The terms blue team, defender and threat hunter are often used as synonyms, although depending on who you talk to you may get a different answer. Network administrators, who have always had a deep sense of ownership of their company networks, were the first threat hunters. A lone-wolf system administrator wears many hats, and although they may not know it, threat hunter may be one of them.
What tools and resources does she have as a hunter? Firewall logs, antivirus logs and syslog from Linux servers might be some of the places she can look for indicators of compromise. How would she know when to look? If a member of staff dobs themselves in and advises that they opened a suspicious email, it might be cause to start looking. But if malware is delivered by a watering-hole attack, or by a USB drive left in the car park, would you know to look?
If you learn about the intrusion via email, the file can be uploaded to VirusTotal for inspection. She can start looking through the antivirus logs to see if it was picked up, kick off an antivirus scan, go through the mail server logs to see who else received the email, and look at the proxy logs to see if any outbound connections occurred at the time of the intrusion. Is looking at firewall logs an option at this point? Probably not; it was just a piece of malware, she might say. APTs are only for governments, right?
If administrators were to perform the steps above for each suspected threat, it would take at least an hour per query. As a former Security Administrator, I've experienced this many times. At the time, I was focused on checking whether any other users had received the same email and then contacting them to see if they had opened it.
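The manual loop described above (find who else received the email, then check the proxy for outbound connections from those users in the minutes after delivery) is exactly the kind of query that can be scripted once and rerun for every report. The following is an added example, not code from the original post or from any product it mentions; the mail-server and proxy log layouts are constructed, simplified formats invented for the illustration, as are the users, sender and destinations.

```python
"""Correlate a reported phishing email across mail-server and proxy logs.

Constructed example: the log line formats, hosts and users below are
made up for illustration and do not match any specific product's output.
"""
import re
from datetime import datetime, timedelta

# Constructed mail-server log (hypothetical format): delivery time,
# envelope sender, recipient, subject.
MAIL_LOG = """\
2023-03-01T09:12:03 from=<billing@invoice-portal.test> to=<alice@corp.test> subject="Overdue invoice"
2023-03-01T09:12:04 from=<billing@invoice-portal.test> to=<bob@corp.test> subject="Overdue invoice"
2023-03-01T09:12:05 from=<billing@invoice-portal.test> to=<carol@corp.test> subject="Overdue invoice"
2023-03-01T09:15:00 from=<hr@corp.test> to=<bob@corp.test> subject="Payroll reminder"
"""

# Constructed proxy log (hypothetical format): time, user, destination, bytes out.
PROXY_LOG = """\
2023-03-01T09:13:10 alice updates.vendor.test 512
2023-03-01T09:14:30 alice 198.51.100.23 1820
2023-03-01T09:20:02 bob intranet.corp.test 300
2023-03-01T09:25:44 carol 198.51.100.23 1790
2023-03-01T11:40:00 alice news.example.test 900
2023-03-01T09:16:00 dave 198.51.100.23 2000
"""

MAIL_RE = re.compile(
    r'^(?P<ts>\S+) from=<(?P<sender>[^>]+)> to=<(?P<rcpt>[^>]+)> subject="(?P<subject>[^"]*)"$'
)
PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<dest>\S+) (?P<bytes>\d+)$")


def parse_mail_log(text):
    """Parse mail log lines into dicts; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = MAIL_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "sender": m["sender"],
                           "rcpt": m["rcpt"], "subject": m["subject"]})
    return events


def parse_proxy_log(text):
    """Parse proxy log lines into dicts; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
                           "dest": m["dest"], "bytes": int(m["bytes"])})
    return events


def find_recipients(mail_events, sender):
    """Map each recipient's username to the earliest delivery time of mail from `sender`."""
    deliveries = {}
    for ev in mail_events:
        if ev["sender"].lower() == sender.lower():
            user = ev["rcpt"].split("@")[0]
            deliveries[user] = min(ev["ts"], deliveries.get(user, ev["ts"]))
    return deliveries


def correlate(mail_events, proxy_events, sender, window=timedelta(minutes=30),
              trusted_suffixes=(".corp.test",)):
    """Return proxy connections made by recipients of the suspicious email
    within `window` after delivery, ignoring destinations in trusted domains."""
    deliveries = find_recipients(mail_events, sender)
    hits = []
    for ev in proxy_events:
        delivered = deliveries.get(ev["user"])
        if delivered is None:
            continue  # user never received the email
        if not (delivered <= ev["ts"] <= delivered + window):
            continue  # outside the post-delivery window
        if ev["dest"].endswith(trusted_suffixes):
            continue  # internal or otherwise trusted destination
        hits.append(ev)
    return hits


def shared_destinations(hits):
    """Destinations contacted by more than one recipient: the strongest lead
    for a payload download or command-and-control host."""
    by_dest = {}
    for h in hits:
        by_dest.setdefault(h["dest"], set()).add(h["user"])
    return {d: sorted(users) for d, users in by_dest.items() if len(users) > 1}


if __name__ == "__main__":
    mail = parse_mail_log(MAIL_LOG)
    proxy = parse_proxy_log(PROXY_LOG)
    sender = "billing@invoice-portal.test"
    print("recipients:", sorted(find_recipients(mail, sender)))
    hits = correlate(mail, proxy, sender)
    for h in hits:
        print(f"{h['ts'].isoformat()} {h['user']} -> {h['dest']} ({h['bytes']} bytes)")
    print("shared destinations:", shared_destinations(hits))
```

In the constructed data, alice and carol both reach 198.51.100.23 within half an hour of delivery, while bob's only connection is to an internal host and dave never received the email, so the script narrows an hour of log reading down to one destination worth blocking and one pair of endpoints worth examining. The time window and trusted-suffix list are the knobs a hunter would tune for their own environment.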
Nowadays, as a threat hunter, I don't wait for someone to tell me they've opened a suspicious email. Using an integrated toolkit that analyses packets and logs, in addition to an endpoint detection and response tool, I have more visibility than ever before. I create custom queries and carve through metadata for threats.
I’m notified about suspicious activity whether it’s a large exfiltration of data, command and control beaconing activity, or credential dumping on an endpoint. Threat hunting is not just obtaining as many logs from as many sources as possible and waiting for an automated alert to fire.
Threat hunting is about chasing a malicious threat actor down the rabbit hole and finding the smoking gun. With your current toolset, do you have the confidence to find the smoking gun, or can you not even see the smoke?