Formulating An Intelligence-Driven Threat Hunting Methodology

Presented at Blue Team Con 2022, Aug. 27, 2022, 3:30 p.m. (30 minutes).

Consultants and marketing departments refer to “threat hunting” as a desired position for network defenders. By adopting this mindset, defenders can take an active role in pursuing intrusions. Yet precise methodologies for threat hunting are hard to come by, leaving the concept amorphous. In this discussion, we will explore a methodology to standardize the threat hunting process, using an intelligence-driven, adversary-aware approach to drive investigation. This discussion will reveal a series of concrete steps and operational techniques that defenders can leverage to produce a measurable, repeatable, sustainable hunting process. To illustrate the concept, we will also look at several recent examples of malicious activity where an intelligence-driven hunting process allows defenders to defeat fundamental aspects of adversary tradecraft. Audiences will emerge with a roadmap for building a robust threat hunting program to improve the defensive posture of their organizations.


Presenters:

  • Joe Slowik - Threat Intelligence & Detections Team Lead, Gigamon
    Joe Slowik has over 10 years' experience in information security. From varying roles in cyber operations for the US Navy to leading incident response operations at Los Alamos National Laboratory to managing intelligence-driven detection development at Gigamon, Joe has performed across all areas of blue team operations. Joe's primary professional focus is adapting an intelligence-driven approach to threat identification, detection, and hunting to best equip blue teams for success.