4 Threat intelligence for threat hunting


This chapter covers

  • The threat hunter–threat analyst relationship
  • Collecting, processing, and distributing threat-intelligence information
  • Threat-hunting based on threat-intelligence information
  • Working with multiple data sources during a threat hunt
  • Documenting and sharing new tactics, techniques, and procedures
  • Working under pressure

In chapter 3, we conducted a threat-hunting expedition based on the red team’s findings. In this chapter, we have the opportunity to work with the threat-intelligence and vulnerability management teams.

We start the chapter with a scenario in which we receive a threat-intelligence report that triggers the threat-hunting process. We will review the structure and content of a threat-intelligence report and understand what is expected of the threat hunter.

Next, we research the environment to understand the hunting landscape. We work with two data sources: web server access logs and public cloud firewall logs. We get the opportunity to understand the capabilities and limitations of these data sources and how they might affect our hunting expedition. During the hunting expedition, we continuously communicate with other teams, especially system administration and the threat-intelligence team.

4.1 Preparing for the hunt: Hunting for web shells

4.1.1 Scenario

4.1.2 Threat intelligence report

4.1.3 Research work

4.2 The hunting expedition

4.2.1 Searching for malicious uploads

4.2.2 Digging more into the web requests

4.2.3 Tracking with firewall logs

4.2.4 Addressing consequences

4.3 The threat-hunting process

4.3.1 Preparation

4.3.2 Execution

4.3.3 Communication

4.4 Exercises

4.5 Answers to exercises

Summary