Mastering Threat Hunting
Dive into the world of threat hunting, exploring the key differences between indicator-based and behavior-based approaches.
Watch this Tech Talk recap to learn:
- Approaches to Threat Detection and Threat Hunting
- How to identify potentially malicious activity in your own logs that you may have otherwise missed
- How to mature your SOC practices
Understanding Indicator and Behavior based Threat Hunting:
Indicator Based:
- Easier
- Can be run off any log containing indicators
- Relies heavily on external threat intelligence:
TI collects the IOC's and associates them to relevant threat actors, campaigns, malware families, etc..
Behavior Based:
- Harder
- Generally relies on OS or cloud specific logs
- Relies heavily on external threat intelligence:
TI analyzes threat and malware behavior and produces hunt packages (Sigma, Yara, Snort, etc....)
Most organizations need to use thread intelligence to empower their tools and the people that doing the cyber thread operations
Open source platform agnostic threat hunting package format.
- There is NO official Sigma to Splunk decoder
- Note that it requires adjustment and tuning
- Allows organizations that may have different underlying log management and SIM providers to work together and build hunting packages that can be worked across the tooling
The world's largest cyber threat intelligence organization now due to the way it collects data.
Takes a unified approach to deliver unbiased, comprehensive, and real-time threat intelligence.
Within Splunk Recorded Future has multiple integrations:
- Splunk Enterprise
- Enterprise Security
- Splunk SOAR
- Splunk Threat Intelligence Management
Demo:
If you are interested in watching the full recording, click here.
