August 25th, 2021 by Admin

There are many different approaches to increasing an organization’s cybersecurity defenses against adversaries. One fundamental solution is known as a threat hunt. Threat hunts provide a proactive opportunity for an organization to uncover attacker presence in an environment. While no formal academic definition exists for threat hunting, this paper defines threat hunting as the proactive, analyst-driven process to search for attacker tactics, techniques, and procedures (TTPs) within an environment.


August 25th, 2021 by Admin

Microsoft has gradually increased the efficiency and effectiveness of its auditing facilities over the years. Modern Windows systems can log vast amounts of information with minimal system impact. With the corresponding decrease in the price of storage media, excuses to not enable and retain these critical pieces of evidence simply don’t stand up to scrutiny.

August 25th, 2021 by Admin

There’s no doubt that enterprises today, more than ever, need effective cybersecurity strategies. However, a sound strategy is not in and of itself a guarantee of success. There are several ingredients that are necessary for a cybersecurity program to be successful. This chapter will describe what a cybersecurity strategy looks like and each of the necessary ingredients for success in detail.


August 25th, 2021 by Admin

Are we good? This question should give a security team pause. Where do they begin to explain the complexities and nuances of the risks posed by cyber threats? What does “good” mean to an analyst, SOC manager, or CISO? The executive often only wants a yes or no. She may not have the time to pick apart anything more complicated.


August 25th, 2021 by Admin

Gathering intelligence and log evidence to support an investigation often requires having an intimate knowledge of the details that may be available across a vast array of log sets and data sources. The analysts’ awareness of what log data is available and where it is stored increases readiness for incident response.

