the various steps involved in the threat hunting process. Collect and process: Collect and Investigation: Investigate malicious analyze data using threat intelligence files/activities to eliminate the identified threats Hypothesis: Make Trigger: Based on the hypothesis, threat- Response: Generate a assumptions using TTPs detection tools trigger an anomaly report for future detection Figure 8.1: Steps involved in the threat hunting process Module 08 Page 1015 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Network Security Assessment Techniques and Tools = Step 1: Hypothesis The hypothesis is an idea or assumption regarding threats existing in the environment and ways to discover them. It includes the attacker’s TTP. Threat hunters use threat intelligence, together with all the available resources such as system and network logs and network flow, to identify threats. = Step 2: Collect and process the data To investigate the threats, hunters must collect and process accurate data and threat intelligence; this process requires a plan. Security information and event management (SIEM) software can help in tracking historical events and activities in the network. Threat hunters analyze the collected data using threat intelligence to identify malicious activities. = Step 3: Trigger Based on the hunter’s hypothesis, the threat detection tools may trigger an anomaly in the system or network, following which the investigation process begins. = Step 4: Investigation After finding the exact location of the anomaly, the threat hunters use threat detection tools such as endpoint detection and response (EDR) to diagnose the malicious behaviors in the network or system. The hunter can eliminate the identified threats only after thorough investigation of the malicious files/activities. = Step 5: Response/resolution If the hypothesis were confirmed, the malicious system is identified and isolated. The above steps can help in eliminating the malware and restoring the files. The identified information is labeled as a new mitigation technique/indicator of compromise and is added to the list for identifying similar threats in the future. Subsequently, analysts create a new rule for the threat, update the firewall/IPS, and make configuration changes accordingly. Module 08 Page 1016 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Network Security Assessment Techniques and Tools Types of Threat Hunting 9 o » [, Intel-driven Hunting. @ @ TTP-driven Hunting bfi 1 Data-driven Hunting ‘ ‘ Hybrid Hunting Types of Threat Hunting The threat hunting process begins with the analyst determining what they need to hunt. A series of planned and organized hunts can gather appropriate data, which can be used further to detect cyber threats effectively. There are different types of threat hunting methods, which help in discovering threats in advance: = Data-driven Hunting: Generating a hypothesis from observations is the initial step in hunting activities. It is a simple process of searching for what analysts can hunt from existing data. Organizations check DNS data and proxy logs for hunting. = Intel-driven Hunting: Threat intelligence data or feeds are potential sources to hunt for threats in advance. Enterprises should have different levels of trust in both intelligence feeds and utilities. = Entity-driven Hunting: Irrespective of the sizes of the network and administrative teams, enterprises are required to prioritize hunting operations to enhance the success rate. Attackers often target high-valued assets such as servers, privileged accounts, and domain controllers. Entity-driven hunting helps in initiating hunts over critical assets with high risk and protect network resources and other intellectual properties. = TTP-driven Hunting: To prevent attacks before they damage assets, organizations must understand or be aware of the tactics, techniques, and procedures (TTPs) and tools attackers employ to compromise networks or systems. It is also important to note where an attack has been initiated and how attackers achieve further goals. These techniques are also a part of threat hunting, through which a conceptual representation of tackling imminent issues is created. Module 08 Page 1017 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Network Security Assessment Techniques and Tools Hybrid Hunting: Hybrid hunting can be a combination of any of the above-mentioned hunting types that yields a productive output. For instance, a hunting process initiated based on intel about an attack can reveal what type of TTP an attacker can use and the type of assets an attacker can target, resulting in a combination of intel-, TTP-, and entity-driven hunting, which is a form of hybrid threat hunting. Characteristics of Threat Hunting Threat hunting is not confined to large enterprise networks. Even small and medium organizations implement it by applying the following characteristics. Prescient hunting: The prescient approach identifies all imminent threats, instead of simply relying on the alerts generated by security monitoring tools. Threat hunters presciently identify intruders before alerts are generated. Trusting the hypothesis: Rather than relying solely on the alerts generated by automated threat detectors, threat hunters analyze all the data, conduct an investigation based on the hypothesis, and create a new rule based on their findings. Following traces: It is a process of analyzing the compromised systems and traces left by attackers in a network. A threat hunter follows these traces and proceeds with their investigation, irrespective of its depth. Creating new methods: Threat hunters need not follow existing rules; they can stay ahead of attackers by creating new rules. Threat hunters can use their creativity and adopt relevant methods to attain their ultimate goal. Module 08 Page 1018 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited.
