An Overview to Threat Hunting: 7 Common Hunts to Get Started

In the world of cybersecurity, you don’t just “go threat hunting.” You need a target in mind, you need to look in the right places, and you need the right tools at your disposal.

In this free training session, you’ll gain an understanding of the minimum toolset and data required to successfully threat hunt.

While you may wish you could devote more time to threat hunting, you likely have limited time and resources for this activity. The good news is that threat hunting is flexible and any time you commit to it will be helpful — ranging from a few hours a week to full-time.

One example of threat hunting is to look for unrecognized or suspicious executables running on your network. This type of hunt is a good way to dip your toes in the water, since you can accomplish it with a limited commitment of time and resources.

You can also plunge in with a major data collection and analysis effort, but the simplest starting point is to focus on EXE names: baseline the EXE names that execute on your network, then review each day the EXE names that appear for the first time. Windows Security event ID 4688 (process creation, which is only logged once the Audit Process Creation policy is enabled) gives you this information, and the queries it needs are light. Yet you’ll be surprised what you can learn and catch with such a hunt.

On the other hand, you can go deeper than EXE names, which an attacker can trivially spoof by renaming a binary, and instead base your analysis on the hashes of the EXEs and DLLs executing on your network. This requires deploying Sysmon to your endpoints (its process-creation and image-load events record file hashes) and a significantly higher level of query and baselining sophistication, and it benefits from integration with threat intelligence sources so that a first-seen hash can be checked against known-bad indicators.
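The two hunts described above, name-based over 4688 data and hash-based over Sysmon data, as an added example that is not code from the webinar, LogRhythm, or Ultimate Windows Security. Every record, date and hash in the block is constructed for illustration (the hashes are placeholders, not real file hashes); it assumes the events have already been collected and reduced to date, image path and SHA256, with the hash column being what Sysmon event ID 1 adds on top of a plain 4688 event.

```python
# Added example (not code from the webinar, LogRhythm, or Ultimate Windows
# Security): a first-seen hunt over constructed process-creation records.
# Every path, date and hash below is made up for illustration.
import ntpath

# Constructed records: (date, image path, SHA256).  A 4688 event only gives you
# the date and NewProcessName; the hash column is what Sysmon event ID 1 adds.
# Hash values are placeholders, not real file hashes.
EVENTS = [
    ("2024-03-01", r"C:\Windows\System32\svchost.exe",               "A1" * 32),
    ("2024-03-01", r"C:\Windows\explorer.exe",                       "B2" * 32),
    ("2024-03-02", r"C:\Windows\System32\svchost.exe",               "A1" * 32),
    ("2024-03-02", r"C:\Program Files\Git\cmd\git.exe",              "C3" * 32),
    ("2024-03-03", r"C:\Windows\System32\svchost.exe",               "A1" * 32),
    # Unknown binary dropped under a trusted name: the name is in the baseline,
    # the hash is not.
    ("2024-03-03", r"C:\Users\alice\AppData\Local\Temp\svchost.exe", "D4" * 32),
    # Known binary (git.exe) copied and renamed: the name is new, the hash is not.
    ("2024-03-03", r"C:\Users\alice\Downloads\updater.exe",          "C3" * 32),
]

# Constructed stand-in for a threat-intel feed of known-bad SHA256 values.
KNOWN_BAD_SHA256 = {"D4" * 32}


def exe_name(path):
    """Case-insensitive file name, the only key a 4688-based hunt works with."""
    return ntpath.basename(path).lower()


def first_seen_names(events, hunt_day):
    """EXE names executed on hunt_day that never ran on any earlier day."""
    baseline = {exe_name(p) for d, p, _ in events if d < hunt_day}
    today = {exe_name(p) for d, p, _ in events if d == hunt_day}
    return sorted(today - baseline)


def first_seen_hashes(events, hunt_day, intel=KNOWN_BAD_SHA256):
    """(verdict, path, sha256) for binaries whose hash was never seen before hunt_day.

    The verdict is 'known-bad' when the hash matches the intel set, otherwise
    'first-seen' (still worth a look, but not an automatic alarm).
    """
    baseline = {h for d, _, h in events if d < hunt_day}
    new_today = sorted({(p, h) for d, p, h in events
                        if d == hunt_day and h not in baseline})
    return [("known-bad" if h in intel else "first-seen", p, h) for p, h in new_today]


if __name__ == "__main__":
    day = "2024-03-03"
    print("name-based hunt:", first_seen_names(EVENTS, day))
    for finding in first_seen_hashes(EVENTS, day):
        print("hash-based hunt:", finding)
```

Run against the constructed data, the name-based hunt flags only `updater.exe` (a benign rename of a known binary) and is silent on the `svchost.exe` planted in the user’s Temp folder, because that name is in the baseline. The hash-based hunt inverts the result: the renamed git.exe is a known hash and produces nothing, while the Temp `svchost.exe` surfaces as a first-seen hash and, with the intel match, as known-bad. In a real deployment the records would come from the Security and Sysmon logs via `Get-WinEvent` or your SIEM, and the baseline window would be weeks rather than two days.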

In this on-demand webinar, Nathaniel Quist (“Q”), threat research engineer at LogRhythm, teams up with Randy Franklin Smith, security expert at Ultimate Windows Security, to discuss ways you can scale your effort based on your available resources. The duo will also discuss seven different real-world examples of threat hunting, including:

  1. Recognizing suspicious software
  2. Scripting abuse
  3. AV follow-up
  4. Lateral movement
  5. Persistence
  6. DNS abuse
  7. Bait-the-bad-guy

Most of these threat hunts target specific actions that are telltale signs an attacker has breached your environment.

During the webinar, Quist will also cover threats facing today’s cybersecurity industry. He will briefly show you how the LogRhythm NextGen SIEM Platform, which utilizes easily configurable and even out-of-the-box content, automates the threat hunting process. Quist’s presentation also highlights the value of effectively parsed data, how to find abnormalities — not just alarms — and how LogRhythm seamlessly integrates with other tools that are critical for threat hunting.

Watch the on-demand webinar now and start implementing threat hunting in your environment.