Threat Hunting – SY0-601 CompTIA Security+ : 1.7

If you can’t find the threat, then you can’t stop it. In this video, you’ll learn about intelligence fusion, big data analytics, and cybersecurity maneuvers.

<< Previous Video: Vulnerability Impacts Next: Vulnerability Scans >>



The attackers are constantly trying to find a way into your network to gain access to your data. This is a constant process that is coming from many different locations and many different attackers all simultaneously. This is also attacking different systems all at the same time. And the strategies that we use to protect against attacks today will be very different than the strategies that we need to follow tomorrow.

The attackers are constantly changing the approach they use with their attacks, and they’re modifying it based on what your reaction is. One of the problems we have in reacting to these attacks, of course, is that we can’t react until the attack occurs. This is a constant problem when you’re trying to prevent anyone from getting into the network and you can’t stop them until they try to break into the network. The goal then is to speed up this reaction time or perhaps prevent the attack from occurring before the attacker even arrives on your network.

One of the challenges we have when trying to identify these types of attacks is that there is a huge amount of data we have to sift through to even be able to understand if an attack is occurring. This is a massive amount of data coming from many different locations. And it’s nearly overwhelming to be able to understand the data that you’re receiving, be able to parse that data out, and then be able to make decisions on what you’re seeing.

These data sources are also very different. The information you would get from a server is very different than what you would receive from an IPS, and that’s also very different than the logs you might get from a firewall. You also have different team members in your organization that are looking at different types of data, and sometimes those teams need to talk together to be able to identify some of these threats. You have security operations, security intelligence, threat response teams, operations teams, security operations centers, and more people that are looking at data that can help identify these threats.

The key, then, is to take all of this data, put it into a massive database, and then use big data analytics. That’s going to allow us to correlate, identify, and pick out individual important pieces of data that can give us some insight into when attacks may be occurring. So let’s start with our raw data. We know that we’re collecting logs on almost all of the devices on our network. So we need that log data.

We also need information about the network itself and where data may be coming into and out of our network. There can certainly be events occurring elsewhere on the internet that may be of interest to us and might help us understand when an attack might be incoming. And then you have intrusion detection and other active monitoring tools that can give you metrics about what’s happening right now.

Add into this mix of raw data information about what’s happening in the rest of the world. You have threat feeds that are coming from third parties. Governmental agencies have information about alerts that you should be aware of. There are advisories and bulletins relating to software and vulnerabilities that you need to know about. And social media is constantly giving information about who’s being attacked and what they’re being attacked with.

This is all of the data that goes into this unstructured database that we can begin analyzing with big data. This is a mathematical process that allows us to begin performing predictive analysis. We can start understanding where potential problems may come from, even if an actual attack is not yet occurring. If we were the physical military, we would then start deploying the Army, Navy, Air Force, Marines, and Coast Guard to all parts of our network to help protect against it. But since we’re in the virtual world, and much of our virtual world is Cloud based, we can start deploying security technologies into these areas.

We can deploy additional firewalls, intrusion prevention, and scanning systems to understand what’s happening on the network right now. We can have the firewalls look for particular types of data flows to block. We can look for IP address ranges that we don’t want to have in our network at this particular time. And of course we can have these systems delete any software coming through that we feel may be malicious. Unlike a military that takes time to deploy, these systems are virtualized. We can deploy them instantly.

So the moment that our big data analytics decides that a particular type of threat is a concern, it can immediately deploy these pieces out to those parts of the network to prevent any of those threats from occurring. And since all of this is automated, it can identify those threats coming from many different places simultaneously, even if those threats are very different in scope. The process continues constantly with the collection of data, identification of potential threats, and deployment of systems that can protect our network against these attacks.