Threat Hunting in a nutshell. No Big Red Easy button. Not something that can be automated. Need analysts, trained analysts. Not an automated process, not something ML can do, regardless of what vendor xyz tells you. Has some similarities to law enforcement. Sometimes discoveries come on a hunch... Something just doesn't look "right" though it doesn't trigger any alerts, uses institutional knowledge, experience, and lots of familiarity with normal activity and malicious activity. IMO, it's the most exciting silo of network/information security because success will be based on training and experience and not how much money is available to throw at a security vendor. What does the current security environment tell you an attacker would do that's already inside your network? Form a working hypothesis and go hunting for evidence, try to prove your hypothesis doesn't exist. But even if you do, the things you'll discover about what's really going on in your environment will increase your security posture every time you write that threat hunt report. No bird's eye view, this is the view from inside that automation can't know is anomalous because no one can write an engine and policies and rules to exactly fit your environment and the things your users, or an attacker presented with your environment, would do.
(Photo: SANS FOR572 Courseware. Phil Hagen, author)
No comments:
Post a Comment