One Article Review

Home - Article:
Source taosecurity
Identifier 914308
Publication date 2018-11-23 12:36:47 (viewed: 2018-11-23 19:02:35)
Title More on Threat Hunting
Text Earlier this week hellor00t asked via Twitter:

Where would you place your security researchers/hunt team?

I replied:

For me, "hunt" is just a form of detection. I don't see the need to build a "hunt" team. IR teams detect intruders using two major modes: matching and hunting. Junior people spend more time matching. Senior people spend more time hunting. Both can and should do both functions.

This inspired Rob Lee to blog a response, from which I extract his core argument:

[Hunting] really isn't, to me, about detecting threats... Hunting is a hypothesis-led approach to testing your environment for threats. The purpose, to me, is not in finding threats but in determining what gaps you have in your ability to detect and respond to them... In short, hunting, to me, is a way to assess your security (people, process, and technology) against threats while extending your automation footprint to better be prepared in the future. Or simply stated, it's incident response without the incident that's done with a purpose and contributes something.

As background for my answer, I recommend my March 2017 post The Origin of Threat Hunting, which cites my article "Become a Hunter," published in the July-August 2011 issue of Information Security Magazine. I wrote it in the spring of 2011, when I was director of incident response for GE-CIRT.

For the term "hunting," I give credit to briefers from the Air Force and NSA who, in the mid-2000s, briefed "hunter-killer" missions to the Red Team/Blue Team Symposium at the Johns Hopkins University Applied Physics Lab in Laurel, MD.

As a comment to that post, Tony Sager, who ran NSA VAO at the time I was briefed at ReBl, described hunting thus:

[Hunting] was an active and sustained search for Attackers... For us, "Hunt" meant a very planned and sustained search, taking advantage of the existing infrastructure of Red/Blue Teams and COMSEC Monitoring, as well as intelligence information to guide the search.

For the practice of hunting, as I experienced it, I give credit to our GE-CIRT incident handlers -- David Bianco, Ken Bradley, Tim Crothers, Tyler Hudak, Bamm Visscher, and Aaron Wade -- who took junior analysts on "hunting trips," starting in 2008-2009.

It is very clear, to me, that hunting has always been associated with detecting an adversary, not "determining what gaps you have in your ability to detect and respond to them," as characterized by Rob.

For me, Rob is describing the job of an enterprise visibility architect, which I described in a 2007 post:

[W]e are stuck with numerous platforms, operating systems, applications, and data (POAD) for which we have zero visibility. I suggest that enterprises consider hiring or assigning a new role -- Enterprise Visibility Architect. The role of the EVA is to identify visibility deficiencies in existing and future POAD and
Sent Yes
Tags Threat


The article does not appear to have been picked up after its publication.


The article does not appear to pick up on an earlier one.