International Cyber Expo International Cyber Expo
  • About Us
Tuesday, 14 July, 2026
IT Security Guru
International Cyber Expo
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

Suppressing the Adversary via Threat Hunt Teams

by The Gurus
April 13, 2018
in This Week's Gurus
Share on FacebookShare on Twitter

As the Chief Cybersecurity Officer for Carbon Black, I am witnessing a brave new world in cyberspace. Global cyber insurgencies continue unabated with reports of wide-scale data breaches and politico-hacking happening quickly and often. Personal data and financial information is regularly being hijacked. The energy sector is increasingly vulnerable to risk, with the recent cyberattack on the Energy Services Group (ESG) knocking systems offline.

Here at Carbon Black we firmly believe that decreasing dwell time of these insurgencies is imperative in 2018.  In order to achieve this goal, organisations must embrace the threat hunt. The extradition of Russian elite cybercriminal Nikulin is a historic example of this. As a member of the Russian cyber-militia, he had been an influential member for close to a decade. He leveraged his expertise beyond monetary gain to show homage to the regime as a politico-hacker.

It is crucial that every organisation sets up a threat hunt team. The team must be multidisciplinary with experience in e-forensics and penetration testing. These teams must play chess while possessing deep knowledge of geopolitics (understanding the motivation for a cyberattack is paramount.)

It is also paramount to assemble a team of operators who understand that the solution to identifying an active compromise on the network requires knowledge of not only technical solutions (endpoint monitoring, passive network monitoring, memory augmentation), but also knowledge of current exploits, vulnerabilities, threat actor methodology and tactics, techniques and procedures (TTPs).

Firstly, your organisation must develop a threat profile. This will help a hunter know where to prioritise hunting (and ultimately where to start hunting). Secondly, you must apply streaming analytics to unfiltered data. This will allow hunters to sort information faster and enable tools to do the target acquisition for the team. This results in a force multiplier to your hunters. Analytics will predict future attacks via attack origin to survey the root cause of attacks. As a result, teams can anticipate and focus on the organisation’s defensive weaknesses.

As your team gels, you can then develop rapid-response protocols. Deciding when to reveal oneself is critical as counter incident response measures and destructive attacks are becoming the norm. To uphold the security of your organisation through effective threat hunting, it is important the team undertakes the following steps:

  1. Assess threat intel from IPs, domains and hashes applied to historical data.
  2. Query similar threads that are not identical matches in historical data.
  3. Anomaly detection through continuous analysis of unfiltered data from the endpoint.

A threat hunt is most effective when employing both active measures (agents deployed to endpoints) as well as passive measures (netflow, packet capture appliances). User-entity behaviour analytics must be employed as it is critical to baseline “normal” network and host behaviour in a threat hunt; contextualising normal behaviour is the most effective way of determining where an adversary might lie in wait.

A hunter must position themselves on the “high ground”, defined by greater situational awareness. Specifically, the hunter must analyse threat intel from customer IPs, domains and hashes applied to historical data. From that vantage, one must search for similar threads that are not identical matches in historical data. Successful anomaly detection requires continuous analysis of unfiltered data from the endpoint.

Step I: Go Historical. – take in tactical threat intel of domains, hashes, and IPs and be able to search the last 30 days. Hash values may have low false positive rates but they are easy for an attacker to change.  Domains and IPs may have a ton of false positives.

Stage II: Move up the pyramid of pain – change the threat-intel language to move toward TTPs (action or behaviour). Time is a critical component.

Stage III:  Moving to anomaly-based hunting – algorithmic threat hunting; this involves analysing changes in behaviour versus similarities to previously seen.

Threat hunt teams should evaluate users with higher levels of access to a network’s “crown jewels” and subsequently deploy deception grids around these users and hosts. It is important to remember, static defences without massive mobile support died with the Maginot Line. Intrusion suppression is now the name of the game. Happy threat hunting.

Tags: CybersecurityTechnology
ShareTweet
Previous Post

Nation State attacks 500% slower to evict from networks and can remain undetected for years

Next Post

Home secretary urges UK businesses to up their game against cyber crime

Recent News

Forescout Uncovers AI Assisted Phishing Campaign Using Fake eCards

Forescout Uncovers AI Assisted Phishing Campaign Using Fake eCards

July 14, 2026
Lidl Confirms Data Breach After Third-Party IT Provider Hack

Lidl Confirms Data Breach After Third-Party IT Provider Hack

July 14, 2026
Black Duck Adds AI-Powered Triage and CRA-Ready Checks to Coverity Static Analysis

Black Duck Adds AI-Powered Triage and CRA-Ready Checks to Coverity Static Analysis

July 14, 2026
AI Appreciation Day: Celebrating Progress, Embracing Responsibility

AI has crossed from assistant to operator, Check Point research warns

July 14, 2026

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2026 IT Security Guru - Website Managed by Dessol

  • About Us
Manage Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
  • Manage options
  • Manage services
  • Manage {vendor_count} vendors
  • Read more about these purposes
View preferences
  • {title}
  • {title}
  • {title}
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2026 IT Security Guru - Website Managed by Dessol