Mandiant Threat Hunting Course
In August I joined Benchling’s Detection and Response team again, this time as a full-timer instead of just an intern :’). Reflecting on the past few months, I feel so humbled and grateful to have been given this opportunity. I feel very supported in my learning and growth, my team is energetic and playful, and I feel a solid sense of pride in working for a company whose product serves real good in the world. It’s been hard too, though: adjusting to unstructured work, understanding what coworker relationships mean, and realizing that despite four years of expensive schooling and grind, I still have a significant knowledge and skill gap to close.
My manager enrolled me in Mandiant’s 4-day Practical Threat Hunting Course to aid in this. It focused on the core concepts behind developing and executing threat hunts with a repeatable methodology: applying CTI to create hunt hypotheses, analyzing endpoint data, and measuring the effectiveness of a hunt program.
Mandiant organized their approach to threat hunting in the “A4 Framework”: Assess -> Acquire -> Analyze -> Action. In the Assess phase, you gather information from lessons learned, CTI, awareness of baseline activity, threat modeling outcomes, and frameworks like MITRE’s ATT&CK to develop a specific hypothesis with defined target criteria about what we’re hunting for, where we’ll look, and why the hunt is necessary. In the Acquire phase, you identify searchables and build out queries to aggregate and validate target data. Searching for tactical and operational intel like hashes and IPs is easier, but these attributes are also easier for an attacker to change; searching for behaviors like tools and TTPs should be the goal, since those are much harder for an attacker to hide or change. In the Analyze phase, you validate that the matches you found are true positives and draw conclusions, making sure to differentiate facts (what, when, where, how) from judgements (who, why) and to ascribe confidence levels to the analysis. Finally, in the Action phase, you finalize a threat summary complete with a technical assessment, impact analysis, strategic outlooks and recommendations, gaps in intel and collections, and ideas for future hunts and detections. I learned a lot about how to scope a good hunt hypothesis, how to look for attacker behaviors beyond just IoCs (which is great for writing strong detections too!), and how to effectively communicate the purpose, process, and outcome of a hunt mission.
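To make the Acquire-phase point concrete, here is an added example (my own illustration, not material from the Mandiant course or from Benchling) of the same hunt run two ways over a handful of constructed endpoint process-creation events: once as an IoC query keyed on a file hash and a C2 address, and once as a behavioral query keyed on the parent/child relationship and command-line shape. The hosts, hashes, IPs, process names and command lines are all made up; the behavior rule is a generic “Office application spawns a hidden, encoded PowerShell” pattern (which maps to ATT&CK T1059.001), not a description of any specific actor.

```python
"""
Added example: IoC-based vs behavior-based hunt queries over constructed
endpoint telemetry. Nothing here is real intel; every host, hash, IP and
command line below is invented for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent: str          # image name of the parent process
    image: str           # image name of the created process
    cmdline: str
    sha256: str
    dst_ip: Optional[str]  # first outbound connection made by the process, if any

# Constructed sample telemetry. host-a is the incident the intel came from.
# On host-b the same tradecraft was reused, but the attacker rebuilt the
# loader (new hash), renamed it, and moved C2 to a new address.
# host-c is an admin running an interactive PowerShell from Explorer.
EVENTS = [
    ProcEvent("host-a", "WINWORD.EXE", "powershell.exe",
              "powershell -nop -w hidden -enc SQBFAFgA...", "aaaa" * 16, "203.0.113.10"),
    ProcEvent("host-a", "powershell.exe", "loader.exe", "loader.exe",
              "bbbb" * 16, "203.0.113.10"),
    ProcEvent("host-b", "EXCEL.EXE", "pwsh.exe",
              "pwsh -NoProfile -WindowStyle Hidden -EncodedCommand SQBFAFgA...",
              "cccc" * 16, "198.51.100.7"),
    ProcEvent("host-b", "pwsh.exe", "svchost_update.exe", "svchost_update.exe",
              "dddd" * 16, "198.51.100.7"),
    ProcEvent("host-c", "explorer.exe", "powershell.exe", "powershell.exe",
              "eeee" * 16, None),
]

# Tactical/operational intel from the host-a incident (constructed values).
# Cheap for the attacker to change: recompile the loader, rotate the C2 IP.
IOC_HASHES = {"bbbb" * 16}
IOC_IPS = {"203.0.113.10"}

def hunt_iocs(events):
    """Hosts with at least one event matching a known-bad hash or C2 address."""
    return {e.host for e in events
            if e.sha256 in IOC_HASHES or e.dst_ip in IOC_IPS}

# Behavioral hunt: an Office app spawning a shell that runs hidden with an
# encoded command. PowerShell accepts abbreviated parameter names, so the
# patterns cover -e/-ec/-en/-enc/-EncodedCommand and -w/-WindowStyle.
OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
ENCODED_RE = re.compile(r"(^|\s)-(e|ec|en|enc|encodedcommand)\b", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-w(indowstyle)?\s+hidden", re.IGNORECASE)

def is_office_spawned_hidden_encoded_shell(e: ProcEvent) -> bool:
    return (e.parent.upper() in OFFICE_APPS
            and e.image.lower() in SHELLS
            and ENCODED_RE.search(e.cmdline) is not None
            and HIDDEN_RE.search(e.cmdline) is not None)

def hunt_behavior(events):
    """Hosts with at least one event matching the behavioral hypothesis."""
    return {e.host for e in events if is_office_spawned_hidden_encoded_shell(e)}

def hunt_summary(events):
    """What each query found, and what the IoC-only query would have missed.
    These are facts (what/where); attribution of host-b to the same actor as
    host-a is a judgement that needs a stated confidence level."""
    ioc_hits = hunt_iocs(events)
    behavior_hits = hunt_behavior(events)
    return {
        "ioc_hits": sorted(ioc_hits),
        "behavior_hits": sorted(behavior_hits),
        "missed_by_iocs": sorted(behavior_hits - ioc_hits),
    }

if __name__ == "__main__":
    for k, v in hunt_summary(EVENTS).items():
        print(f"{k}: {v}")
```

Run as a script, the IoC query returns only host-a, while the behavioral query returns host-a and host-b and leaves the admin on host-c alone. The hash and IP that identified the first compromise were gone by the second one; the parent/child relationship and the command-line shape were not. A behavioral hit is still only a lead, though: the Analyze step is to confirm it is a true positive before any of it becomes a finding.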
It was overall a great course! I realized how much I miss having dedicated time to learning, and I can’t wait to take another course hopefully soon :)
