Defining Threat Modeling and Threat Hunting

  • Questions

    • What would an attack look like?

    • What is the risk of losing confidentiality, integrity, or availability?

    • How likely is a specific threat?

    • What defenses do we have?

    • What is missing?

  • Adversary Capabilities: Develop and execute attacks

    • From MITRE:

      • Acquired

      • Augmented

      • Developed

      • Advanced

      • Integrated

  • Total Attack Surface: What you own and can be attacked

    • Corporate network

    • Cloud

    • Online Presence

    • Internal Apps

    • Building and People

  • Attack vector: how the attack is delivered

    • According to MITRE

      • Cyber

        • IT systems

        • Social media

        • Email

        • USB drives

        • Open ports

      • Physical

        • Doors

        • Locks

        • Access Cards

        • Surveillance

      • Human

        • Impersonation

        • Phishing

        • Coercion

        • Blackmail

  • Likelihood – How likely is the attack to happen?

    • Real threat or just a probable one?

    • Happened to us before? Happened to anyone else before?

    • Just an educated guess

  • Final Threat Modeling Questions

    • What’s the motivation behind an attack?

    • How do other companies defend themselves?

    • How frequent are attacks in your industry?
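
The questions above (what can be attacked, how, how likely, what defenses exist, what is missing) are easier to act on when written down as a small model and scored. The following Python is an added example, not part of the notes, that turns the outline's attack-surface categories and vector groups into a table of threats, scores each by likelihood times worst-case CIA impact, lists the controls still missing, and reports which parts of the attack surface have no threat written down yet. The threat names, control names and numeric weights are hypothetical values chosen for illustration.

```python
from dataclasses import dataclass

# Likelihood bands echo the notes' "real threat or just a probable one?" and
# "happened to us before?" questions; the numeric weights are this example's assumption.
LIKELIHOOD = {"educated-guess": 1, "seen-elsewhere": 2, "happened-to-us": 3}

# Attack surface categories taken from the notes.
SURFACES = ("corporate network", "cloud", "online presence", "internal apps", "building and people")


@dataclass
class Threat:
    name: str
    surface: str            # which part of the attack surface is hit
    vector: str             # cyber / physical / human, as in the MITRE grouping above
    likelihood: str         # key into LIKELIHOOD
    impact: dict            # loss of "C", "I", "A", each rated 0 (none) to 3 (severe)
    needs: frozenset        # controls that would mitigate this threat


def risk_score(t: Threat) -> int:
    """Likelihood weight times the worst single CIA impact; larger means fix first."""
    worst = max(t.impact.get(axis, 0) for axis in ("C", "I", "A"))
    return LIKELIHOOD[t.likelihood] * worst


def missing_controls(t: Threat, deployed) -> list:
    """Answers 'what defenses do we have, and what is missing?' for one threat."""
    return sorted(t.needs - frozenset(deployed))


def prioritise(threats, deployed) -> list:
    """(score, name, missing controls) for every threat, highest risk first."""
    rows = [(risk_score(t), t.name, missing_controls(t, deployed)) for t in threats]
    return sorted(rows, key=lambda r: (-r[0], r[1]))


def unmodelled_surfaces(threats, surfaces=SURFACES) -> list:
    """Parts of the attack surface no threat has been written down for yet."""
    covered = {t.surface for t in threats}
    return [s for s in surfaces if s not in covered]


# Constructed sample model for a small company; hypothetical values, not from the notes.
SAMPLE_THREATS = [
    Threat("phishing", "building and people", "human", "happened-to-us",
           {"C": 3, "I": 2, "A": 1}, frozenset({"mfa", "mail-filtering", "awareness-training"})),
    Threat("usb drop", "corporate network", "cyber", "seen-elsewhere",
           {"I": 3}, frozenset({"usb-control", "edr"})),
    Threat("tailgating", "building and people", "physical", "educated-guess",
           {"C": 2}, frozenset({"access-cards", "reception-staff"})),
]
DEPLOYED = {"mfa", "edr", "access-cards"}

if __name__ == "__main__":
    for score, name, missing in prioritise(SAMPLE_THREATS, DEPLOYED):
        print(f"{score:>2}  {name:<12} missing: {', '.join(missing) or 'nothing'}")
    print("no threats modelled for:", unmodelled_surfaces(SAMPLE_THREATS))
```

The score is deliberately coarse: its purpose is ordering, not precision, and the `unmodelled_surfaces` output is usually the more useful answer to "what is missing?", because a surface nobody has written a threat for has no defenses planned either.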

  • Cyber Threat Hunting

    • According to Infosec Institute: “Cyber threat hunting is very similar to real-world hunting: it requires skill, patience, creativity, and a keen eye for spotting the prey”.

    • Be proactive

    • Act before you have proof

    • Don’t wait for a breach

    • This is not incident response

  • Threat hunting methodology

    • Start from scratch

    • Establish a hypothesis

    • Look for threat actors

    • Look for IoCs
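
The methodology above (hypothesis first, then search for actors and indicators) is shown below as an added Python example that is not part of the notes. It runs two hunts over a constructed authentication log: a plain indicator match against a hypothetical list of known-bad source addresses, and a hypothesis-driven check for a user who succeeded shortly after a burst of failures from the same source. The log format, the addresses (documentation ranges) and the indicator list are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One auth-log line per event; the format and the values are constructed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

SAMPLE_LOG = """\
2024-05-01T08:00:01Z auth user=alice src=10.0.0.5 result=success
2024-05-01T08:02:10Z auth user=bob src=198.51.100.23 result=failure
2024-05-01T08:02:12Z auth user=bob src=198.51.100.23 result=failure
2024-05-01T08:02:15Z auth user=bob src=198.51.100.23 result=failure
2024-05-01T08:02:20Z auth user=bob src=198.51.100.23 result=success
2024-05-01T09:15:00Z auth user=carol src=203.0.113.9 result=success
2024-05-01T09:20:00Z auth user=dave src=10.0.0.7 result=failure
"""

# Hypothetical indicator list, as a threat-intel feed might supply; constructed values.
IOC_IPS = {"203.0.113.9"}


def parse_log(text):
    """Turn raw lines into event dicts; lines that do not match are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def hunt_iocs(events, ioc_ips):
    """Step 'look for IoCs': any authentication from a known-bad source address."""
    return [(e["user"], e["src"]) for e in events if e["src"] in ioc_ips]


def hunt_failures_then_success(events, min_failures=3, window=timedelta(minutes=5)):
    """Hypothesis: password guessing that eventually worked shows up as several
    failures from one source followed by a success for the same user."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_key[(e["user"], e["src"])].append(e)
    hits = []
    for (user, src), evs in by_key.items():
        failures = []
        for e in evs:
            if e["result"] == "failure":
                failures.append(e["ts"])
            elif e["result"] == "success":
                recent = [t for t in failures if e["ts"] - t <= window]
                if len(recent) >= min_failures:
                    hits.append((user, src, len(recent)))
                failures = []     # a success closes the current burst
    return hits


def run_hunt(text, ioc_ips):
    """Run both hunts; the result is a lead list for an analyst, not a verdict."""
    events = parse_log(text)
    return {
        "ioc_hits": hunt_iocs(events, ioc_ips),
        "guess_then_success": hunt_failures_then_success(events),
    }


if __name__ == "__main__":
    for name, hits in run_hunt(SAMPLE_LOG, IOC_IPS).items():
        print(name, hits)
```

The two hunts illustrate the distinction the notes draw: the IoC match only finds what someone else has already seen, while the hypothesis check can surface activity with no prior indicator, which is why a hunt starts from a hypothesis rather than from an alert.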

  • Justifying Threat Hunting

    • Have you been compromised?

    • Discovers new attack surface

    • Improves threat detection

    • Provides security intelligence

    • Identifies critical assets
