Threat hunting as a profession and security strategy has gained tremendous popularity in recent years. Due to its proactive nature, threat hunting allows companies to actively track down potential breaches and invasions. However, acquiring an in-depth knowledge of threat hunting techniques and strategies through accurate resources is indispensable to becoming a true analyst and threat hunter. The following sections provide a deep dive into threat hunting resources, including books, guides, whitepapers, surveys, video lectures, forums, and discussion boards, many of which can be an invaluable form of learning for candidates.
What Are The Most Popular Books About Threat Hunting?There is not an enormous library of books in the realm of threat hunting. However, some important books about this subject are described below:
HUNTPEDIA: Your Threat Hunting Knowledge CompendiumHUNTPEDIA is an excellent compendium published by Sqrrl―a software company that markets software programs for cybersecurity and Big Data analytics. A wonderful introduction entitled “The Origin of Hunting and Why It Matters” by Richard Beijtlich opens the book. The book is divided into two parts, seven chapters in part one, and six chapters in part two. A seasoned threat hunter and security analyst compiles each chapter. The material in this compendium includes the pyramid of pain, the diamond model, hunting with a large volume of logs, hunting for malicious DNSs, hunting anomalous behavior, using the Sqrrl tool for hunting, hunting for command and control, hunting critical processes, and leveraging machine learning. The Hunter’s Handbook: Endgame’s Guide to Adversary Hunting
This book is written by Karen Scarfone, CISSP, ISSAP, with a foreword by Jamie Butler. The introduction of this book discusses reactive and proactive security approaches. It book reminds us that the reactive approach focuses on conventional methods of protection such as applying patches, installing firewalls and antivirus programs, and deploying IDS and IPS. However, the book’s emphasis is more on the proactive approach that involves the use of threat hunting to detect, prevent, and even find adversaries and purge them from your IT environment as quickly as possible. The book consists of six chapters:
Chapter 1―The Power of Hunting:This chapter elaborates on the basic concepts of threat hunting including advanced threats, weakening defenses, and the benefits of threat hunting.
Chapter 2―The Hunt Process:This chapter discusses hunt cycle overview, survey phase, secure phase, detect phase, and response phase.
Chapter 3―The Challenges of Hunting:In this chapter, you will learn how to expedite the hunt, how to enable automated analysis, and how to conceal the hunt from adversaries.
Chapter 4―Hunt Readiness:With this chapter, you will learn the hands-on details of hunting.
Chapter 5―The Hunt Experience:This chapter involves hunt scenarios, hunt preparation, and the start of a hunt investigation. Once the investigation is completed, adversaries are removed and the report is prepared.
Chapter 6―Hunt Technology Selection:This chapter emphasizes the importance of practical considerations for automated hunting solutions.
This book is beneficial for those who have the responsibility of securing and monitoring critical systems and network traffic, detecting attacks, and responding to compromises.
Threat Hunting for Dummies: Carbon Black editionThreat Hunting for Dummies: Carbon Black Edition is written by Peter H. Gregory and published by John Wiley & Sons, Inc. It defines threat hunting and related roles that play part in protecting your organization’s IT environment. This is especially for those organizations who haven’t already started their threat hunting program and are looking for guidance on where to start. Reading this book, you will learn what threat hunting is and how to start a threat hunting program. Though specific tools and technology are essential for threat hunting, a successful program also requires motivated and trained personnel. The book consists of five chapters:
Chapter 1― Understanding Threat Hunting
Chapter 2― Preparing to Hunt
Chapter 3― The Hunt
Chapter 4― Becoming a Master Hunter
Chapter 5― Ten Tips for Effective Threat Hunting
What are Some of the Best Guides for Threat Hunting?The following section includes some useful guides to get you up to speed about threat hunting.
Hunt Evil: Your Practical Guide to Threat HuntingHunt Evil: Your Practical Guide to Threat Hunting, published by Sqrrl. This guide includes checklists, scorecard, and examples. The first section of the guide takes a deep dive into setting up your threat hunting program; the second part discusses threat hunting in practice. The last chapter of this guide incorporates parting advice from professional threat hunters.
Stopping Cyber Threats: Your Field Guide to Threat HuntingStopping Cyber Threats: Your Field Guide to Threat Hunting is published by Digital Guardian. This guide is extremely helpful for threat hunters, security analysts, Information Security Managers (ISMs), and Chief Information Security Officers (CISO). The security team in your organization should regularly and proactively hunt for cyber-threats to stay on the top of the ever-evolving cyber-threat landscape. Using this guide, you will be able to learn how to prevent advanced persistent threats and avert potential damage to your enterprise. You can use this guide if you are new to threat hunting, unsure where to begin, familiar with hunting but unsure about its implementation, striving for how to make a business case for threat hunting, or worried about how to manage and implement threat hunting with limited resources.
The Sage Advice Guide to Cyber Threat HuntingAdversaries are extremely adept at penetrating your corporate network. Organizations remain oblivious compromises for months and sometimes even years. This guide suggests that for security analysts and threat hunters, the pursuit of adversaries must be more than waiting for alerts with a traditional security program. The guide is divided into nine parts:
Part 1― Types of Adversaries
Part 2― Anatomy of a Cyber-attack
Part 3― Common Attack Vectors
Part 4― Types of Malware
Part 5― Common Delivery Channels
Part 6― Hunting Tools
Part 7― Indicators of Compromise (IOC)
Part 8― Benefits of Threat Hunting
Part 9― Threat Hunters for Hire
What Are The Best Surveys and Whitepapers About Threat Hunting?A great deal of research has been done in the realm of threat hunting. Below are some popular survey and whitepapers about this essential subject.
The Hunter Strikes Back: The SANS 2017 Threat Hunting SurveyThis survey is written by Robert M. Lee and Rob Lee and issued by the SANS Institute Reading Room site. The key findings of this survey are listed below.
Around 45% of respondents claimed that they had a threat hunting plan on an ad hoc 50% of respondents said their threat hunting capabilities generated automated alerts and performed automated pattern matching. 77% of organizations considered endpoint security data essential for their threat hunting data feeds. 60% of respondents said they achieved significant improvement in security through the use of a threat hunting campaign. 90% of respondents discovered that they felt an improvement in accuracy and speed of response due to threat hunting. Who, What, Where, When, Why and How of Effective Threat HuntingThis is a SANS Whitepaper written by Robert M. Lee and Rob Lee. The purpose of this whitepaper is to explain what threat hunting is, what it’s not, why threat hunting is needed, when it is appropriate, how to start it, and what roles are required for threat hunting.
Scalable Methods for Conducting Cyber Threat Hunt OperationsThis whitepaper is also published by SANS Institute Reading Room site. In this paper, the writer believes that organizations cannot ensure 100% security in the face of notorious cyber-threats. To prevent threats with maximum results, organizations are advised to practice an in-depth defense so that if any security measure fails, another one should mitigate exposure and reduce the impact. In this paper, you will learn some scalable methods and practices that are required to plan and perform threat-hunting operations throughout the organizations. Below are some steps to Cyber Threat-Hunting Methodology:
Create a hypothesis Investigate the hypothesis through tools and techniques Uncover new patterns and TTPs Enrich and inform analytics A Framework for Cyber Threat HuntingThis whitepaper is published by Sqrrl. In it, you will learn what threat hunting is, what a hunting maturity model is, the hunting loop, and the hunting matrix. The hunting maturity model includes steps, automation, and usage. The hunting loop involves hypothesis creation, a tool for investigation, pattern and TPP detection, and automated analytics.
What are the Best Online Forums, Discussion Boards, and Lectures/Tutorials?Threat Hunting Academy: Threat Hunting Academy is an online video lectures platform that involves numerous professionals and seasoned security analysts and threat hunters who deliver lectures on every manner of threat hunting. You can visit at https://threathunting.org/ to access the virtual threat hunting academy.
GitHub: GitHub is home to over 25 million developers who are working together to review code, build software, and manage projects together. The platform offers a threat hunting discussion forum for threat hunters. Here is the link to the page: https://github.com/ThreatHuntingProject/ThreatHunting
YouTube Lectures: As you might expect, YouTube offers several channels for threat hunting with a wide range of lectures, some of them quite in-depth. Below are some links where you can find invaluable lectures about threat hunting:
https://www.youtube.com/watch?v=MUUseTJp3jM
https://www.youtube.com/watch?v=pDY639JsT7I
https://www.youtube.com/watch?v=FEb8KZoEyzI
https://www.youtube.com/watch?v=58lS_pEElt8
Security Awareness
Threat Hunting Forums and Discussion Boards: Threat hunting forums and discussion boards can help you to find an expert opinion and prevailing problems regarding the threat hunting. In addition to GitHub, there are some more important forums and discussion boards about threat hunting. Below are the links to some of these forums and discussion boards:
http://www.techexams.net/forums/security-certifications/130245-elearn-threat-hunting.html
https://isc.sans.edu/forums/diary/Are+you+a+Hunter/20045/
https://www.alienvault.com/forums/discussion/17409/otx-threat-hunter-endpoints
https://community.spiceworks.com/topic/2003311-proactive-threat-hunting-what-s-everyone-using
https://hardforum.com/threads/kaspersky-lab-open-sources-its-threat-hunting-tool.1957408/
ConclusionAcquiring knowledge about threat hunting is vital for candidates and cybersecurity professionals. Numerous reports and surveys have noted, time and time again, that 100% total information security is out of the question for organizations. Therefore, integration of threat hunting capabilities with traditional security solutions are required to defeat cyber-attacks and enhance the cybersecurity posture of organizations. However, the candidates must be mindful of the appropriate and authentic threat hunting resources to acquire maximum information about this crucial subject. In this article, you have hopefully gained a starting point to research your preferred method of study of threat hunting, and the best resources to help you achieve that goal. Good luck!
Be Safe