What Is Hunting?

3_Types_of_Data_Vulnerable_to_Data_ExfiltrationThe SQRRL blog posted an excellent article defining what hunting is by David Bianco. The biggest take-away is that hunting does not start with indicators … rather it starts with questions. I’ve included a few snippets from the article below focusing on David’s definition, how it is related to the kill chain, and the skills that are necessary. This is similar to the definition Andrew Case gave at his keynote at BSidesTampa a few weekends ago.

via SQRRL.com

How do you define hunting?

Hunting is the practice of searching iteratively through your data to detect and isolate advanced threats that evade more traditional security solutions. You are not really starting with automated alerts, just a bunch of data and some questions. …

Do you use indicators of compromise to organize and drive hunting trips, or do you use other approaches?

Your starting point is never an indicator; it’s always a question, or a hypothesis. Your question might be “Is data exfiltration happening?” or your hypothesis might be “If there is data exfiltration happening, it’s most likely going on through this part of the network.” …

In pursuing adversaries via hunting, is there a point in the kill chain where an adversary is more exposed?

Mostly you’re looking for where they will leave the largest digital footprints, which is mostly in the command and control and act on objectives phases. …

What are the ideal skills or qualities a hunter should possess? From your experience, where do analysts acquire the requisite skills to be one?

I would say the best skills are inquisitiveness, persistence, and a real willingness to learn. If you have those 3 you can find things successfully.

Read the full article here.


Today’s post pic is from IM-TechSolutions.com.

3 comments for “What Is Hunting?

  1. March 4, 2015 at 2:55 am

    What Is Hunting? http://t.co/LiR6vSWfZc

  2. March 4, 2015 at 4:11 am

    BLOGGED: What Is Hunting? http://t.co/MGCC5RAUTC

  3. March 6, 2015 at 12:05 pm

    novainfosec: What Is Hunting? Find out more here! http://t.co/wrMiDWlLkL #infosec

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.