In this webinar, Lumu CTO Jeff Wheat and the Carahsoft team discuss key strategies for implementing a successful threat hunting practice. The presentation emphasizes the importance of understanding indicators of compromise and having clear visibility into the network, specifically by analyzing metadata from DNS logs, firewalls, and proxies to identify unauthorized outbound communications. Wheat highlights that knowing the identity, contact patterns, and behavior of the threat actor is critical to effectively diagnosing and curing cybersecurity issues within an organization.
The session also covers the essential stages of threat hunting, including identifying triggers, conducting investigations, and executing resolutions. Advanced capabilities such as labeling networks for prioritization and utilizing machine speed to analyze broad spectrums of information are showcased. Ultimately, by understanding the tactics, techniques, and procedures (TTPs) of threat actors, organizations can anticipate their movements and secure their environments more effectively.
Takeaways
- Continuous Compromise Assessment: Successful threat hunting requires a mindset shift from ‘thinking you are good’ to ‘assuming you are compromised’ and proactively looking for evidence.
- TTPs and the Pyramid of Pain: Defenders should aim to detect Tactics, Techniques, and Procedures, as these are the hardest and most expensive elements for an attacker to change, unlike easily altered hashes or IP addresses.
- Network Metadata as the ‘Crown Jewels’: Because almost all parts of the Cyber Kill Chain — delivery, exploit, command and control, and exfiltration — rely on the network, metadata like DNS and firewall logs are critical for visibility.
- Retrospective Hunting Capability: Security platforms must be able to look back through historical data (up to two years) to find the first contact with an adversary once a new indicator is discovered.
- Automation Against Machine Speed: As tools like WormGPT allow less sophisticated actors to scale advanced attacks, defenders must use automation to block threats in milliseconds and provide rapid context to human analysts.