ATT&CK based hunt engineering on Windows
Threat hunting is a hot topic at the moment, however this entails a lot more than some random digging through data or copy pasting queries you’ve found on the internet.
The pre-hunt process is a crucial factor in the whole chain to be truly effective in being able to catch any attacker in your network.
Understanding the techniques or tooling an attacker could utilize, the various options they can use and what kind of indicators can be extracted from them will help you build proper hunts, which ideally also lead to automated detection capabilities.
Log data obviously is a very important factor here, after executing various variants of an attack we examine all available data to see what kind of indicators were generated and which ones are of use with an acceptable false possible rate.
This training focusses on the whole cycle, from defining a hunt to researching the relevant techniques to building the hunting logic and executing it on a large dataset.
Agenda
Day 1 - Pre-Hunt activities
- Introduction
- Hunting principles
- Different ways of hunting
- Using and understanding MITRE ATT&CK
- Understanding your adversaries and their techniques
- Understanding and assessing (your) data
- Information resources
- Using threat information
- Exercise : Research a technique and assess your visibility
- Data sources and hunt tooling
- Exercise : Defining a hunt from threat information
- Define the analytics for your hunt
- Exercise: Executing your hunt
- Reporting your findings
Day 2 - Hunting activities
- Short recap of day 1
- Filtering the noise
- Validation of your results
- Improving a hunt
- Threat briefing
- Threat Hunting application introduction
- Briefing Hunting Lab
- CTF Style lab
Requirements
- Laptop with a modern browser;
- VMWare, VirtualBox or Parallels installed.