HUNTPEDIA – Your Threat Hunting Knowledge Compendium by sqrrl

The Origin of Hunting and Why It Matters

Threat hunting: Everyone’s doing it, or at least wants to do it. What is the origin of this term? In 2011 I wrote an article for Information Security Magazine titled “Become a Hunter.” I said in part:
“In the mid-2000s, the Air Force popularized the term ‘hunter-killer’ for missions whereby teams of security experts performed ‘friendly force projection’ on their networks. They combed through data from systems and in some cases occupied the systems themselves in order to find advanced threats. The concept of ‘hunting’ (without the slightly more aggressive term ‘killing’) is now gaining ground in the civilian world.”[1]
At the time I was nearing the end of my four-year term as Director of Incident Response at General Electric, and I described the threat hunting work done by my team’s incident handlers: “Senior analysts [take] junior analysts on ‘hunting trips.’ A senior investigator who has discovered a novel or clever way to possibly detect intruders guides one or more junior analysts through data and systems looking for signs of the enemy. Upon validating the technique (and responding to any enemy actions), the hunting team should work to incorporate the new detection method into the repeatable processes used by SOCtype analysts. This idea of developing novel methods, testing them into the wild, and operationalizing them is the key to fighting modern adversaries.”[2

Download the complete report and read more here. ?? CISO2CISO.COM

Views: 6