Title of Session

Threat Hunting: Give detection & response a transformation

Summary of Session

Threat hunting is a buzzword that is often misused and misunderstood. Definitions vary between organizations, but at its core it is a proactive search for advanced threats that were designed to evade both traditional preventive controls and automated detection: the last line of defense before data is exfiltrated, if you will.
Threat hunting differs from monitoring in that it is driven by a human analyst, even though it relies heavily on automation and machine assistance. The analyst's real task is to choose an initial threat, or indicator, to hunt for, frame it as a hypothesis, and work out how that kind of malicious activity would show up in the environment.

Threat hunting is achievable, and this session shares some of the ways to get there. Letting the right technology do the heavy lifting is a good place to start.

Presenter Short Biography

Bret Kukard (CISSP) has been in the Middle East since 2015, helping customers prepare for attacks, and respond to breaches by leveraging skills and technologies available in the market.

Bret Kukard (CISSP) brings 23 years’ experience in computers, over 19 years’ experience in networks and systems, and over 10 years’ experience in various cybersecurity roles. With a consultative understanding of security challenges faced by modern organizations, he is a trusted advisor in selecting, defining and designing solutions to address customer security risks.

Learning Objectives

The skills shortage is taking its toll on proactive detection, especially where threat hunting is concerned. Threat hunting requires experienced analysts with a very specific set of skills. Such analysts are hard to find, let alone afford. Generally, having an analyst with these skills is a luxury only three-letter agencies or the Fortune 500 can afford, but that does not mean threat hunting is out of reach for everyone else.

  1. Threat hunting takes time. With some technology solutions a single search can take hours, if not days, and open source tooling is a whole other story. You can make threat hunting viable for your team if you have solutions in place that speed up the workflow.
  2. What can technology bring to the threat hunting table?
      • Context: A solution that collates related alerts occurring on the same endpoint or IP address over time, and analyzes them together to provide context, makes developing realistic IOCs much faster than working from isolated alerts.
      • Rapid search: Solutions that index rich session metadata return results far faster than those that scan raw data; we are talking seconds and minutes, not hours or days.
      • Metadata: If a solution breaks sessions down into metadata fields (source, destination, port, protocol, timing and so on), you can ask much richer questions and prove or disprove your hypothesis much faster.
      • Evidence: If you are unlucky enough to prove your hypothesis correct, you need to act quickly and deliberately. A solution that lets you pivot immediately between network and endpoint views to isolate a machine is invaluable. You also want the evidence at your fingertips so you can make informed decisions, so make sure your solution lets you pull files and artifacts instantly, and capture volatile artifacts before or as you isolate, since isolation ends the very network sessions you may need as evidence.
  3. To better protect themselves against threats that slip past preventive controls, organizations need to consider proactive detection tactics such as threat hunting. Lack of resources and skills are valid barriers, but they can be overcome through Managed Detection & Response services.
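The following is an added example, not code from the session or the presenter, showing in miniature the three capabilities listed in objective 2 (alert context, rapid search over indexed metadata, and a hypothesis tested against session metadata). All hosts, addresses, alert rule names and timestamps are constructed sample data; the hypothesis ("a host with several clustered endpoint alerts is also beaconing to one external address at a fixed interval") and the thresholds are assumptions chosen for illustration.

```python
"""Added example: a hypothesis-driven hunt over constructed session metadata
and endpoint alerts. Not part of the original session material."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample data: sessions already broken down into metadata fields.
# Addresses are documentation ranges; nothing here is a real capture.
SESSIONS = [
    {"ts": "2024-03-01T09:00:00", "src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443, "proto": "tls"},
    {"ts": "2024-03-01T09:01:00", "src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443, "proto": "tls"},
    {"ts": "2024-03-01T09:02:01", "src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443, "proto": "tls"},
    {"ts": "2024-03-01T09:03:00", "src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443, "proto": "tls"},
    {"ts": "2024-03-01T09:00:30", "src": "10.0.0.5", "dst": "198.51.100.7", "dport": 443, "proto": "tls"},
    {"ts": "2024-03-01T09:00:10", "src": "10.0.0.9", "dst": "198.51.100.7", "dport": 443, "proto": "tls"},
    {"ts": "2024-03-01T09:07:45", "src": "10.0.0.9", "dst": "198.51.100.7", "dport": 443, "proto": "tls"},
    {"ts": "2024-03-01T09:31:02", "src": "10.0.0.9", "dst": "203.0.113.10", "dport": 443, "proto": "tls"},
]
# Constructed endpoint alerts; rule names are made up for the example.
ALERTS = [
    {"ts": "2024-03-01T08:58:00", "host": "10.0.0.5", "rule": "office_spawns_powershell"},
    {"ts": "2024-03-01T08:58:20", "host": "10.0.0.5", "rule": "powershell_encoded_command"},
    {"ts": "2024-03-01T08:59:10", "host": "10.0.0.5", "rule": "new_run_key_persistence"},
    {"ts": "2024-03-01T09:20:00", "host": "10.0.0.9", "rule": "powershell_encoded_command"},
]


def parse(ts):
    return datetime.fromisoformat(ts)


def build_index(sessions):
    """Inverted index: field -> value -> set of session ids. Indexing once
    turns every later question into a set intersection instead of a scan."""
    index = defaultdict(lambda: defaultdict(set))
    for sid, s in enumerate(sessions):
        for field, value in s.items():
            if field != "ts":
                index[field][value].add(sid)
    return index


def search(index, **criteria):
    """AND-query over the index; returns matching session ids in order."""
    hits = None
    for field, value in criteria.items():
        posting = index[field].get(value, set())
        hits = posting if hits is None else hits & posting
    return sorted(hits or ())


def alert_context(alerts, window=timedelta(minutes=10)):
    """Collate alerts per host. A host whose distinct rules all fired inside
    `window` is a better hunting start point than any single alert."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    context = {}
    for host, items in by_host.items():
        items.sort(key=lambda a: a["ts"])
        span = parse(items[-1]["ts"]) - parse(items[0]["ts"])
        context[host] = {"rules": sorted({a["rule"] for a in items}),
                         "within_window": span <= window}
    return context


def beacon_score(sessions, src, dst, min_sessions=4):
    """Regularity of src->dst sessions as the coefficient of variation of the
    gaps between them (low = fixed-interval beaconing). None if too few."""
    times = sorted(parse(s["ts"]) for s in sessions
                   if s["src"] == src and s["dst"] == dst)
    if len(times) < min_sessions:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    m = mean(gaps)
    return pstdev(gaps) / m if m else None


def hunt(sessions, alerts, min_rules=3, max_cv=0.1):
    """Test the hypothesis: hosts with >= min_rules distinct alerts in a short
    window AND a regular outbound beacon. Returns (host, dst, cv) findings."""
    index = build_index(sessions)
    findings = []
    for host, ctx in alert_context(alerts).items():
        if len(ctx["rules"]) < min_rules or not ctx["within_window"]:
            continue
        dsts = {sessions[i]["dst"] for i in search(index, src=host, proto="tls")}
        for dst in sorted(dsts):
            cv = beacon_score(sessions, host, dst)
            if cv is not None and cv <= max_cv:
                findings.append((host, dst, round(cv, 3)))
    return findings


if __name__ == "__main__":
    for host, dst, cv in hunt(SESSIONS, ALERTS):
        print(f"{host} -> {dst}: regular beacon (cv={cv}); isolate host and pull artifacts")
```

On the sample data only 10.0.0.5 satisfies both halves of the hypothesis: three distinct alerts within a minute of each other, and four sessions to 203.0.113.10 roughly sixty seconds apart. 10.0.0.9 has a single alert and irregular sessions, so it is left alone, which is the point of testing a hypothesis rather than chasing every alert. In a real deployment the index and the alert collation are what the platform provides; the analyst supplies the hypothesis and the thresholds.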