Threat Hunting
Definition of Threat Hunting
Ability to proactively and iteratively search through log data to detect and isolate security issues. This requires familiarity with typical log and processing flows and what constitutes abnormal or suspicious behavior. Proficiency in this area entails helping discover security breaches or attempted breaches as early as possible and helping tune and write automated alerts based on known malicious behavior.
Assistant / Associate:
Analysis of automated alerts
Analysis of manual threat hunting or other intel data
Raise observations as potential threats
Senior Associate / Professional:
Validation of threat observations as actual incidents or false positives
Creation and updates to automated alerting and security monitoring dashboards
Senior Professional / Principal:
Integration of new log sources and data types
Works with security engineering to improve visibility and reduce detection time of new incidents
How to Develop Threat Hunting
Training Courses:
· SANS SEC511 – Continuous Monitoring and Security Operations
· SANS FOR572 – Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response
Online Videos:
· https://www.youtube.com/watch?v=dYoYMsJ5aIc
· https://www.slideshare.net/RyanKazanciyan/hunting-in-the-dark-htcia-2015-52389487
· https://www.youtube.com/watch?t=1&v=MUUseTJp3jM
Experiences:
· Look at log streams from applications or systems you have access to and consider how the patterns in those logs might change if the application or system were under attack or had been breached.
How to Demonstrate Threat Hunting
DO: Describe what you did in completing / achieving your development plan
· Spend time looking through log data, typically in a log correlation engine like Humio or ELK.
· Look for abnormal traffic patterns or signs of attack or breach
ASSESS: Share, if applicable, any assessments that were taken / provided related to your activities
· Review trends in incidents over time
· Examine time spent performing work for customers vs other activities
· Review customer feedback and share insights with your team
LEARN: Explain what you felt that you were able to learn during your journey / experiences
· Study best practices for threat hunting in different types of data
· Observe customer-facing processes in other university departments
· Describe how the mission/vision of your department contributes to customer satisfaction
APPLY: Give specific examples where you have made / plan to make direct application to your work
· Share how you might streamline the threat hunting process.
· Create procedures and documentation for others to follow to use with the same log/intel log streams in the future.
REFLECT: Review / consider things you would have done differently had you had this experience earlier
· What types of threats will you watch most closely for?
· How does learning more change your view of threat hunting?