From the course: Cybersecurity Foundations

Hunting for threats

- [Instructor] SOC analysts don't have to just wait for an attack to be detected. They can be proactive and hunt for any threats that might have got into the system undetected. Threat hunting involves either looking for the threat agent itself or detecting traces of activity related to the threat agent. For example, finding a file of user credit cards in a temporary shared folder or finding an account which shouldn't exist are both evidence that there may have been an attack. A comprehensive set of threat characteristics, what are known as indicators of compromise, are necessary to enable the threat hunter to search for known threats. We can also use advanced analytics and big datasets to look for traces of threat activity in logs. This is how we might find beaconing, the regular connections malware sends out to its command and control system. The threat hunting process is a continuous process of looking around for a trigger to provide the context for a specific investigation, the investigation itself, and then resolution through taking action to mitigate the threat that has been found. Idaho Labs, in conjunction with the Department of Homeland Security, has released an excellent tool for threat hunting called Malcolm. This tool can be used in real time to monitor an attack as it happens, or more usually, as a way of analyzing a packet capture file to hunt for signs of an attack. We can view a dashboard, or we can view the packet capture, either as packets using the Malcolm component called Arkime, or at the session level using the Malcolm component called Zeek. You can find out more about how to install and run Malcolm in my Kali Purple course.
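The instructor mentions hunting for beaconing by analysing connection logs. The following is an added example, not code from the course or from the Malcolm project: it groups outbound connections by source, destination and port, measures how regular the gaps between connections are, and flags groups whose timing is periodic enough to look like a scheduled check-in. The log format and the sample lines are constructed for this example (they imitate the shape of a session-level conn log but are not real data); the thresholds `min_intervals` and `max_cv` are assumptions a hunter would tune for their own environment.

```python
"""Beaconing detection over connection-log lines.

Added example (not from the course or from Malcolm): for each
(source, destination, port) group, compute the inter-arrival intervals
and flag the group when there are enough intervals and they are highly
regular. Regularity is the coefficient of variation (std / mean): human
browsing is bursty, while malware check-ins tend to be evenly spaced.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log, one connection per line:
# "<epoch_ts> <src_ip> <dst_ip> <dst_port>"
# 10.0.0.5 connects every ~300 s (periodic), 10.0.0.7 is bursty,
# 10.0.0.9 has too few connections to judge.
SAMPLE_LOG = """\
1700000000 10.0.0.5 203.0.113.10 443
1700000300 10.0.0.5 203.0.113.10 443
1700000600 10.0.0.5 203.0.113.10 443
1700000901 10.0.0.5 203.0.113.10 443
1700001200 10.0.0.5 203.0.113.10 443
1700001499 10.0.0.5 203.0.113.10 443
1700000012 10.0.0.7 198.51.100.20 80
1700000020 10.0.0.7 198.51.100.20 80
1700000410 10.0.0.7 198.51.100.20 80
1700000415 10.0.0.7 198.51.100.20 80
1700002200 10.0.0.7 198.51.100.20 80
1700002205 10.0.0.7 198.51.100.20 80
1700000050 10.0.0.9 192.0.2.30 22
1700000110 10.0.0.9 192.0.2.30 22
"""


def parse_log(text):
    """Parse log lines into {(src, dst, port): [timestamps]}, skipping malformed lines."""
    flows = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = float(parts[0])
            port = int(parts[3])
        except ValueError:
            continue
        flows[(parts[1], parts[2], port)].append(ts)
    return flows


def interval_stats(timestamps):
    """Return (interval_count, mean_interval, coefficient_of_variation).

    With fewer than two intervals the CV is undefined, so it is reported
    as infinity and the group can never be flagged.
    """
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return len(gaps), (gaps[0] if gaps else 0.0), float("inf")
    m = mean(gaps)
    cv = pstdev(gaps) / m if m > 0 else float("inf")
    return len(gaps), m, cv


def find_beacons(text, min_intervals=4, max_cv=0.1):
    """Flag groups with at least min_intervals gaps whose CV is at most max_cv.

    The thresholds are assumed starting points; tune them per environment.
    Returns a list of dicts describing each candidate beacon.
    """
    hits = []
    for key, stamps in parse_log(text).items():
        n, m, cv = interval_stats(stamps)
        if n >= min_intervals and cv <= max_cv:
            hits.append({
                "flow": key,
                "intervals": n,
                "period_s": round(m, 1),
                "cv": round(cv, 4),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        src, dst, port = hit["flow"]
        print(f"candidate beacon: {src} -> {dst}:{port} "
              f"every ~{hit['period_s']} s over {hit['intervals']} intervals "
              f"(cv={hit['cv']})")
```

On the constructed sample only the 10.0.0.5 flow is reported, with a period of about 300 seconds. A low coefficient of variation is a trigger for investigation rather than proof of compromise: software update checks and monitoring agents are also periodic, so the next step is to confirm what the destination is and whether the traffic is expected. Real malware often adds jitter to its check-ins, which is why `max_cv` is a tunable rather than a demand for perfect regularity.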
