Threat Hunting vs Incident Response: Getting Proactive Instead of Staying Reactive

Over the past few years, threat hunting has grown in popularity from an isolated practice to mainstream industry acceptance. Despite the rise in conference talks, vendor pitches selling threat hunting products and services, and excellent open source tools, there are still a lot of organizations that haven't reaped the rewards of threat hunting. SANS Institute …

Why Your Last Threat Hunt Wasn’t Successful

Threat hunting has continued to grow as a hot topic in the security community. Despite the volume of discussion, I often still see a few fundamental mistakes that lead to less than successful threat hunts. This week I will cover five mistake areas I commonly see in threat hunting programs that lead to less than …

Threat Hunting With Python Part 4: Examining Microsoft SQL Based Historian Traffic

This is the fourth part of a series I originally posted on the Dragos Blog. Working in the ICS information security space affords the opportunity to visit some cool critical infrastructure sites. From massive refineries that turn raw crude into diesel and gas to wind farms that harness the power of nature to generate electricity, it …

Threat Hunting with Python and Bro IDS Part 3: Taming SMB

This is the third part of a series I originally posted on the Dragos Blog. 2017 was a busy year for attackers. Between the WannaCry/Petya/Bad Rabbit ransomware, GOP hacks, Game of Thrones/HBO hacks, Equifax breach and the TRISIS malware that targeted industrial control safety systems in the Middle East, many new proven attack scenarios developed that …

Threat Hunting with Python Part 2: Detecting Nmap Behavior with Bro HTTP Logs

This is the second part of a series I originally posted on the Dragos Blog. Prologue: Begin the Hunt In the last edition of this series, we detected Nmap scans by looking for URI indicators associated with Nmap. This week we are going to move away from URI based indicators and focus on Nmap's behavior …

Threat Hunting Part 2: Hunting on ICS Networks

I wrote this post originally for the Dragos blog. This post is the second in a series that describes hunting, discusses best practices and explains our approach and lessons. Hunting in industrial infrastructure is important to all of us, and with focus and effort we can accomplish it. Part 1 Motivation The network architectures and operational …

Threat Hunting with Python: Prologue and Basic HTTP Hunting

Prologue: Begin the Hunt You’ve developed a solid network and host-based detection strategy. You are comfortable with the technology you purchased, and the processes you developed should you start getting alerts and need to open an investigation. You might wonder what the next step should be. The truth is no product or process is …