Undertake cyber threat hunting assignments
Overview
This standard is about undertaking cyber threat hunting assignments.
Cyber threat hunting is a complementary approach to cyber threat detection. Whilst threat detection identifies an incoming or ongoing attack and then prevents or remediates it, threat hunting involves proactively searching for unknown vulnerabilities and undetected attacks within an organisation's digital environment. Cyber threat hunters need to know how to develop and test hypotheses about potential new and sophisticated threats to the organisation that can evade automated cyber security controls.
Cyber threat hunting includes gathering cyber threat intelligence, identifying known attack techniques and developing and testing hypotheses about potential new threats by analysing data from sources inside and outside of the organisation. This improves the security posture and resilience of the organisation and provides more comprehensive protection against sophisticated cyber threats. It also includes analysing, exploring, and reporting findings on cyber security threats discovered.
This standard is for those who need to undertake cyber threat hunting assignments as part of their duties.
Performance criteria
You must be able to:
- Define threat hunting requirements to narrow the scope of detections
- Select and apply threat hunting methodologies to plan the threat hunting strategy in line with organisational procedures
- Respond to triggers from advanced detection tools that identify malicious activity to plan detailed investigation for advanced threats
- Develop hypotheses about potential risks to the organisation
- Identify data sources to contribute to proving or disproving the hypothesis
- Develop an approach for collecting and analysing that data
- Collect and analyse the data required to prove or disprove the hypothesis
- Validate whether the suspected threat is present in line with the hypothesis
- Perform an in-depth investigation to identify potential malicious compromise of a system
- Identify compromised systems to determine details about how the attack was performed and its impacts on the organisation
- Produce an account of how the attack was carried out, its objectives, and the impacts on the organisation and its systems to inform the remediation actions
- Determine what steps are necessary to respond to and mitigate identified threats
- Investigate dark web marketplaces to identify evidence of new threat intelligence to inform threat hunting
- Develop mitigation and countermeasure tools to remediate attacks and restore systems to normal operation
- Produce a threat hunt report to document and explain evidence detected of cyberattacks or new threats identified
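The hypothesis steps above (state a hypothesis, pick a data source, collect and analyse, validate) can be exercised on a small scale. The following is an added example and not part of the standard: a hunt over constructed SIEM-style logon events that tests the hypothesis "an account is being used from more distinct hosts than its own established baseline", using a per-entity baseline in the UEBA style the knowledge section refers to. All event data, user names and the 2x threshold are assumptions made up for the example.

```python
"""Hypothesis-driven hunt over constructed logon telemetry (example only)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample events: (user, source host, day). Not real telemetry.
# Days 1-3 form the baseline; day 4 is the hunt window.
BASELINE_EVENTS = [
    ("alice", "ws01", 1), ("alice", "ws01", 2), ("alice", "ws02", 3),
    ("bob", "ws05", 1), ("bob", "ws05", 2), ("bob", "ws05", 3),
    ("svc_backup", "srv01", 1), ("svc_backup", "srv02", 1),
    ("svc_backup", "srv01", 2), ("svc_backup", "srv03", 2),
    ("svc_backup", "srv02", 3), ("svc_backup", "srv03", 3),
]
HUNT_WINDOW_EVENTS = [
    ("alice", "ws01", 4), ("alice", "ws02", 4),
    ("bob", "ws05", 4), ("bob", "ws11", 4), ("bob", "ws12", 4), ("bob", "srv07", 4),
    ("svc_backup", "srv01", 4), ("svc_backup", "srv04", 4), ("svc_backup", "srv05", 4),
]

@dataclass
class Finding:
    user: str
    baseline_hosts_per_day: float
    observed_hosts: int
    new_hosts: list = field(default_factory=list)  # hosts never seen in the baseline

def distinct_hosts_per_day(events):
    """Per-user average number of distinct hosts per day: the entity baseline."""
    per_user_day = defaultdict(set)
    for user, host, day in events:
        per_user_day[(user, day)].add(host)
    counts = defaultdict(list)
    for (user, _day), hosts in per_user_day.items():
        counts[user].append(len(hosts))
    return {u: sum(c) / len(c) for u, c in counts.items()}

def hunt(baseline, window, ratio=2.0):
    """Validate the hypothesis: flag users whose distinct-host count in the
    (single-day) hunt window exceeds ratio x their own baseline. Returns the
    evidence needed for the hunt report; an empty list disproves the hypothesis."""
    base = distinct_hosts_per_day(baseline)
    known, seen = defaultdict(set), defaultdict(set)
    for user, host, _ in baseline:
        known[user].add(host)
    for user, host, _ in window:
        seen[user].add(host)
    findings = []
    for user, hosts in seen.items():
        expected = base.get(user, 1.0)  # unknown accounts get a conservative baseline
        if len(hosts) > ratio * expected:
            findings.append(Finding(user, expected, len(hosts), sorted(hosts - known[user])))
    return findings
```

Note that the service account touching three hosts is not flagged because its own baseline already averages two hosts a day, which is the reason a per-entity baseline matters more than a fixed threshold.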
Knowledge and Understanding
You need to know and understand:
- How to define a threat hunt assignment scope
- Industry standard and organisational frameworks used to plan threat hunting exercises
- The basic principles of threat hunting and its use to improve cyber resilience
- The benefits of threat hunting including detecting intrusions, identifying vulnerabilities, quantifying risks, improving defences and streamlining threat detection
- The industry standard types of threat hunting methodologies including adversary hunting, hypothesis-based hunting, indicators of attack and hybrid hunting
- The steps involved in researching Tactics, Techniques, and Procedures (TTPs) of known threat actors
- How to develop hypotheses to perform a threat hunt
- The approaches used for collecting and analysing threat hunting data and how to apply them
- The data sources used to collect and analyse hypothesis testing data
- The industry standard tools used to collect threat data including Security Information and Event Management (SIEM) and dark web monitoring solutions
- How to access high-quality data and threat intelligence
- The steps involved in collecting and processing threat intelligence data
- How to collect and analyse hypothesis testing data
- Industry standard specialised and custom-built threat hunting tools and how to apply them
- The types of tools used for threat hunting including threat intelligence sources, telemetry-based technologies, and automation solutions
- How to validate threats in line with the hypothesis
- The steps involved in remediating a verified attack
- How to access dark web marketplaces
- How to automate threat hunting including the use of artificial intelligence (AI) and user and entity behaviour analytics (UEBA)
- How to develop a detailed account of an attack
- How to develop mitigation and countermeasure tools
- How to document the results of threat hunting exercises