11 Responding to findings


This chapter covers

  • Concluding a threat-hunting expedition
  • Communicating the discoveries and with whom
  • Handing the findings over to other teams

So far in this book, we’ve had multiple successful threat-hunting expeditions, leading to interesting discoveries. This chapter describes the appropriate timing (when) and approach (how) for passing these findings to the incident-response team. Then it discusses engagement models for threat hunters, sharing examples from real-life hunting expeditions. The chapter focuses more on response than on threat-hunting activities.

To demonstrate, we’ll conduct a simple threat-hunting expedition with a new hypothesis emphasizing the postdiscovery phase of the hunt. During the expedition, we’ll discover other problems that are not directly connected to the hypothesis but are significant enough to report and resolve. Finally, we’ll record the details of the expedition in an incident case, which can serve as a critical artifact for recording our findings and handing the case to the incident-response team.

11.1 Hunting dangerous external exposures

It’s crucial not only to uncover threats but also to respond to them properly. Threat hunting is a proactive security practice that plays a key role in the overall incident-response process.

11.1.1 Scenario

11.1.2 Hypothesis

11.1.3 Searching for unexpected incoming connections

11.1.4 Searching internet scanner databases

11.1.5 Listing the local services

11.1.6 Asking for assistance

11.1.7 Incident case

11.1.8 Continuing the hunt

11.1.9 Understanding the compromise timeline

11.1.10 Handing the case to the incident-response team

11.2 Exercises

11.3 Answers to exercises

Summary