PAINT IT, BLUE Slides - Link

Pro Tips on transitioning from CTI to Hunt

---

🎸RESEARCH

🥁GOAL = ASK BETTER QUESTIONS

SOCIAL MEDIA & MORE	SANS	WORKSHOPS / TALKS	DISCORDS / SLACKS
#HuntingTipOfTheDay, Follow Threat Hunting Accounts EVERYWHERE - Link	Reading Room - Link, Webcasts - Link & Threat Hunting Summit	Prioritize Threat Hunting Talks/Workshops & take a look at YouTube	Join Slack/Discord related to infosec (BlueSpace has a Discord Channel - Link)

📝CH33R10'S TALK NOTES EXAMPLE

_{I have a folder where I create a document for each conference. I list the name of the talk or workshop and while watching I will take screenshots, if it is allowed, of the slides and make notes that I can reference later. Any words in the slides that I want to makes sure are searchable, I will type the keywords below the slides. I grab whatever links the speaker(s) share that I can. I make sure to highlight my personal takeaways or takeaways that I feel could be valuable for someone else. I make a point to include things I am curious about regardless of how weird/off-the-wall/impractical my questions/thoughts may be.}

TEXAS CYBER SUMMIT 2021

• Becoming a Threat Hunter: This Is One Way by Jason Wood - Link
• LINKS
• Crowdstrike Global Threat Report 2021 - Link
• Crowdstrike Threat Hunting Report 2021 - Link
• Detection Lab by Chris Long - Link
• TALK TAKEAWAYS
_{I took a screenshot of Jason Wood's slide for my personal notes that I retyped below. These are his words on the slide that I duplicated. All credit for the words on the slide goes to Jason Wood. This duplication is for educational purposes.}
• Document your Practice
• Record videos and publish them
• Write up your learning experience
• Give a conference presentation
• Document how you hunt at work
• Don't publish external. Keep it inside your employer
• Benefits of documenting
• Helps you talk about it in interviews
• Can talk about how you've applied it at work
• Ch33r10's RANDOM THOUGHTS & QUESTIONS
• I wonder if it is possible to use Chris Long's Detection Lab with the tools shared in the Busting the Ghost in the Logs talk by Randy Pargman & Jean-Francois Maes during Texas Cyber Summit 2021 - Link
• I wonder how Chris Long's Detection Lab compares with Splunk's Attack Range
• I wonder how I can take my threat hunting practice to the next level and make my practice more organization relevant, such as tooling, telemetry, honeypots? etc
• I wonder if it is possible to obtain a researcher/academic license for [your organization's EDR solution/a popular EDR solution] and build a custom tailored threat hunting lab
• For organizations that do not use Sysmon/Windows Events, how can I build threat hunting experience?
• ETC

🎤PRACTICE

🎵GOAL = PREPARATION

TRAININGS / HANDS-ON	GIVE A TALK	HUNT HYPOTHESIS DEV	WORK PROJECTS
Boss of the SOC (BOTS) - BOTS v1, BOTS v2, BOTS v3, ATTACK Range - Link, SPLUNK, .conf Talks, SPLUNK Workshops	Talk about something HUNT adjacent	Read Threat Reports & Think about how YOU would HUNT it, Understand the Technical Attack Chain	Volunteer to work SOC tickets, Volunteer to prep CTI reports for HUNT/PURPLE

⚔️CH33R10'S HUNT HYPOTHESIS DEV

1. WHAT WOULD THIS BADNESS LOOK LIKE?
2. WHERE WOULD I FIND IT?
3. HOW DO I DO THE NEEDFUL? (What's that search gonna look like?)

📻APPLY

🎹GOAL = APPLICATION

MITRE ATT&CK TECHNIQUES	CISA / PUBLIC THREAT REPORTS	INFOSEC CURRENT EVENTS
Pick a few and be able to explain them in DETAIL - MITRE ATT&CK	Develop Hunt Hypotheses with a minimum of 1 hour of content to discuss	Develop hunt scenarios & understand the technical attack chain

🔗CH33R10'S THREAT HUNTING CYCLE

1. RESEARCH - Hypothesis generation and understanding the technical details.
2. ANALYSIS - Collect the necessary data, create searches, run the searches, and analyze the results.
3. CONCLUSIONS - Findings, mitigations, documentation, lessons learned.
4. DETECTIONS - Automate the Hunts you can.
5. RINSE & REPEAT

🗡️CH33R10'S THREAT HUNTING TIPS

1. THREAT HUNT TYPE
   • STRUCTURED: Known TTPs, IOCs, Artifacts
• UNSTRUCTURED: Unknown
2. INTERNAL vs. EXTERNAL
   • Example: Cobalt Strike Beacon Hunting in Network vs. ITW (In the Wild)

📚LEARNING RESOURCES

😎CHEATSHEETS

• Malware Archaeology Cheatsheets - Windows - Link 1, Link 2, Back up copy for Link 2 - Link 3
• Olaf Hartong. Sysmon Cheatsheet - Link
• SANS Hunt Evil Poster - Link
• SANS Intrusion Discovery for Windows Cheatsheet - Link

🌎DETECTIONS/HUNTS

• BlueTeamLabs - Azure Sentinel Hunting Resource - Link
• David J. Bianco. Threat Hunting Project - Threat Hunts - Link
• Detection Ideas Repo by Vadim Khrykov @BlackMatter23 - Link
• Hurricane Labs - Threat Hunting with Splunk: Part 2, Process Creation Log Analysis - Link
• Roberto Rodriquez. ThreatHunter Playbook - Link
• Sigma Rules - Link
• Splunk - Advanced Threat Detection and Response - Link
• YARA Rules Resource - Link

🏹GENERAL INFO

• BLOG: BC Security Offensive Security Tools - Link
• BLOG: Red Canary - Link
• BLOG: SCYTHE Threat Thursday - Link
• BLOG: SpecterOps - Link
• Ch33r10's PURPLE TEAM EXERCISE IDEA QUEUE W/ THREAT HUNTING SUGGESTIONS - Link
• Ch33r10's Twitter Threat Hunting List - Link
• C2 Matrix by Jorge Orchilles, Bryson Bort & Adam Mashinchi - Link
• C2 Matrix Slingshot VM with C2s Pre-Installed + VECTR by SANS Institute - Link
• DEMO: C2 Matrix VM Walkthru with Jorge Orchilles - Link
• David J. Bianco and Cat Self. SANS Threat Hunting & IR Europe Summit 2020 - Link
• David J. Bianco. Sqrrl Archive - Link
• David J. Bianco. The Pyramid of Pain - Link
• David J. Bianco. The Threat Hunt Project - Analysis Environment - Link
• David J. Bianco. The ThreatHunting Project - Recommended Reading List - Link
• Digit Oktavianto. Cyber Threat Hunting Workshop - Link
• iRed Team - Link
• Jason Wood. Becoming a Threat Hunter: This Is One Way - Texas Cyber Summit 2021 - Link
• Jennifer Gruener. DIY Splunk - Link
• Joshua Stevens. Hunting for the Undefined Threat: Advanced Analytics & Visualization. RSA Conference 2015 - Link
• Matt Bromiley. Thinking like a Hunter: Implementing a Threat Hunting Program. SANS Analyst Paper - Link
• MITRE ENGENUITY - ATT&CK Evaluations - Link
• Robert M. Lee and David J. Bianco. Generating Hypotheses for Successful Threat Hunting. SANS Analyst White Paper - Link
• Roberto Rodriguez. How Hot is your Hunt Team? - Link
• Splunk - Threat Hunting with Splunk: The Basics - Link
• Sqrrl. A Framework for Cyber Threat Hunting - Link 1 & Backup copy for Link 1 Link 2
• The DFIR Report - Link
• Valentina Costa-Gazcon. Practical Threat Intelligence and Data-Driven Threat Hunting - Link

🤓INTERVIEW RESOURCES

• Questions for Infosec Job Twitter Thread - Link
• Questions to Find RED FLAGS at a Company Twitter Thread - Link
• Questions to Prepare for Trait-based Interview Questions Twitter Thread - Link
🎺SANS THREAT HUNTING
• SANS THREAT HUNTING PLAYLIST🎬 - Link
• SANS THREAT HUNTING SUMMIT 2021 Links from the chats collected by Cassie @DFIRDetective - Link
• SANS THREAT HUNTING SUMMIT 2020🍿 - Link
• SANS THREAT HUNTING & INCIDENT RESPONSE SUMMIT 2019📽️ - Link
• SANS THREAT HUNTING & INCIDENT RESPONSE SUMMIT 2018🍫 - Link
• SANS THREAT HUNTING & INCIDENT RESPONSE SUMMIT 2017🍬 - Link

🏋️TRAINING

• Active Countermeasures - Cyber Threat Hunting Training - Cost: FREE - Link
• Applied Network Defense - Practical Threat Hunting - Cost: 💲 - Link
• BlueTeamLabsOnline - Cost: 💲 - Link
• CyberDefenders - Windows Threat Hunting and others - Cost: FREE & 💲 - Link
• Detection Lab by Chris Long - Cost: FREE - Link
• INE elearnsecurity - Threat Hunting - Cost: 💲 - Link
• Mosse Institute - Certified Threat Hunter - Cost: 💲 - Link
• SANS FOR508 Advanced Incident Response, Threat Hunting, and Digital Forensics - Cost: 💲 - Link
• Splunk Attack Range - Cost: FREE - Link
• Splunk's Boss of the SOC (BOTS) - Cost: FREE - BOTS v1, BOTS v2, BOTS v3
• Splunk Workshops - Cost: FREE - Link

💎THANK YOU

Thank you to BlueSpace and Ekoparty! <3

Shoutout to @plugxor Muchas Gracias!

---

FOR THE LAWYERS

_{"The opinions expressed in this Github repo are those of the individual account, in their individual capacity, and not necessarily those of the employers. Mention of any vendors, services, products, or otherwise does not endorse them as a vendor. This content and any related discussions are solely the views, opinions, and experiences of the participants and should not be presumed to reflect the opinion or the official position of any employers of the participants. Examples and views provided herein, including strategies, goals, targets, and indicators are for illustrative purposes only and should not be regarded as representative of the participants' employers or respective portfolios. To the extent that this participation, discussion, and interview outlines a general technology direction, the participants' employers have no obligation to pursue any such approach or to develop or use any functionality mentioned herein. Any suggested technology strategy or possible future developments are subject to change at the employers' sole discretion without notice. Content in this presentation is the intellectual property of the applicable creators and may be protected under the copyright laws of the United States and/or other countries. All trademarks are the property of their respective owners and are used for informational purposes only."}