Gain Top-Notch Cyber Skills. Register for SANS Chicago 2017. Save $400 thru June 28.

Reading Room

SANS eNewsletters

Receive the latest security threats, vulnerabilities, and news with expert commentary

Threat Hunting

Featuring 8 Papers as of May 1, 2017

  • The Hunter Strikes Back: The SANS 2017 Threat Hunting Survey Analyst Paper
    by Rob Lee and Robert M. Lee - April 25, 2017 

    Threat hunting is a focused and iterative approach to searching out, identifying and understanding adversaries that have entered the defender’s networks. Results just in from our new SANS 2017 Threat Hunting Survey show that, for many organizations, hunting is still new and poorly defined from a process and organizational viewpoint.


  • Hunting Threats Inside Packet Captures by Muhammad Elharmeel - April 25, 2017 

    Inspection of packet captures -PCAP- for signs of intrusions, is a typical everyday task for security analysts and an essential skill analysts should develop. Malwares have many ways to hide their activities on the system level (i.e. Rootkits), but at the end, they must leave a visible trace on the network level, regardless if it's obfuscated or encrypted. This paper guides the reader through a structured way to analyze a PCAP trace, dissect it using Bro Network Security Monitor (Bro) to facilitate active threat hunting in an efficient time to detect possible intrusions.


  • The Importance of Business Information in Cyber Threat Intelligence (CTI), the information required and how to collect it by Deepak Bellani - April 20, 2017 

    Today most threat feeds are comprised of IOCs with each feed providing 1-10M IOCs per year. As the CTI platform adds more feeds , the ability to filter and prioritize threat information becomes a necessity. It is well known that the SOC, Incident Response, Risk and Compliance groups are the primary consumers of CTI. Generating CTI prioritized in order of relevance and importance is useful to help focus the efforts of these high-performance groups. Relevance and importance can be determined using business and technical context. Business context is organizational knowledge i.e. its processes, roles and responsibilities, underlying infrastructure and controls. Technical context is the footprint of malicious activity within the organization's networks, such as phishing activity, malware, and internal IOCs. In this paper, we will examine how business and technical information is used to filter and prioritize threat information.


  • Taking Action Against the Insider Threat Analyst Paper
    by Eric Cole, PhD - October 5, 2016 

    Most organizations tend to focus on external threats, but insider threats are increasingly taking center stage. Insider threats come not only from the malicious insider, but also from infiltrators and unintentional insiders as well. Why are insider threats so common and why do they have such a significant impact? What is the difference between the different types of insider threats and the degree of risk they can constitute?


  • Threat Intelligence: What It Is, and How to Use It Effectively Analyst Paper
    by Matt Bromiley - September 19, 2016 

    In today’s cyber landscape, decision makers constantly question the value of their security investments, asking whether each dollar is helping secure the business. Meanwhile, cyber attackers are growing smarter and more capable every day. Today’s security teams often nd themselves falling behind, left to analyze artifacts from the past to try to determine the future. As organizations work to bridge this gap, threat intelligence (TI) is growing in popularity, usefulness and applicability.


  • Automated Analysis of “abuse” mailbox for employees with the help of Malzoo by Niels Heijmans - August 23, 2016 

    For most companies, e-mail is still the main form of communication, both internally and with customers. Unfortunately, e-mail is also used heavily by cyber criminals in the form of spam, phishing, spear-phishing, fraud or to deliver malicious software. Employees receive these kinds of messages on a daily basis, even though strict security measures are implemented. Sometimes an employee will fall for the scam but often they will know when it is a false e-mail, especially after good awareness programs. Instead of letting them delete the e-mail, let them share it with you to learn and see what is coming through your security measures or what employees see as "fishy". But what should you do with the e-mails that are forwarded to this special "abuse" mailbox? Malzoo can be used to analyze this mailbox by picking up the e-mails, parsing them and sharing the results with the CERT team. By using the collected data, you can find new spam runs, update spam filters, receive new malware and learn in what parts of the company awareness is highest (and lowest). This paper explains the benefits and drawbacks of letting employees have a central point to report suspicious e-mail and how Malzoo can be used to automate the analysis.


  • Generating Hypotheses for Successful Threat Hunting by Robert M. Lee and David Bianco - August 15, 2016 

    Threat hunting is a proactive and iterative approach to detecting threats. Although threat hunters should rely heavily on automation and machine assistance, the process itself cannot be fully automated. One of the human’s key contributions to a hunt is the formulation of a hypotheses to guide the hunt. This paper explores three types of hypotheses and outlines how and when to formulate each of them.


  • The Who, What, Where, When, Why and How of Effective Threat Hunting Analyst Paper
    by Robert M. Lee and Rob Lee - March 1, 2016 

    The chances are very high that hidden threats are already in your organization’s networks. Organizations can’t afford to believe that their security measures are perfect and impenetrable, no matter how thorough their security precautions might be. Having a perimeter and defending it are not enough because the perimeter has faded away as new technologies and interconnected devices have emerged. Prevention systems alone are insufficient to counter focused human adversaries who know how to get around most security and monitoring tools by, for example, making their attacks look like normal activity.


Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.

All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.