
So, kinda, so we're gonna cover a little bit about us. We'll cover the problem that we saw, and then we'll establish some basics for our solution to that problem, some of the reports you can get out of it, and then hopefully you feel like you can do this too. A little bit about myself: I'm the leader of the customer success team at Gigamon Insight. We were formerly ICEBRG; if you don't know that, we're a network security monitoring platform, and we just got acquired in July. I'm really big into processing data. I feel like that's the common thing over my career: the ability to understand a problem, break it apart into pieces, explain it back to the person who told me the problem, develop an objective hypothesis about that, see if they agree, and then provide them a solution. If you kind of notice, I've done that here. I know that I'm between you and beer right now, because we're right about four, so I've given you a little progress bar, just to give you an example of that. I'm... I was a former Air Force linguist, I have an MBA, which I found out yesterday is kind of a four-letter word here, and then I got some security certs to
person throughout the talk who can tie this into, like, the Food Network and cooking and recipes and all this fun stuff, but Justin... so I just apologize. So the important point I think to bring up right here is that Justin is an expert on process. I do respect what he brings to the table; he's really good at what he does. Sort of my role here, as I see it, is I'm kind of like... I'm giving Justin some street cred, along with him, so this process guy
these are some things I've done in the past. Favorite conference, I recognized, and my...
which now becomes sort of infamous for me: it's the talk he gave five years ago on something called the Fed for wall. If you're not familiar with that, just go to YouTube and look up that first wall; amazing talk, which I still watch sometimes. Through my mental... this actually happened in my life: at DerbyCon a couple weeks ago, people still come up, like, "hey, you're the wall guy." Yes. My current computing interest is analytics tooling; this is relevant here because the whole animal excited thing, like, I like to take things and make them better, so it ties in well with what Justin's trying to do here with getting a process around hunting, and
finally, if we have any basketball fans here: basketball's one of my favorite things, so I love to talk about basketball. I'm from Greater Boston, so I love Brad Stevens; he is a tactical wizard, and that's how I like to think of myself, as a tactical wizard. Justin's on this guy.
Okay, so a little disclaimer here first: this is not a talk on how to, or why you should, conduct threat hunting. Smarter people have done that already. What we're doing here is talking about the process of capturing and reporting and measuring the value of your threat hunting operations. It was kind of a pain point that we observed in a lot of our customer and partner environments.
do what he does. I want to give you a... so what I'm gonna start with is: there's no defined industry standard right now for what threat hunting is. It kinda means different things to different people.
Some people will refer to threat hunting as retrospective detection, or kind of like the manual... going through, hunting for data, trying to manually search things and answer questions. Threat hunting is human-directed, so it's different than, you know, your classic alert-driven detection stuff; there has to be human interaction involved, to both pose questions, answer questions, and pivot. Oops. It's like I just said: it begins with a question. Hopefully it's an interesting question, because I find that it's typically more fun to hunt for something that's interesting to answer, but it doesn't have to be interesting either. Then another key thing, like I said, is being able to pivot, or being able to go down deeper and deeper into additional rabbit holes as you're looking for data on a network. And finally, for general hunting context, a key thing to me is just this idea of iteration. Threat hunting is very much a rinse-and-repeat kind of process. It's never really done, it's never truly finished; it's something where you're going to ask a question, try and answer it, it leads to more questions, rinse and repeat. So what I'll say here is, even though there's no standard definition, this is what our favorite definition is, and this comes from the folks at Sqrrl. It's important in terms of level-setting, so I'm going to read this verbatim: threat hunting is the human-driven, proactive and iterative search through networks, endpoints, or data sets in order to detect malicious, suspicious, or risky activities that have evaded detection by existing automated tools.
So let's get into the problem that we saw. I'm curious, who has a threat hunting program right now? How many people are thinking of introducing a threat hunting program? I'm very curious if you've seen this. So we found that there was tons of great content on hunting, right? Everything from why you should conduct threat hunting; I think this is probably covered the most. There's a bunch of examples on how, right, everything from the specifics on how you should form a hypothesis, in the process there that you can download; there's a bunch of examples on GitHub of previous hypotheses that people have developed; there's even data quality measurements that people will suggest, how you should measure those; and then there's webinars, right, every vendor's like "practical threat hunting in X tool," and those, while I joke a ton, they are useful, right? They give you an idea; maybe you don't use that tool, but you kind of extrapolate it and apply it to your program. So you can start getting this idea, right: we could do this. So the excitement builds. We've got our best people on this, I've got a tool set, I've got logs, I can start doing this. I read this thing on hypothesis, I went to a class for four days, and, you know, I focus really hard on hypothesis. Let's do this, let's find evil. So we're going hunting and we're getting excited about it, and, you know, a lot of our customers were really excited about this, and I heard this in the industry. And then the questions start building, right? How are you gonna measure success? It was funny, because we'd ask that question and people kind of pulled back. Does your management understand what your goals are, and do they agree? When you talk about metrics, how are you actually gonna collect those? Like, is somebody gonna put that into Excel? Who specifically is that, your hunter
that's doing that while he does it? Who's your long-term manager of this? How are you going to make sure that this kind of achieves the outcomes that you've set out? Yeah, whatever, right? You know where this is going, right? We're hunting evil, let's do this. So this is a typical hunting program, and like all hunting programs: catch them, we're done. Those with hunting programs, how many times does this happen, right? This is immediately, every time: yeah, no, you don't find evil, you find stupid. You find all this stuff, right? And let me make sure I'm clear that there is value here. We know that this is valuable, right? You remember our definition: it's not just about malicious or evil, it's about suspicious and risky, right? These are all those things, and yeah, okay, you'll find some evil here or there. If you haven't found evil, though, this is what happens, right? Your management's like, okay, well, what are you doing? Right? We get things like: did you catch them yet? Our lead analyst is dedicated to this; what are they doing? Since they don't seem busy, can you have them do this? And we saw this a lot, actually. This was pretty depressing: we'd see lead, Tier 3, seasoned practitioners who'd be tasked with, well, can you have them approve non-approved software installs? And it's because nobody was proactively reporting on the outcomes that they were discovering, and so "is this really adding value?" is a question that they were asking. So can you blame them? When I say "them," I mean management. Maybe I'll say that it might seem... when we start out projects, most of the time, hopefully, we set out a set of objectives that we can communicate out, right? I have a manager; I've got to establish what we're doing on a day-to-day basis and then kind of report on how we're doing that. Hopefully your managers are doing that too, or at least you're thinking about this. But it's a team effort, right? When we say we're going to establish an outcome, or we're going to collect metrics, I challenge my team to say, okay, well, how are you gonna do that? Without that, if I set out a project with my team and they say we're gonna go hunting, we're going to find evil, and they don't challenge me on this, and we don't send out what we're actually going to do, I'd go with the last thing that I remember, right? Well, threat hunting is gonna find evil; that's the most eye-catching thing, so this is the target, right? And if you don't catch evil, you're not really doing what you said you were going to do. But we knew that hunting is more than just catching evil, right? There's value in all that stupid stuff that we found, so we have to proactively make our target here, right? We have to plan for and collect those other metrics that are not just APT. Okay, yeah.
So, Justin's previous slide: can I blame management? As a practitioner, oh hell yes. But what I need to do here, again, if we're gonna turn Justin loose with his process and sweet pivot tables or whatever he has, we have to level-set. So again, this is not going to be like an in-the-weeds sort of "this is how you hunt"; that's not what this is. I'm just trying to set the stage so we have some shared
terminology that we can use to try and effectively communicate what we're going for with the process here. So the 10,000-foot view of what I'm going to talk about here for a couple minutes is three phases. I'm gonna talk about the hunting hypothesis, and very simply, that's where we're gonna define the question. I'm gonna talk about hunting activity; that's the fun part, that's where we're out trying to find stuff. And finally we're going to talk about the outcome, and the outcome is often overlooked, because like Justin said, we're not just looking for evil, we're looking for stupid. It all has value, and those are things we hope to find in that outcome. Okay, so for the hunting hypothesis, there's a really great quote that I'll start with. This is where the bulk of the work in this development is going to happen, okay? It's at the front end, in the hunting hypothesis. And the quote that I'll use is from Abraham Lincoln, and I know some of you have certainly heard this before; I don't want to butcher this, but it goes something like: if you give me six hours to chop down a tree, I'll use the first four to sharpen my axe. Okay, and that really applies to this phase of the hunt. So when I say three-plus days, we're talking about, say, we're going to dedicate a week to a specific hunt; the bulk of that time is going to be in this phase of it. It's going to be in developing this hunting hypothesis. The way we develop that is we start with the MITRE ATT&CK framework, and what's great about that is that we have our TTPs laid out here. We have our tactics in blue across the top there in that matrix; those are going to be things like credential access, discovery, initial access, things like that. Techniques, those are going to be in the columns underneath the tactics. So initial access is the... the tactic, in the top left, and the techniques are what's underneath it. We're gonna zoom in here on the technique of drive-by compromise, because that's going to have specific procedures that apply to it. In this case we've got things like: a legitimate website is compromised, where adversaries have injected some form of malicious code; it might be some sort of malicious ad network; different things like that. Those are different questions that we can kind of answer, that we can tie to our hunting hypothesis. This is what's going to drive that process for us.
SpecterOps is a company that we partner with quite a bit, and what we've essentially done here is stolen some of their work, because it's easy and because it's simple and it explains what we do. So they have a five-step process for developing the hunting hypothesis. We just talked about sort of tactic, technique and procedure; that was the previous slide. But the next part of developing the hypothesis is being able to collect requirements. So that means sitting down and thinking about, okay, if I want to answer a question like, say, my hypothesis is something like "I believe that an intruder is using RDP to move laterally in my network," okay, that might be a hypothesis. It's something that we can test, so we can get that from the TTPs, but now we need to collect requirements to be able to answer that question. So what are we going to need? Well, maybe we can use some Bro conn logs to try to answer that; maybe we have Bro RDP logs. But we want to sit down, it's sort of like a brainstorm session: what is available to me that can prove or disprove my hypothesis? The next thing we have to examine is the scope, right? We need to set some boundaries and limitations around what we're doing. So scope might be: I want to look back the last week, the last month, the last year; we have to set some parameters. Maybe we only care about a certain set of subnets, right? But it's important to document all this. Excluded factors, what that's going to be: if we go back to my RDP example, that's gonna be something like, okay, maybe it would be super useful to have Windows security logs for that, but they're too hard to get in this case, or I don't have time this week to get them, or whatever the case might be. But it's important to document that that was something we didn't include here, because it could be the seed of another hunt later. So that's the first phase. The second phase is the hunting activity. Hunting activity is where the rubber meets the road; it's where we're actually executing the searches. I had a professor once in college that used to say "any great question leads to further questions," and that's kind of what I think of here, because as you learn more about what you're looking for, you know, it may well inform your original hypothesis; you might make new hypotheses from that. And that all happens in the activity phase. And there's really three kind of buckets that this can go into: there's going to be potentially malicious activity found, although in my experience that's usually the least common thing to happen in a hunt; there may be non-malicious activity found, right, we're gonna identify logging gaps, we're gonna identify vulnerabilities, we're gonna identify stupid; and then finally we might just find nothing, and that's okay, because it's still telling us something. And the third phase of the hunting that I want to talk about here is the outcome. And the outcome, this is, I think, the most overlooked, or least often done, phase, but honestly it's probably the most important, because you can do it in less than a couple hours. Just document, right: was an incident created from that hunt that we just developed? Like I said, were there new detections that were able to be created, or new analytics? Was there any sort of vulnerability identified, any logging gaps identified, any stupid people? I mean, all important things. And so I'm curious,
how many people track outcomes in their hunt programs? Anybody have kind of like very defined ones? So one thing that we found is, people that did track outcomes were tying them back, in a good way, to the organization, right? If I'm the CISO... but, you know, a lot of CISOs love to use frameworks: how are we doing, how are we improving in these five areas in the NIST CSF, or where does this fall in the Top 20? And so what we tried to do was, if you're gonna define an outcome, right, tie that back to whatever framework it is that you use. It added a whole lot of value to the customers that we were showing this to previously. So I'll go into the solution, or at least our approach to the solution. So we're going to define our processes using Confluence and JIRA. Confluence and JIRA is just what we had; we're not employed by Atlassian or anything. We're gonna use industry-standard frameworks like MITRE ATT&CK to develop our hypotheses, and we'll focus on the CIS Top 20 to organize our outcomes. We're gonna provide business-relevant metrics from this; we're going to show kind of like numbers of logging gaps, numbers of detections created, numbers of active hunts in progress, and then maybe any incidents that have rolled out of this. And if that doesn't work, yeah, we got charts and graphs, and hopefully that'll just make them stop asking questions. So, JIRA: I believe most people are familiar with JIRA. JIRA is used to plan, track and report on projects, and then Confluence is like a basic knowledge base. The reason why we chose both of those is it's $20 for up to 10 users. You can deploy this; there's JIRA Cloud and JIRA Server. They're pretty cheap, they're pretty powerful, they can be admittedly extremely frustrating, but we developed a config that hopefully you can just kind of stand up and deploy. So how we're going to use that: we're gonna track hunts in JIRA, we're gonna track all the hypotheses, activities and outcomes, and then we're going to automate reports in Confluence. And these are all native; there's nothing super fancy we're doing in either of these tools. So a little bit of baselining for standard JIRA issue types: there's an epic, and then you have multiple things that will fall under that epic, like a task, and then you could have subtasks that go under a task. For an example of this: I'm gonna bake a cake, right, and I need to prep ingredients and I need to mix ingredients. Under prep ingredients, I might break that down further and say I need to buy them and then measure and sort. So for ours, we wanted to focus on the MITRE ATT&CK tactics, so there's... I'm asking you this question; I can't remember how many there are across the side. I should know that before I started the slide, but anyway, those are all pre-filled in the config that we have, and then you can generate hunting hypothesis, activity, and outcome issues, and they'll tie back to the original epic. So the standard JIRA issue states are To Do, In Progress and Done; pretty basic for anybody who's used a Kanban board, right? You move it through as you're going. We'll see if we don't screw this up by the end of this. So our issue states: this is really important, because each type has its own issue states. So for
a hunting hypothesis, you have Planned. Excuse me, I need to drink some water. So Planned, like, we know we want to hunt for RDP lateral movement, right? That's an idea; that's not a hypothesis, right? When you're developing the actual scope of that, that's when you'll move it to the Development phase. When it's ready to kick off activities, then you move it to the Production state. Anybody think of why you would retire a hunt? One...
Huh? You want... my ID? All right, I'd say that that's a really good one; I would agree with that. Any other ideas why you would retire it? No longer... up? What about... Good.
Yeah, so what we were thinking is you could retire it if you promote it into an analytic or detection, right? You prove it out so tightly that now you can flip it back over to your SOC as a detection, right? So then you'd retire it, because you're no longer using it to conduct hunting activities. Hunting activities: so we have our standard To Do, In Progress, and then we have our three outcome types, right: malicious activity found, non-malicious activity found, nothing found. And then hunting outcomes: just because you find something doesn't mean it's done, right? Like, we found a whole bunch of missing logs, but now we've got to pester IT to make sure we get those logs, so we wanted to track the progress of those. And if you use, like, ServiceNow, or JIRA, maybe your IT team uses JIRA, you tag them in that outcome and then track that to completion as well. So, all together now: this is a really complex slide, I'll go ahead and admit this. So at the top, for an example, we have Lateral Movement as an epic. We have an idea: we're gonna look for Remote Desktop Protocol in lateral movement; that's it. So we start developing this, right? We're going to use these procedures, here's our collection requirements, here's our scope, we're ready to actually do it, it's ready for production, we're going to move it to Production. And in the config itself, you can't actually conduct hunting activity unless you tie it back to a production-level hypothesis. If this is confusing, we'll share the slides, and it's all documented on the Confluence itself. So then I can kick off a hunting activity, and it's tied back; you can link issues in JIRA, so we're tying that back to the original hypothesis. And this is pretty basic; it just says, okay, Justin did this on October 20th, and then I found some stupid stuff, right? I found that we're not logging RDP connections for our second domain; that's a problem. And then I found Bob using domain admin creds for RDP logins, so I'm gonna go yell at Bob. But this is
the process kind of from end to end, right? And all of these are linked through how we constructed it in JIRA. Thanks, Captain Process. So as we look at the JIRA, going back to the three phases of the hunt that I talked about: hypothesis. This is the data that's going to be available to a third... that we also need to populate. So, detailed view here: we're gonna have the title; it's going to be the MITRE technique that we talked about. We're gonna have the ongoing status that's tracked here. We're gonna have the MITRE tactic label; as Justin mentioned, this is going to link back to the epic, which becomes super important to this guy later. I don't care. No, I care. Hot... Justin, you want to keep hunting? Yeah. And so this part of the hypothesis is really important, because this is where we're really documenting that part that took all of the time, okay? So we're gonna have the hypothesis; we're gonna have the techniques that we're looking for here, so this could literally be, like, the specific hunts that you're going to execute to try and prove or disprove your hypothesis; and the collection requirements, scope, and then the excluded factors. Activity, the second phase that we talked about: again, this is just the detail view. We're gonna have the generic title; I don't know why Justin would be in this, because he doesn't hunt, he just makes processes. I can dream. We're gonna have the status again to track that, the MITRE tactic label, the link back to the epic (Justin's getting excited now), and working notes. And what this can be is, it's not necessarily like a running diary per se; it might just be something that we noticed that might be relevant, it might be relevant to a hunt in the future, but we're gonna plug it in here; it's gonna be a way to store that. And then finally, our outcomes. We just have outcome one here; there can certainly be more than one outcome in a hunt, but this is just to show you what we have. So we're going to have a descriptive title, in this case, whether it's hard to read: "no logging for RDP," yeah, that's right, RDP event logs missing from our second domain. We're gonna have the status as well, another link to the epic, the MITRE tactic label, what kind of outcome type it is, and again our working notes that we talked about, this one once again.
Yeah, so that's a good question. So that's done here; I'll back up. So that's actually done; actually, I didn't highlight it. Oh, I didn't highlight it. Oh, bummer. So that was... see, right above this red box there's a... I'm not sure if you can read it, but trust me, the critical CIS control is listed there, right? 600 lines, that's gonna be a lot; there's only 20 here, which was kind of playing in my favor, but you could certainly pump in as many, you know; that's where you would link it. Okay, and this is where Justin's precious MBA heart starts to flutter, because all of this magic is just linked together and he can look at
it all in one place and feel really good about what he did. Yeah, yeah. All right, so let's get to the reports. So this is where we kind of do all that linking that you saw in JIRA; this is why we were doing that, right: it's the reports. So we did some example reports. We just have a general report on outcomes; we have the CIS Top 20, it's very simplistic; the MITRE ATT&CK one, where our coverage is; I'll show you all these; and then general user statistics. One thing we didn't do, that was another option, we ran out of time, was a tool-specific report, right? Which tools are aiding in my hunting? You could tag tools very easily in this. And again, these are all automatic, and these are out-of-the-box reports generated by Confluence; that's why you're gonna see a lot of pie charts. I didn't want to make this overly complex and then have you guys have a lot of development or theater to pull back out of it. So, outcomes report: what are we finding, who specifically is finding it, are they reporting accurately? So we think that "nothing found" should only be about 20% of hunt end states, right? So do I have a hunter that is not reporting outcomes accurately, or are they thinking evil when they should be thinking stupid? Are our outcomes being actioned? Right below here you can see outcomes in progress, so am I just finding a bunch of stuff and then it sits with IT forever? So, CIS Top 20: this is where I would show, kind of, you know, if in this fictitious world that I'm managing a threat hunting team, if I'm reporting back to the CISO, how does this up-level us in our trusted, used framework? I'm going to report any large gap areas: do we have gaps in the basics? Are we focusing on some deployments, maybe in the organizational controls, that maybe we need to reprioritize and step back up into the basics? On the ATT&CK report: where's my hunt team focused, and where should they be focused, right? Is the lack of focus on data exfil just because we have really good coverage there on existing tools and we don't need to hunt there? And then finally, general user statistics: what's going on right now, what is stalled, and where can I help? So one of the things that we said earlier was hunting activity should be about one or two days, right? You do a lot of work in the hunt hypothesis and then you execute that pretty quickly. Excuse me. If an activity is lasting for more than one or two days and there's no updates on the ticket, it'll report it here, and basically I'm looking for where can I help, right? Where can I reach out and see who got stalled in their work, and do they need some help? And then who's the most productive, right? Just kidding, yeah, don't do that. That's gonna kill this right away, right? This is supposed to be useful for your team, and you walk a really fine line here: you want to make this useful for management, right? You want to report back what you're doing, how you're a value to the organization. You don't want to artificially float a bunch of tickets, right? That's gonna kill this and you're gonna generate additional scrutiny. So, general notes: again, we were using native Confluence. We're going to host the configuration soon; if you want it before we host it on GitHub, just email us directly and we'll send it to you. So
there's a ton of automations and customizations you can get for JIRA. They're really easy out of the box, kind of; you just enable them in JIRA, and they could make this amazingly easy for you. I did not go that route, because then you'd have to unwind a lot of the work; it's better to use this as, like, a starting framework and then develop what you guys want to do going forward, and, you know, automate from there. So, and you can too. So one of the first things I got when I first showed somebody this is, "God, this seems like a lot of work; my team's not gonna do this." Tough, right? You're asking the organization to just give you air cover for the most highly skilled personnel in your environment, and then you're not gonna show them anything on the outside? That's gonna end badly. We've actually seen that a bunch of times, right? You know, again: what are you doing for our organization? Also, this is extremely valuable to kind of, I went on to say, democratize the knowledge across your team, right? How many times have you seen this, where you get into an incident and, "why don't we have DHCP records for this host?" and then some guy says, "oh yeah, I found that like three months ago." Great, why didn't you, you know, report that? "Well, it wasn't an incident." This is a great way to identify those things and then report them across the team. And if you think that we're just overcomplicating this, I really want to know that. We scoured, when people were asking us the question like "how do you actually report and track these," we couldn't find an example. I think the closest thing that we could find was actually the Endgame book that came in the giveaway bags, and on page 18 there's a little paragraph on metrics and the importance of doing this, but there's no actual "how you would do it" specifically. And if you want to start simpler, we're gonna also give you a Word document and an Excel document. I'm gonna go ahead and say don't use this, like, if you don't want to work in JIRA and you just have nightmares about JIRA; there's a lot of people that are really religiously against JIRA, and this might be an easier way to start. It's just basically broken out by tabs and allows you to kind of visualize, and then maybe you just develop this in your internal process workflow tool. Yeah, so closing thoughts here: this is really important to us, but the specific tool is not important. Planning is a common thing here; if you fail to plan, plan to fail. That's pretty good. But it's really not important in terms of what tool; what is important is that you are doing it. You have to track it some way if you really want these outcomes to resonate and to get value out of your hunting, because threat hunting is incredibly valuable, not just for finding APT or evil but for finding stupid and correcting that. Don't let your hunt program get derailed, right? You get funding to set up this hunt program; at the end of the day you have to answer to someone, and someone wants to know what they're getting for their investment. The higher-level Justins of the world, they scare me; this is a good way to keep them away. And finally, that's where you can find our slides. I've posted those out there, and where are we gonna put the config? Same place. Okay, so the config will be there relatively soon. Yeah, any questions? Oh
do we have any tactics that we did? So... yeah, are you saying "I found this thing and nobody's actioning it because I can't convince them that it's a big problem"? Kind of; did I get your question right? So that's where I would use the framework, right? That's the value of tying it back to whatever framework you have, because then you kind of use management's words against them in that case, right? Like, if you're gonna say that we're gonna align to the NIST CSF, well, this thing that I found is hampering that, right? That helped a lot of the people that we were talking to about this. And I guess I would also add that all stupid is not created equal, yeah, right? So there's stupid, and then there's stupid. I worked at a large corporation one time where we discovered we had 3389 open on the Internet. That's stupid. Also really common, yeah.
so the question was it if you're gonna start a throw hunting program do you use miss CSF like as a baseline right I only see the value in this CSF and the top 20 to make it valuable for the people that I'm reporting to not necessarily something that I like I know that a logon gap is a problem but I need to communicate why that is a problem and I'm gonna use our organizational framework to like use the same language so I if it's if it's something that your organization does then yes good
Yes, it's... oh, I see what we were saying, so...
Yeah, absolutely.
How do you do that? Absolutely. So the hunt hypothesis, that means there's a production-level thing that we can actually go do repeatedly, right? I might want to wait two weeks, a month, to let the data build, right, so that it's useful to go back and search through that, but hopefully I've done 90% of the work so that all I do is, hey. And that's a really good way to put a junior person on that, right? Have your junior person execute a predefined thing and then have a senior person kind of double-check their work, but meanwhile the senior person is crafting the next hypothesis. So if that hasn't been moved, yeah. I mean, you wouldn't want it just to be used ad hoc, right? You'd want to schedule it. Like, you can auto-schedule activities in JIRA, so you could say generate a to-do hunting activity in two weeks for this production-level hypothesis. I know this is getting kind of in the weeds, but you can do this. You can say we need to wait two weeks for the data to build up and we'll generate a to-do action, we'll assign it to the available hunter, and then they'll just go do it, right? But you should always, like, this builds on top of it, and you would never just forget about this original hypothesis unless you turned it into an analytic.
So the hypothesis and the formation of, sorry, I'm dying, more water. But yeah, you want to take that? So in my experience, what I think has been successful is, I hate to pigeonhole people into, like, if you have SOC analysts, being like, you know, this is what you do, you're looking at alerts all day long. I think if you have a structured process it helps with developing junior analysts, so, you know, if you go through some sort of rotation where you're spending some time in the SOC and then now you've got time to hunt, I think it's a good way to build your team. To answer your question, absolutely, there's... so you could add that to the workflow very easily, yeah. You could say like "needs approval", that kind of thing. Yeah, good.
Yep, so that's a really good question. It's iterative, right? Like, you're developing the hypothesis, and you actually might find more outcomes developing the hypothesis than you would actually doing the activity, right? Because you're, well, we've got to collect RDP logs, right, we don't have those, we need to, you know, log that, right. So you will find a lot in just constructing the hypothesis itself.
Yes, yes.
We might have to talk more. I want to kind of clarify your question a little bit, but yeah, yeah, yeah.
Uh, kind of. I could probably, I can go into detail about this. You just retired a hypothesis, right? You've created an alert. You just note that you're retiring the hypothesis and it correlates to this alert that's now in our SIEM, and, you know, right, exactly, and that's something that we track, right. But there's one of the five examples, like end states of a hunting activity, or outcomes: one was "detection created". That's honestly what you want, right? Hopefully you don't find terrible and kick off an incident, although, you know, you will, but hopefully you're feeding your SOC, right? A really good hunting program is feeding the SOC. Yes.
So I haven't an answer, but I'd ask you, challenge you on this, sure. So for me, I mean, it's not when it's done, right? So like the times that we've put up here, it's super vague in general, it's like "here's a week", this is kind of how we'd split it up. I think it's better to think of that as more of a percentage. So like hypothesis, I think you're typically going to spend 60% of your time on the actual hunt; you know, it's going to be somewhere around 20 to 25%, that's just typical, and go from there. But it's hard to say, like, you have to get really specific on your scope, right, because the problem is you don't know what you don't know. You're gonna find things that are gonna lead to more questions and, you know, the whole iteration problem.
So I would say here that it's really not so much about the time in that case; it's making sure that you develop a good hypothesis that allows you to feel good about the answer or conclusion that you get to. So, you know, like, once you've executed that search, like okay, this is going to tell me what I need, so either I found it or I didn't, but your hypothesis is complete enough so that when you do that, you feel comfortable saying we're done here. I wouldn't say that you would go into a hunting activity without knowing how long it would take, if that makes any sense. Like, you have done the scoping and the hypothesis so that you know that this would take about a day or two, if that makes any sense. It would be really rare, like, whoa, we have just tons of RDP logs, or just all these random logs, and I now have to piece together... that work's done in the hypothesis. Yeah, how far back your logs go, yeah, it's a balance, but if I haven't searched something before, I want to search it. But, like, you know, to your point, maybe you don't have the time to go back two years. If you've got logs going back two years, though, good for you, and I'd search it if I had the time. Yeah, you have to identify the bucket of equity that you're gonna do it in first, right? So I'm gonna fit all this work into two days, so what is reasonable, right? What can I do in a reasonable amount of time? And that's dependent on, you know, an organization's logs, right? Yeah.
And that's why the documentation of this whole process is so important, because now you can go to this and say, okay, Jeff conducted this hunt on this date and this was his scope, so you can rule that in or out of this new hunt that you're conducting, right? So this is why documenting this is crucial. Yes, sir.
Okay, so there's a lot of parts to that question. So the first thing is, like, for me, as someone that's sort of trained in incident response, it's all about priorities. So if I'm on a hunt, right, and I find active C2 activity coming from APT whatever, that's my priority now. Okay, I have an active intrusion that needs to be dealt with, so that's where my resources and time are going to go. When you get into, okay, you identify this and you're saying you don't have the capability to sort of respond to that threat: call Mandiant, yeah. I would honestly say that if you don't have a really strong incident response process that's really well-defined, and you know what your action is, then you're not ready to do this, honestly. You need to have those kinds of foundations to do something like this. So hunting is tossed around, right, and it's the new hotness, but it takes a lot of work and it takes a lot of really advanced personnel, right. And just to add on here, the thing is that I think there's a lot of, for people that have a lot of experience in this, there's a lot of fear about, you know, the boogeyman, the APT and how serious it is, all that. But, like, your incident response processes and procedures, they're going to be the same, right? So it's like detect, contain, respond, like in some way, shape or form, that's how you're going to respond to threats on your network. So it's like I'd recommend hiring people that you trust to be able to, you know, carry those activities out. Like I said, if you can't, then maybe you need to find outside help, but ultimately it doesn't matter really if it's commodity or if it's APT. You have to have some sort of process and procedure in place to respond to things like this. And we're throwing around APT a lot; I mean, what we're really finding, right, is like malware that's not being caught by traditional tools.
Hey, you want to rabbit hole? Just fine, try to figure out how many DNS servers you have, right? I mean, yeah. Any other questions? Sweet, thank you, thank you very much.