Threat Hunting & Incident Response
Shift from a reactive to a proactive defense posture. This module teaches you how to actively hunt for threats within your network, analyze indicators of compromise, and respond decisively to security incidents.
The Proactive Mindset
Traditional security is often reactive; it waits for an alarm to go off. Threat hunting is the proactive practice of searching through networks and datasets to detect and isolate advanced threats that evade existing security solutions. It operates under the assumption that your network is already compromised and that you must find the adversary before they achieve their objectives.
The Threat Hunting Loop
Effective threat hunting follows a structured, iterative process:
- Develop a Hypothesis: Start with an educated guess about a potential threat. This is often based on threat intelligence or knowledge of common adversary techniques (TTPs). For example: "An attacker might be using PowerShell to download and execute malicious scripts in memory."
- Investigate: Use various tools (like SIEM, EDR) to search for evidence supporting your hypothesis.
- Uncover Patterns: Analyze the data to identify malicious patterns, TTPs, or new indicators of compromise (IoCs).
- Inform & Enrich: Document your findings and feed them back into your automated security controls (e.g., create new firewall rules, SIEM alerts, or EDR watchlists).
The Pyramid of Pain
The Pyramid of Pain is a concept that helps illustrate the effectiveness of different types of indicators. The goal of a threat hunter is to operate at the top of the pyramid. Denying an adversary their TTPs is far more effective and painful for them than simply blocking a hash value or IP address.
Hunting for Living Off the Land (LOLBAS)
"Living Off the Land" is a technique where attackers use a system's own legitimate tools and processes to carry out their objectives. This makes them difficult to detect because they are not introducing new, obviously malicious files onto the system. Hunting for LOLBAS activity is a critical skill.
Example Hunt: Suspicious PowerShell Activity
Hypothesis: An attacker is using PowerShell to execute obfuscated or fileless malware.
What to look for:
- PowerShell processes with suspicious command-line arguments, such as `-enc` (encoded command), `-nop` (no profile), or `-noni` (non-interactive).
- PowerShell processes making network connections, especially to unusual IP addresses.
- PowerShell processes launched by unexpected parent processes (e.g., a Microsoft Word document spawning `powershell.exe`).
# Example SIEM Query (Splunk style) to find encoded PowerShell commands
index=wineventlog EventCode=4688 New_Process_Name="powershell.exe" (Process_Command_Line="*-enc*" OR Process_Command_Line="*-encodedcommand*")
# This query searches Windows event logs for process creation events (4688)
# where powershell.exe is launched with an encoded command flag.
Introduction to Incident Response (IR)
When a hunt uncovers a real threat, the incident response process begins. The goal of IR is to contain the damage, eradicate the threat, and recover normal operations as quickly as possible.
The IR Lifecycle (NIST Framework)
- Preparation: Having the right tools, team, and procedures in place before an incident occurs.
- Detection & Analysis: Identifying that an incident has occurred and determining its scope.
- Containment: Isolating the affected systems to prevent the threat from spreading.
- Eradication: Removing the threat from the environment.
- Recovery: Restoring affected systems to normal operation.
- Post-Incident Activity (Lessons Learned): Analyzing the incident to improve defenses and prevent recurrence.