Hunting Is Sacred, But We Never Do It for Sport! – SANS THIR Summit 2019
“Hunting is sacred, little brother. It’s our right, but we never do it for sport!” Bagheera teaches Mowgli that jungle law during a hunt. Predators have to FIND prey and KILL in order to survive, and they do it instinctively. Threat Hunting and Incident Response (THIR) practitioners also have to do both effectively in order to survive. In cybersecurity, threat hunting (FIND) and incident response (KILL) are interrelated practices, but they are distinct in nature. When a hunt sortie identifies a threat (prey) in the environment, it has to be followed by an effective incident response. That sounds straightforward, but the details and the overlooked seams between the two practices are underestimated and may lead to failure. Are the two THIR practices conducted by one team, or by two different teams? Internal or external? When do you switch from TH to IR? Does the first true positive come from the TH? How are new injects from the TH cycle integrated into an already running IR cycle? How do you synchronize and integrate the two practices? We have good models and practices to run and manage THIR, but for the most part separately. We need to do more to seamlessly integrate the two practices and mend the seams between them.
In this session we’ll present examples where THIR has failed due to the overlooked seams between the two practices. Attendees will learn how to run the two practices seamlessly as one process – that is, how to stitch the seams between them – as well as how the original Kill Chain (F2T2EA) model can be used to run an effective THIR.
Ashraf M. Abdalhalim, Incident Response and Forensics, Senior Consultant, FireEye