Going beyond basic perimeter defense, threat hunting is a proactive approach to finding nation-state-level Advanced Persistent Threats (APTs) that operate below the alert threshold of traditional network defenses. Hunters need to overcome the legacy challenge of relying on voluminous and often encrypted network data, such as packet captures (PCAP), to detect adversaries, and instead transform hunt operations by leveraging Endpoint Detection and Response (EDR) telemetry and knowledge of APT behaviors to find advanced threat actors targeting their organization. Hunters must also balance intuition with repeatability by documenting hunts and mapping them to the MITRE ATT&CK framework, while continually drawing on and learning from Cyber Threat Intelligence (CTI), Incident Response (IR), and Red Team operations to inform the analytical use cases that drive their hunt focus. In this session, vendor-agnostic use cases and analytics from both private- and public-sector hunts will provide context for application to any organization.
- An understanding of what endpoint threat hunting is and is not.
- How to identify and create threat hunting analytics.
- Detailed analyses of six vendor-agnostic hunt use cases and the associated analytics that attendees can take back and implement in their own environments.
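As an added illustration, not material from the session itself, the following Python sketch shows the shape of a vendor-agnostic hunt analytic run over EDR process-creation telemetry: three behavioral analytics, each documented with the MITRE ATT&CK technique it maps to, plus a frequency ("stacking") analysis that surfaces rare parent/child process pairs for analyst triage. The normalized event schema, host names, users and command lines are constructed for this example and do not come from any product or real hunt.

```python
import re
from collections import defaultdict

# Constructed, vendor-neutral EDR process-creation telemetry. The field names
# (host, user, parent, image, cmdline) are an assumed normalized schema, not any
# product's native format. Benign baseline activity across four hosts:
BASELINE = [
    {"host": h, "user": u, "parent": "explorer.exe", "image": img, "cmdline": img}
    for h, u in (("ws01", "jdoe"), ("ws02", "asmith"), ("ws03", "svc_backup"), ("ws04", "bnguyen"))
    for img in ("chrome.exe", "outlook.exe", "winword.exe")
]
# Constructed events of interest mixed into the same dataset:
INTERESTING = [
    {"host": "ws01", "user": "jdoe", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"host": "ws02", "user": "asmith", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"host": "ws03", "user": "svc_backup", "parent": "cmd.exe", "image": "rundll32.exe",
     "cmdline": "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 624 C:\\temp\\l.dmp full"},
]
EVENTS = BASELINE + INTERESTING

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob of plausible length
ENCODED_PS = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE)


def office_spawns_interpreter(ev):
    """Office application launching a command or script interpreter."""
    return ev["parent"] in OFFICE_PARENTS and ev["image"] in INTERPRETERS


def encoded_powershell(ev):
    """PowerShell launched with an encoded command line."""
    return ev["image"] == "powershell.exe" and ENCODED_PS.search(ev["cmdline"]) is not None


def comsvcs_minidump(ev):
    """rundll32 invoking comsvcs.dll MiniDump, a known LSASS dumping method."""
    cl = ev["cmdline"].lower()
    return ev["image"] == "rundll32.exe" and "comsvcs.dll" in cl and "minidump" in cl


# Each analytic is recorded with its hunt use case and MITRE ATT&CK technique ID;
# that documentation is what makes the hunt repeatable and reportable.
ANALYTICS = [
    ("Office application spawning an interpreter", "T1059", office_spawns_interpreter),
    ("Encoded PowerShell command line", "T1059.001", encoded_powershell),
    ("LSASS memory dump via comsvcs.dll MiniDump", "T1003.001", comsvcs_minidump),
]


def run_behavioral_analytics(events):
    """Apply every documented analytic to every event; return the hits."""
    findings = []
    for ev in events:
        for use_case, technique, predicate in ANALYTICS:
            if predicate(ev):
                findings.append({"host": ev["host"], "user": ev["user"], "technique": technique,
                                 "use_case": use_case, "cmdline": ev["cmdline"]})
    return findings


def rare_parent_child_pairs(events, max_hosts=1):
    """Frequency analysis ("stacking"): parent->child process pairs seen on at most
    max_hosts hosts across the fleet. Rarity is a lead for triage, not a verdict."""
    hosts_by_pair = defaultdict(set)
    for ev in events:
        hosts_by_pair[(ev["parent"], ev["image"])].add(ev["host"])
    return sorted((pair, sorted(hosts)) for pair, hosts in hosts_by_pair.items()
                  if len(hosts) <= max_hosts)


if __name__ == "__main__":
    for f in run_behavioral_analytics(EVENTS):
        print(f"[{f['technique']}] {f['use_case']} on {f['host']} ({f['user']}): {f['cmdline']}")
    for (parent, child), hosts in rare_parent_child_pairs(EVENTS):
        print(f"[stacking] {parent} -> {child} seen only on {hosts}")
```

The three behavioral hits are hypothesis-driven: each encodes a TTP that CTI, IR or a red team engagement has told the hunter to look for, and each carries the ATT&CK ID that goes into the hunt write-up. The stacking pass adds a fourth lead, the lone PowerShell script on ws02, which no signature would ever fire on; the analyst runs it down, closes it as a legitimate backup job, and documents that outcome so the next hunt can start from a known baseline. That triage loop, rather than the alert itself, is what distinguishes hunting from detection engineering.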
Technical Level: Advanced