The Open Threat Hunting Framework: Enabling Organizations to Build, Operationalize, and Scale Threat Hunting

Presented at Black Hat USA 2022, Aug. 10, 2022, 2:30 p.m. (30 minutes)

"Ask 10 infosec professionals to define threat hunting and you'll get 11 different answers." Threat hunting is one of those interesting components of cybersecurity where everyone knows they should be doing it, but not everyone can fully articulate what threat hunting is.

In our roles as threat hunters, we're lucky enough to witness and evaluate the hunt programs of Fortune 100 companies, state and national governments, and partners and MSPs. This experience has shown us that one person's definition of threat hunting does not necessarily equal another's.

If you do an Internet search for "how to build a threat hunting program," there are plenty of results, and some include great insights into what makes a threat hunting program effective. However, while resources do exist, they're often tied to a specific vendor or a particular product and the best way to hunt using it. There's useful information, but you're left trying to find a way to make the proposed processes and techniques work for your environment rather than the one driven by the vendor.

"If you don't like the road you're walking, start paving another one." It's with that in mind that we're releasing a threat hunting framework that is free and not tied to any particular technology, one that can help organizations start a threat hunting program as well as improve threat hunting operations in existing programs.

This framework will enable organizations to take control of building a threat hunting program by providing a clear path to operationalizing threat hunting, along with a well-defined threat hunting process to ensure threat hunters are set up for success. We've responded to far too many incidents that could have been prevented with solid threat hunting operations, and we hope this project can help prevent future incidents.

Presenters:

  • Neil R. Wyler / Grifter - Global Lead of Active Threat Assessments, IBM Security X-Force
    Neil R. Wyler (a.k.a. Grifter) is the Global Lead of Active Threat Assessments for IBM X-Force. He has spent over 20 years as a security professional, focusing on vulnerability assessment, penetration testing, physical security, and incident response. He has been a staff member of the Black Hat Security Briefings for over 19 years and a member of the Senior Staff at DEF CON for over 20 years. Neil has spoken at numerous security conferences worldwide, including Black Hat, DEF CON, and the RSA Conference. He has been the subject of various online, print, film, and television interviews, and has authored several books on information security. In his free time, Neil keeps himself busy as a member of both the DEF CON and Black Hat CFP Review Boards and the Black Hat Training Review Board, as the founder of DC801, and as founder of his local hackerspace, 801 Labs.
  • Sameer Koranne - Global OT Lead, IBM Security X-Force
    Sameer Koranne has 21+ years of experience in cybersecurity, IT application development, and project management. His background includes OT security governance, assessments, consulting, and incident response for a large chemical manufacturing organization (150 plants across 15 different countries); intellectual property protection and information classification policy development and implementation; and cybersecurity training and awareness program development and management. Sameer has experience running an insider risk management program with DLP, and performing IT security assessments of applications, services, and third parties. Sameer also has several years of experience with custom application development and project management of onshore, nearshore, and offshore teams.
  • John Dwyer - Head of Research, IBM Security X-Force
    John Dwyer (@TactiKoolSec) is the head of research for the IBM Security X-Force where he focuses on understanding adversary operations, developing threat detection methodologies, and developing training and threat research content. In recent years, John has focused his efforts on researching ransomware adversary operations and developing simulation data to help drive improvements in the areas of incident response and threat hunting. John has spoken at multiple events including the SANS Threat Hunting Summits, ISC2 Security Congress, and Fulbright Commission Cybersecurity Exchange on threat hunting and ransomware operations.
