Threat hunting is the process of actively looking for signs of malicious activity within enterprise networks without prior knowledge of those signs. It is a proactive approach to uncovering bad actors before they can steal your data or disrupt your business. Endgame’s hunt experts Devon Kerr and Paul Ewing have written a practitioners guide to threat hunting for analysts who want to begin hunting today. This book provides analysts with hands-on tips on how to start hunting for techniques across the MITRE ATT&CK matrix. This one-of-a-kind guide is full of step-by-step instructions and practical advice on how to hunt including:
- What is hunting?
- Choose the right framework to hunt – MITRE ATT&CK™
- Building a hypothesis to hunt for threats
- Measuring the success of your hunt program and assess hunt efficiency
- Techniques on how to hunt for a few techniques across the MITRE ATT&CK matrix
- Hunting for Fileless Attacks – Examine techniques for detecting threats that hide in memory
- Hunting for Persistence – Explore how attackers achieve persistence, and how to uncover their techniques
- Hunting Lor lateral movement – Find out how to hunt for lateral movement across the enterprise
- Hunting for Credential Theft – discover how to uncover whether attackers have been stealing user credentials
- A hunt cheat sheet to get started
About the Authors
Devon Kerr is a Principal Researcher at Endgame, focusing on adversary simulation, detection, and response technologies. Formerly a Mandiant incident response and remediation lead, he helps Fortune 500 companies detect and contain advanced threat actors.
Paul Ewing is a Senior Threat Researcher at Endgame, where he leads the adversary hunt efforts. He formerly lead hunt teams in government. He specializes in prototyping analytics to detect malicious behaviors and techniques.
You can download the book for free here.