In addition, I run a four-day course for Advanced Network Threat Hunting online training hosted by Antisyphon. Chris Brenton is a genius in threat hunting, and he provides insight into today's attacks. Important tools such as RITA and Zeek for threat hunting are required to find the bad boys in the network.
Today IT teams as well as IT security teams need to spend time on this type of work too. Only with threat hunting does an IT team really learn about its own network.
Here is my Top 5 list to catch the bad boys before the bad boys win the game:
- Upgrade your backup strategy to a state-of-the-art backup system. If you set up your backup strategy two years ago or longer, it is now time to review it and adjust it based on the current cyber threat landscape.
- Actively monitor your Windows Active Directory for specific events (group changes, password sprays, RDP connections, Kerberoasting).
- Implement the free IT security tools Sysmon and the ELK Stack in your environment to gain visibility into activities in your network and systems, and to get critical IT security alerts in real time.
- Instead of only planning your next external IT pentest, consider a threat hunting exercise for the same days. Together with the threat hunting team you will learn a lot about the network traffic within your company.
- Secure your DNS queries with a third-party service provider (very easy to implement without downtime or heavy system changes).
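To make the Active Directory monitoring point concrete, here is an added example (not from the original post, the course, or any tool named above) that runs two simple detections over constructed Windows Security events: a password spray (many distinct accounts failing from one source, event 4625) and Kerberoasting (one account requesting RC4-encrypted service tickets, event 4769 with ticket encryption type 0x17, for several service accounts). The flattened field names, sample values and thresholds are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a flattened form of Windows Security log fields.
# Not real log data; field names are assumptions for this example.
SAMPLE_EVENTS = [
    # Password spray: one source tries six different accounts within one minute.
    *[{"time": f"2024-05-01T08:00:{i:02d}", "id": 4625, "user": f"user{i}",
       "src_ip": "10.0.0.50"} for i in range(6)],
    # A single user mistyping their password three times: not a spray.
    *[{"time": f"2024-05-01T08:10:{i:02d}", "id": 4625, "user": "bob",
       "src_ip": "10.0.0.77"} for i in range(3)],
    # Kerberoasting pattern: one account requests RC4 (0x17) tickets for four services.
    *[{"time": "2024-05-01T09:00:00", "id": 4769, "user": "mallory",
       "service": s, "enc_type": "0x17"}
      for s in ("svc_sql", "svc_web", "svc_backup", "svc_print")],
    # Benign AES (0x12) ticket request for a computer account.
    {"time": "2024-05-01T09:01:00", "id": 4769, "user": "alice",
     "service": "FILESRV01$", "enc_type": "0x12"},
]


def detect_password_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """Return source IPs whose failed logons (4625) cover at least
    `min_accounts` distinct accounts inside any `window`-long interval."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_src[e["src_ip"]].append((datetime.fromisoformat(e["time"]), e["user"]))
    hits = set()
    for src, items in by_src.items():
        items.sort()
        for t0, _ in items:
            accounts = {u for t, u in items if t0 <= t <= t0 + window}
            if len(accounts) >= min_accounts:
                hits.add(src)
                break
    return sorted(hits)


def detect_kerberoasting(events, min_services=3):
    """Return accounts that requested RC4 (0x17) service tickets (4769) for at
    least `min_services` distinct non-computer service names."""
    by_user = defaultdict(set)
    for e in events:
        if (e["id"] == 4769 and e.get("enc_type") == "0x17"
                and not e["service"].endswith("$")):
            by_user[e["user"]].add(e["service"])
    return sorted(u for u, s in by_user.items() if len(s) >= min_services)
```

In a real deployment the same two functions would read from the Sysmon/ELK pipeline mentioned above instead of the constructed list, and the thresholds should be tuned to your own baseline.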
What threat hunting should be
- A proactive validation of all systems connected to the organization’s network
- Needs to include all systems
  - Desktops, laptops, cellphones, tablets
  - Servers, network gear, printers
  - IoT, IIoT, any type of Internet "Thing"
- Execute without cognitive bias
- Deliverable is a compromise assessment
What does threat hunting replace?
- Does not replace any existing security disciplines
- Still need:
  - EDR software
  - Proper segmentation
  - Network-based intrusion detection
  - Strong authentication
- Threat hunting simply identifies when these protection layers fail
