
Threat Hunting Fundamentals: Why Network Data Should Be At Core Of Your Process


Ashley 'AJ' Nurcombe, Sr. Cybersecurity Engineer, Corelight
Brandon Dunlap, Moderator
Today’s speaker from Corelight

Ashley "AJ" Nurcombe is a highly passionate and driven technologist with a proven track record of competency in the field of Security, Networks, DLT and Mobility.

With over a decade of relevant experience in the most advanced cybersecurity fields, and as a highly reliable, well-rounded, seasoned IT security professional with superior technical abilities, AJ has delivered keynote talks across North America, Europe and the GCC.

Ashley ‘AJ’ Nurcombe
Senior Cyber Security Engineer


Are my people trash?
SYN / OVERSIGHT
Operational Blindness
What is Threat Hunting?

• Varies org to org
• Varies vendor to vendor
• Some out there just searching for IoC’s (Indicators of Compromise)
• Some frameworks around TTP (Tactics, Techniques and Procedures)
Threat Hunting

• Isn’t:
  • Brand new
  • Automated
  • SIEM (Security Information and Event Management)
  • SOAR (Security Orchestration, Automation and Response) tools
  • IDS (Intrusion Detection System)
  • Looking for known
  • Always finds threat actors or malware
  • Need wizards to do it
  • Expensive tools
  • IR (Incident Response)

• Is:
  • Proactive
  • Looking for potential bad in data
  • Looking for things that evaded detection, and
    • Things that didn't get alerted or reported on
  • Analytics
  • Looking for unknown
  • Makes Analysts better
  • Improves threat detection
SYN
Lack of People/Time
People -> Time

• Dedicated Hunters!
• Analysts with some dedicated time to hunt
• Analysts with a few hours on a Friday
• ShadowHunters

• Blinders off, not just working the queue


SYN
No Data
Tools -> DB (Database)

• Correlate
  • SIEM (logs)
  • Endpoint
  • Network
• Same NTP
  • Same TimeStamp
• Query
  • Meta
  • Raw
• Carving
• Visualizations
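The "Same NTP / Same TimeStamp" point is the one that silently breaks correlation: an endpoint log written in local time with an offset and a network sensor writing UTC epoch seconds will never line up until both are normalized to one clock. The following is an added example (not code from the webinar or from Corelight) that normalizes both sources to UTC epoch seconds and joins endpoint process starts to network connections from the same host within a short window. All records, field names and hosts are constructed for illustration.

```python
"""Correlate endpoint and network events on a shared, normalized clock.

Added example, not code from the webinar or from Corelight. Record layouts
and field names are constructed for illustration.
"""
from datetime import datetime, timezone

# Constructed endpoint (EDR-style) events: ISO 8601 text with an explicit
# UTC offset, as many agents emit when they log in local time.
ENDPOINT_EVENTS = [
    {"ts": "2023-04-12T09:15:02-04:00", "host": "10.0.5.23",
     "event": "process_start", "image": "powershell.exe"},
    {"ts": "2023-04-12T09:15:40-04:00", "host": "10.0.5.23",
     "event": "process_start", "image": "notepad.exe"},
    {"ts": "2023-04-12T09:20:11-04:00", "host": "10.0.5.40",
     "event": "process_start", "image": "svchost.exe"},
]

# Constructed network sensor connection records: Unix epoch seconds (UTC).
NETWORK_EVENTS = [
    {"ts": 1681305303.2, "orig_h": "10.0.5.23", "resp_h": "203.0.113.9",
     "resp_p": 443, "service": "ssl"},
    {"ts": 1681305612.0, "orig_h": "10.0.5.40", "resp_h": "10.0.0.5",
     "resp_p": 53, "service": "dns"},
]


def parse_ts(value):
    """Normalize a timestamp to Unix epoch seconds in UTC.

    Accepts epoch seconds (int/float) or ISO 8601 text. Text without an
    explicit offset is treated as UTC; a source that writes local time
    with no offset has to be fixed at the source, which is exactly the
    "same NTP, same timestamp" problem the deck calls out.
    """
    if isinstance(value, (int, float)):
        return float(value)
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.timestamp()


def naive_parse(value):
    """The mistake being illustrated: drop the offset and read the wall
    clock as if it were UTC. Only here to show how correlation fails."""
    if isinstance(value, (int, float)):
        return float(value)
    dt = datetime.fromisoformat(value[:19]).replace(tzinfo=timezone.utc)
    return dt.timestamp()


def correlate(endpoint_events, network_events, window_s=5.0, parse=parse_ts):
    """Pair each endpoint event with connections from the same host that
    started within window_s seconds after it. Returns a list of matches."""
    pairs = []
    for ep in endpoint_events:
        ep_ts = parse(ep["ts"])
        for net in network_events:
            if net["orig_h"] != ep["host"]:
                continue
            delta = parse(net["ts"]) - ep_ts
            if 0 <= delta <= window_s:
                pairs.append({
                    "host": ep["host"], "image": ep["image"],
                    "service": net["service"], "resp_h": net["resp_h"],
                    "resp_p": net["resp_p"], "delta_s": round(delta, 1),
                })
    return pairs


if __name__ == "__main__":
    for p in correlate(ENDPOINT_EVENTS, NETWORK_EVENTS):
        print(f'{p["host"]} {p["image"]} -> {p["resp_h"]}:{p["resp_p"]} '
              f'({p["service"]}) +{p["delta_s"]}s')
    # With offsets ignored the same data yields no matches at all.
    print("matches with offsets ignored:",
          len(correlate(ENDPOINT_EVENTS, NETWORK_EVENTS, parse=naive_parse)))
```

Run stand-alone it prints the two process-to-connection pairs, then zero matches for the naive parse: the four-hour offset pushes every endpoint event outside the window, so a hunt built on those two sources would see nothing wrong. Checking skew between sources before hunting is cheaper than debugging empty joins afterwards.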
Network -> SIEM -> Carving

• Time
  • Usually limited by SIEM speed
• Service
• Direction
• Entities
  • What is this host and how critical is it?
  • Remove vuln scanners
  • Remove external web app scanners
• Visualizations
SYN
Poor Performing SIEM
We got people, tools, data
Now what?

• Be careful
  • Not all hunts are passive
  • Don't want to tip your hand, especially if there is a compelling event
  • XDR/EDR getting accused on breaches
Network -> Hunting Benefits

• Source of truth
• Know your assets
• Doesn’t need an agent
  • Orgs can’t install agents on some devices or are not allowed to
  • XDR/EDR can get disabled or turned off by an attacker
• Is passive
SYN
Attackers Know ENV Better Than Defenders
What is normal for your env?

• Why do attackers know more about the systems than defenders?
• They look
  • Ingress/Egress
  • Applications
  • Services
  • Ports
  • PCR
  • VLANs
  • Development -> QA -> Production
SYN
Poor Documentation
Documentation

• For yourself
• For your team
• For your org
• External for all defenders
• 2 things to always record
  • What led you down that path?
  • What query did you end up on?
• Improve detections or report on enablers
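The "Network -> SIEM -> Carving" slide and the two documentation rules above fit together: carve connection metadata down by time, service, direction and entity (dropping known scanners, tagging what is left with asset criticality), then write down the hypothesis that started the hunt and the query you ended on. The following is an added example, not code from the webinar or from Corelight. The record layout is a constructed, Zeek-style connection log (the field names are an assumption), and the asset inventory, scanner list and all hosts are constructed for illustration.

```python
"""Carve network connection metadata for a hunt and record how you got there.

Added example, not code from the webinar or from Corelight. The record
layout is a constructed, Zeek-style connection log (field names assumed);
the asset inventory, scanner list and addresses are constructed as well.
"""
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed asset inventory: "what is this host and how critical is it?"
ASSETS = {
    "10.0.5.23": {"role": "finance-workstation", "criticality": "high"},
    "10.0.5.40": {"role": "build-server", "criticality": "medium"},
    "10.0.0.5": {"role": "dns-resolver", "criticality": "high"},
}

# Constructed internal vuln scanner and external web-app scanner to remove.
SCANNERS = {"10.0.9.9", "198.51.100.200"}

# Constructed connection records (ts = Unix epoch seconds, UTC).
CONN_LOG = [
    {"ts": 1681300000, "orig_h": "10.0.5.23", "resp_h": "203.0.113.9",
     "resp_p": 443, "service": "ssl", "orig_bytes": 2100, "resp_bytes": 900},
    {"ts": 1681300100, "orig_h": "10.0.9.9", "resp_h": "10.0.5.40",
     "resp_p": 22, "service": "ssh", "orig_bytes": 300, "resp_bytes": 200},
    {"ts": 1681300200, "orig_h": "10.0.5.40", "resp_h": "10.0.0.5",
     "resp_p": 53, "service": "dns", "orig_bytes": 60, "resp_bytes": 120},
    {"ts": 1681300300, "orig_h": "198.51.100.77", "resp_h": "10.0.5.23",
     "resp_p": 443, "service": "ssl", "orig_bytes": 500, "resp_bytes": 4000},
    {"ts": 1681300400, "orig_h": "10.0.5.23", "resp_h": "203.0.113.9",
     "resp_p": 443, "service": "ssl", "orig_bytes": 48000, "resp_bytes": 700},
    {"ts": 1681300500, "orig_h": "10.0.9.9", "resp_h": "10.0.5.23",
     "resp_p": 443, "service": "ssl", "orig_bytes": 900, "resp_bytes": 300},
    {"ts": 1681400000, "orig_h": "10.0.5.23", "resp_h": "203.0.113.9",
     "resp_p": 443, "service": "ssl", "orig_bytes": 1000, "resp_bytes": 1000},
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def direction(rec):
    """Classify a connection as outbound, inbound, internal or external."""
    src, dst = is_internal(rec["orig_h"]), is_internal(rec["resp_h"])
    if src and not dst:
        return "outbound"
    if dst and not src:
        return "inbound"
    return "internal" if src else "external"


def carve(records, start, end, services=None, directions=None, exclude=SCANNERS):
    """Narrow connection records by time window, service, direction and entity.

    Scanner hosts are dropped whichever side of the connection they are on,
    and each surviving record is tagged with its direction and the asset
    record of its internal endpoint so the hunter can prioritize.
    """
    out = []
    for rec in records:
        if not start <= rec["ts"] <= end:
            continue
        if services and rec["service"] not in services:
            continue
        if rec["orig_h"] in exclude or rec["resp_h"] in exclude:
            continue
        d = direction(rec)
        if directions and d not in directions:
            continue
        inside = rec["orig_h"] if is_internal(rec["orig_h"]) else rec["resp_h"]
        asset = ASSETS.get(inside, {"role": "unknown", "criticality": "unknown"})
        out.append({**rec, "direction": d, "asset": asset})
    return out


def hunt_record(hypothesis, query, results):
    """The two things to always write down: what led you down this path
    (the hypothesis) and the query you ended up on, plus what it returned."""
    return {
        "hypothesis": hypothesis,
        "query": query,
        "hits": len(results),
        "hosts": sorted({r["orig_h"] for r in results}),
        "high_criticality_hits": sum(
            1 for r in results if r["asset"]["criticality"] == "high"),
    }


if __name__ == "__main__":
    query = {"start": 1681300000, "end": 1681301000,
             "services": {"ssl"}, "directions": {"outbound"}}
    hits = carve(CONN_LOG, **query)
    print(hunt_record("Outbound TLS from workstations outside normal hours",
                      query, hits))
```

The same call without the scanner exclusion returns six records in the window instead of two; removing the scanners first is what keeps the entity view honest, and keeping the final `query` dict in the hunt record is what lets the next analyst rerun it or turn it into a detection.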
SYN
Visibility Gaps
Visibility you think you have?

• BAS - Breach & Attack Sim
• Cyber Range
• Pentests
• Red Team
• Purple Team

• Great opportunity - improve detections
• Improve visibility gaps
• Remove or validate assumptions
SYN
Cloud Posture Doesn’t Match On Premise
Cloud! so all good

[Diagram: existing cloud, port 443]
SYN
Too Regulated
Repent of Your SYN’s

● Operational Blindness
● Lack of People/Time
● No Data
● Poor Performing SIEM
● Attackers Know ENV Better Than Defenders
● Poor Documentation
● Visibility Gaps
● Cloud Posture Doesn’t Match On Premise
● Too Regulated
Side Benefits

• Improve your knowledge and your org’s
• Find holes or incorrect assumptions
• Better security posture
• Sometimes find the baddies
  • Dwell time
• You will find/learn something
Q&A

Ashley ‘AJ’ Nurcombe


Senior Cyber Security Consultant
Questions?
Thank you for attending this webinar!
Please visit the “Attachments” tab. There you’ll find supporting assets and speaker’s LinkedIn information.
Please take a moment to leave your feedback & comments in the “Rate This” tab.
Stay Connected! Update your email preferences to receive news about upcoming (ISC)² webinars, publications & more!