Tips for Effective Threat Hunting

By on

This blog was co-written by Ramnath Venugopalan.

In May, McAfee surveyed more than 700 IT and security professionals around the world to better understand how threat hunting is used in organizations and how they hope to enhance their threat hunting capabilities. You can read the full study: Disrupting the Disruptors, Art or Science? Understanding the role of threat hunters and continuing evolution of the SOC in cybersecurity.

At the MPOWER Cybersecurity Summit, Oct. 17–19 in Las Vegas, McAfee will discuss the results of this survey and explain how our products can help customers run a next-level security operations center. We will also cover trends among threat hunters and answer questions such as:

  • What are a threat hunter’s core tools?
  • What level is your environment in the threat hunting maturity scale?
  • Do you want to improve on that scale?
  • What are top-tier SOCs doing that low-level SOCs are not?

One thing top-tier SOCs do is use six core logs to identify attacks:

  • DNS logs are one of the best sources of data within an organization. They should be compared with the various threat intelligence sources and mined for information.
  • Proxy logs are useful for exfiltration detection and forensics, identifying potential phishing attempts and suspicious domains, and identifying control server domains.
  • SMTP logs are useful but they do not necessarily capture all details due to privacy restrictions around email content. We can use them to capture header information, though not data on attachments or embedded links.
  • Windows logs can be a very rich source of data. They can also be very noisy and come in several flavors. Timeline analysis can best leverage these logs, and overlaying the other logs we describe is the key to leveraging this information. Each Windows log sheds light on a different part of the puzzle. Some of the most valuable are:
    • Authentication logs
    • Security logs
    • Application logs
    • System logs
  • DHCP logs are temporal entries that require timeline matching to correlate with log entries from other sources.
  • VPN logs are also temporal entries that require timeline matching to correlate with log entries from other sources. They are useful for detecting the theft of credentials.

Each of these logs provide insight for specific parts of the incident response process. This talk will walk through each log and identify the key insights that can be identified with specific data in that log as well as useful automation.

Are you collecting these logs? That’s only half the battle. Join us at MPOWER as we look at recent advanced persistent threats campaigns and show how these six logs can help identify breaches and create mitigations.

For more on Threat Hunting and for updates from MPOWER17, follow us on Twitter @McAfee_Labs.

Leave a Comment

Similar articles

Depending on whose study you believe, there is going to be a shortage of 1.5 million or more cybersecurity professionals in 2020. As McAfee re-emerged from Intel as an independent company, we have stood up our own fusion of converged physical and security operations center (SOC) functions in the past nine months. We have been very ...
Read Blog
This blog was written by Jason Rolleston. Everybody’s got a device. And the data on that device is moving into the public cloud. Massive amounts of data.  In a world of massive amounts of data, who’s the traffic cop? The Security Operation Center (SOC). But these days the daily flow of data traffic resembles a ...
Read Blog
In security operations, we frequently talk about the difficulties in separating the signal from the noise to detect legitimate threats and disregard false alarms. Data overload is a common problem and triage becomes a critical skill to hone and develop. As the chief information security officer (CISO) for McAfee, I am aware at multiple levels ...
Read Blog