Chapter 3. A Hunting Process

In this chapter, I will discuss the process of hunting. This is an iterative process, similar to engineering or scientific research but bounded by the needs of security and business operations. These constraints mean that the threat hunter needs to keep in mind that their time is limited and that their output should focus on what they, as a hunter, are best at—finding out why something weird is happening. At the conclusion of this chapter, you should have a clear understanding of how to prepare for a hunt, execute it, end it, and transfer the results. To that end, I structure the chapter around six phases: long-term preparation for hunts, triggers for a hunt, starting the hunt, the hunt itself, ending the hunt, and export after the hunt. The hunting model in this chapter is not set in stone; expect to modify it based on your personnel and organizational needs.

Long-Term Preparation

Hunting requires that the hunters have situational awareness about their network, including assets, traffic, and data, achieved through a quality inventory. Before the hunt, and to build up for the hunt, long-term preparation is necessary. Some basic guidance:

  • Asset inventory is a basic requirement; you should be aware of how many assets are connected to your network, the churn of the assets (that is, how much the total count of visible assets changes over time and how individual assets change), as well as events that cause a large change in the asset profile. If you ...
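Inventory churn tracking of the kind this bullet describes, as an added example that is not from the book: it compares constructed daily inventory snapshots (keyed by a constructed MAC-like identifier), counts assets added, removed and changed between consecutive days, and flags a day whose churn rate exceeds an assumed threshold so the hunter can explain the jump before relying on the inventory.

```python
from dataclasses import dataclass

# Constructed daily inventory snapshots: asset key -> observed attributes.
# The key (a MAC-like value here) should be the most stable identifier you have.
SNAPSHOTS = {
    "day-1": {
        "aa:01": {"ip": "10.0.0.10", "host": "ws-01"},
        "aa:02": {"ip": "10.0.0.20", "host": "db-01"},
        "aa:03": {"ip": "10.0.0.21", "host": "web-01"},
    },
    "day-2": {  # one DHCP renumbering, nothing else: routine churn
        "aa:01": {"ip": "10.0.0.12", "host": "ws-01"},
        "aa:02": {"ip": "10.0.0.20", "host": "db-01"},
        "aa:03": {"ip": "10.0.0.21", "host": "web-01"},
    },
    "day-3": {  # one asset gone, two new ones: a large change in the asset profile
        "aa:02": {"ip": "10.0.0.20", "host": "db-01"},
        "aa:03": {"ip": "10.0.0.21", "host": "web-01"},
        "aa:04": {"ip": "10.0.0.30", "host": "lab-01"},
        "aa:05": {"ip": "10.0.0.31", "host": "lab-02"},
    },
}

@dataclass(frozen=True)
class Churn:
    day: str
    total: int            # assets visible in this snapshot
    added: frozenset      # keys not seen in the previous snapshot
    removed: frozenset    # keys from the previous snapshot no longer seen
    changed: frozenset    # keys present in both whose attributes differ

    def rate(self, baseline: int) -> float:
        # Churn events per asset in the previous snapshot.
        return (len(self.added) + len(self.removed) + len(self.changed)) / max(baseline, 1)

def diff_snapshots(day: str, prev: dict, curr: dict) -> Churn:
    """Compare consecutive snapshots: what appeared, disappeared, or changed."""
    added = frozenset(curr) - frozenset(prev)
    removed = frozenset(prev) - frozenset(curr)
    changed = frozenset(k for k in curr.keys() & prev.keys() if curr[k] != prev[k])
    return Churn(day, len(curr), added, removed, changed)

def churn_report(snapshots: dict, threshold: float = 0.5) -> list:
    """Per day, (Churn, flagged): flagged when churn rate exceeds the assumed threshold."""
    days = list(snapshots)  # insertion order is chronological order here
    report = []
    for prev_day, day in zip(days, days[1:]):
        churn = diff_snapshots(day, snapshots[prev_day], snapshots[day])
        report.append((churn, churn.rate(len(snapshots[prev_day])) > threshold))
    return report
```

The 0.5 threshold is a placeholder; in practice it is tuned from the churn you observe during normal operations, and a flagged day (a lab rollout, a subnet migration, a scanner outage) is something to document rather than treat as a finding by itself.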
