TTP hunting is an intelligence-based type of cyber threat hunting that analyzes the latest TTPs (Tactics, Techniques, and Procedures) used by hackers and cybercriminals. TTP threat hunters study the newest tools and technologies used by cybercriminals, learn how to detect new attack trends, and gather enough cyber threat intelligence that companies can fully protect their attack surface.
Maybe I’m a bit late to the game on this one, but I recently discovered PwnFox and it has quickly become one of my favorite tools yet. So, what is PwnFox? To put it simply, it’s a Burp Pro extension that works with Firefox. It accomplishes two things. First, it helps containerize up to eight (yes, that’s right… eight!) different sessions within one browser, and second, it organizes all your proxied traffic in Burp BY COLOR! I’ll dive a bit more into #2 in a second.
Proactively finding and eliminating advanced threats through threat hunting is a growing necessity for many organizations, yet few have enough resources or skilled employees to do it effectively. For those who do have an active threat hunting program, the process is often manual and time consuming. With cloud security automation, however, you can implement rules that automatically adjust your security policies based on the latest threat data.
Cybersecurity can often seem intimidating for IT teams. After all, things like “threat hunting,” “red teaming,” and “blue teaming” are not used in IT operations. On the other hand, just because these words are terms of art doesn’t mean that they’re activities you don’t do already. You’re probably already using log data as part of your IT operations incident response.
One of the most commonly used techniques is to dump credentials after gaining initial access. Adversaries can do this in many ways, but most commonly Mimikatz is used, whether through PowerShell’s Invoke-Mimikatz, Cobalt Strike’s Mimikatz implementation, or a custom build. All of these methods have one thing in common: they target LSASS.
That’s a wrap for the Spring series of the Humio Advanced Log Management Course. The sixth and final session focused on threat hunting and how network data from Corelight can improve your threat hunts. Here’s a recap of the session and a link to watch it on demand. CrowdStrike CTO Michael Sentonas opened the session by putting threat hunting in context, saying it requires complete observability and the ability to log everything at scale.