A Hunter's Handbook.

Look, TL;DR: adversaries are smarter, more populous, and better resourced than we are for their goals.


Traditional, lower-maturity Threat Hunting is usually just dumping IOCs into an XDR & saying "all good". That isn't hunting; if anything it's a branch of Incident Response.

Threat Hunting should be viewed as behaviour analysis rather than a ticket-triaging exercise.

To put this in context as to why, there are two simple explanations I can provide:

  1. Pyramid of Pain
  2. Actors are the same as Blue Teamers

So, the Pyramid of Pain, very simple: developing a new TTP is significantly harder for an actor than changing a hash value. In this regard, hashes are low value and TTPs are extremely high value in hunting.

Actors are the same as Blue Teamers? By this, I mean that junior actors become senior actors, who become APTs, just as junior SOC analysts become senior analysts, who become leads.

The main point here is that, regardless of who operates the tools, the way the tools are operated persists, just as the behaviour exemplified by actors persists across campaigns.

Tracking these persistent behaviours is where advanced attribution can assist us.

If we know who to track, then we know how to track. Additionally, if we have an extract of the actor's activity, we can attribute it & discover the wider behaviour & chain.
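To make the Pyramid of Pain point and the "behaviour persists across campaigns" point concrete, here is an added example (not from the original post) that runs a hash-based hunt and a behaviour-based hunt over the same constructed process telemetry. The hostnames, file paths, the `fake_hash` stand-in and the Office-spawns-from-temp rule are all assumptions constructed for the example; the page carries no real IoCs.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record, as an EDR/XDR would log it (constructed)."""
    host: str
    parent_image: str
    image: str
    sha256: str  # hash of the file that was launched


def fake_hash(label: str) -> str:
    """Constructed stand-in for a file hash; this page carries no real IoCs."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed telemetry. host-a and host-b show the same behaviour (a document
# application launching a binary dropped in the user's temp folder); on host-b the
# tool was rebuilt and renamed, so its hash differs. host-c is ordinary activity.
EVENTS = [
    ProcessEvent("host-a", r"C:\Program Files\Microsoft Office\winword.exe",
                 r"C:\Users\u1\AppData\Local\Temp\update.exe", fake_hash("tool-build-1")),
    ProcessEvent("host-b", r"C:\Program Files\Microsoft Office\winword.exe",
                 r"C:\Users\u2\AppData\Local\Temp\svc.exe", fake_hash("tool-build-2")),
    ProcessEvent("host-c", r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Vendor\app.exe", fake_hash("vendor-app")),
]

# The only indicator shared after the first incident: one hash (bottom of the pyramid).
IOC_HASHES = {fake_hash("tool-build-1")}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def hunt_by_hash(events, ioc_hashes):
    """IOC-style hunt: flags only what has already been seen byte-for-byte."""
    return {e.host for e in events if e.sha256 in ioc_hashes}


def hunt_by_behaviour(events):
    """TTP-style hunt: an Office process launching a binary from a user temp directory."""
    return {e.host for e in events
            if basename(e.parent_image) in OFFICE_APPS
            and "\\appdata\\local\\temp\\" in e.image.lower()}


if __name__ == "__main__":
    print("hash hunt:     ", sorted(hunt_by_hash(EVENTS, IOC_HASHES)))  # ['host-a']
    print("behaviour hunt:", sorted(hunt_by_behaviour(EVENTS)))         # ['host-a', 'host-b']
```

The hash hunt only finds the host where the already-known build ran; the behaviour hunt finds both hosts because the TTP, not the file, is what persisted between them.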