So, you want to threat hunt? Proactive missions to identify malicious activity that is hidden from plain sight, and from traditional detection tools and methods, are an obvious practice to undertake, if not a mandatory one.
While the threats that may be lurking undetected in your environment likely make up only a small proportion of your overall attack surface, they are potentially the most damaging because they are unknown, ongoing and unremediated, and are likely being waged by skilled adversaries.
In Part 1 of our “Fastest Two Minutes in SecOps” on threat hunting, Google Cloud Principal Strategist John Stoner laid the groundwork for why threat hunting has become such a sought-after discipline for organizations wanting to be more proactive in their self-defense.
In this next round, he gets down to brass tacks with a quick-hit rundown of how you should approach a hunt (there are three common methods), how to be focused with your hunt strategy, why you should follow the scientific method for every hunt, and the one day of the week on which you may want to avoid starting a hunt.
After you’re done watching below, check out the newly launched Mandiant Breach Analytics for Chronicle, which can be a key tool in your hunting efforts: it continuously monitors events in Chronicle SIEM for current, relevant indicators of compromise (IOCs) and applies contextual information and machine learning to prioritize the matches.