So I’ve got to be quick while writing this, as I’m about to go back home after a week of training. I’ve been feeling the guilt for some time, knowing that I entirely missed posting in April and it was looking like a slippery slope into May with nothing written this month.
So this is the second course I’ve had with this training provider, and while they’re expensive, meeting people in the industry, playing capture the flag with them and networking with them is incredibly valuable.
Half-way through training I had to go on site to do some IR/Forensics, and I missed a couple of days of training. That’s fine, I’ll catch up on that later. Sitting at the airport though, I started reading through some blogs on Threat Hunting. I wanted to compare what I’d been learning this week, with how the rest of the industry does things and just keep the fire burning. I’m still pumped, and thought doing some extra research would be a good thing.
With the course, reading these blogs, and attending a customer site, I had to write about it. Getting a start when hunting is always the hardest bit. However, the journey of 1000 miles begins with a single step. I’m not sure about your personal experience, but have you heard about living off the LANd before? This is where legitimate tools that could be used by your SysAdmins are used by the adversary to complete their actions.
By using native tools, there may be no malware and there may be no signature. So do you know what your environment is running right now? What do you consider normal? To spot the attacker, you must know what is happening within your environment first. Building that baseline – talking to your admins (crushing the silos), using gold images, understanding what is normal within your logs – is a start, and it will take you much further than you might expect.
Threat hunting is not hard; going back to basics is all you need. Understand what is in your own backyard, then play spot the difference.
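To make "know your backyard, then spot the difference" concrete, here is an added example (my own, not code from the post) that builds a baseline of which native binaries normally run on which hosts, and launched by which parent process, then flags hunt-period events that deviate from it. The pipe-delimited event format and all host, user and process names are constructed for the example; in practice the baseline would come from your process-creation telemetry (Sysmon, EDR, audit logs) collected over a period you have confirmed as clean with your admins.

```python
"""Baseline-and-diff hunt over process-creation events.

Added example; not code from the original post. Event format
(host|user|parent_image|image) and all sample values are constructed.
"""
from collections import defaultdict

# Constructed "known-good" events gathered while building the baseline.
BASELINE_LOG = """\
WS01|alice|explorer.exe|outlook.exe
WS01|alice|explorer.exe|chrome.exe
WS02|bob|explorer.exe|winword.exe
WS02|bob|explorer.exe|chrome.exe
ADMIN1|admin|explorer.exe|cmd.exe
ADMIN1|admin|cmd.exe|powershell.exe
ADMIN1|admin|cmd.exe|certutil.exe
"""

# Constructed events from the period being hunted over.
HUNT_LOG = """\
WS01|alice|explorer.exe|chrome.exe
WS02|bob|winword.exe|powershell.exe
WS02|bob|cmd.exe|certutil.exe
ADMIN1|admin|cmd.exe|powershell.exe
WS01|alice|explorer.exe|unknowntool.exe
"""


def parse_events(text):
    """Parse pipe-delimited process-creation lines into dicts, skipping blanks/comments."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, user, parent, image = line.split("|")
        events.append({"host": host, "user": user, "parent": parent, "image": image})
    return events


def build_baseline(events):
    """Record what normally runs: every image seen, images per host, parents per image."""
    baseline = {
        "images": set(),
        "host_images": defaultdict(set),
        "parents": defaultdict(set),
    }
    for e in events:
        baseline["images"].add(e["image"])
        baseline["host_images"][e["host"]].add(e["image"])
        baseline["parents"][e["image"]].add(e["parent"])
    return baseline


def spot_the_difference(baseline, events):
    """Return a list of (event, reasons) for events that deviate from the baseline.

    A native tool that is "normal" somewhere can still be abnormal on a given host
    or under a given parent, which is the living-off-the-land case the post describes.
    """
    findings = []
    for e in events:
        reasons = []
        if e["image"] not in baseline["images"]:
            reasons.append("image never seen anywhere in baseline")
        else:
            if e["image"] not in baseline["host_images"][e["host"]]:
                reasons.append("image never seen on this host")
            if e["parent"] not in baseline["parents"][e["image"]]:
                reasons.append("unusual parent for this image")
        if reasons:
            findings.append((e, reasons))
    return findings


def run_hunt(baseline_text=BASELINE_LOG, hunt_text=HUNT_LOG):
    """Build the baseline from one log and diff a second log against it."""
    baseline = build_baseline(parse_events(baseline_text))
    return spot_the_difference(baseline, parse_events(hunt_text))


if __name__ == "__main__":
    for event, reasons in run_hunt():
        print(f"{event['host']}: {event['parent']} -> {event['image']}  [{', '.join(reasons)}]")
```

Running it flags three of the five hunt events: powershell.exe launched by winword.exe on a workstation where it never ran before, certutil.exe appearing on a user workstation when the baseline only ever saw it on the admin host, and a binary the baseline has never seen at all. The other two events match the baseline and are silent, which is the point: the noise you have to wade through is proportional to how well you understood "normal" before you started.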