Threat actors are continuously evolving and adapting their tactics and techniques to bypass security tools, and as threat hunters and incident responders we need to evolve fast. From the latest big events of the year, the SolarWinds supply chain attack and Proxylogon vulnerability exploitation by the Hafnium threat actor, we can learn how threat hunting can save organizations from a bigger breach.

In the past few years, we investigated a large number of activities from commodity malware to complex APT operations. One of the challenging things in those investigations is finding anomalies in an enterprise network and knowing how to differentiate between legitimate use of tools and abuse of legitimate tools for malicious activities.

Threat hunters proactively analyse process execution telemetry data to determine if an organization is coming under attack on an ongoing basis. Newly discovered techniques and behavioural patterns should be integrated into your security tools to enhance and enrich its automated detection capabilities if possible. In some cases, some techniques (such as living off the land binaries, a.k.a. Lolbins) will demand real eyes looking into the activity since they can create more noise than value.

In this session, we will describe our timeline from hour 0 of the SolarWinds supply chain attack and Hafnium exploiting the ProxyLogon vulnerability, and actions to identify the compromise in the first hours. You'll learn by example how to perform threat hunting using your security tools and why you should start doing it today using your telemetry data. We will share the methodologies we follow as threat hunters and incident response professionals and demonstrate the power of hunting.

Threat hunting is a very broad and dynamic subject and seeing our examples we hope to make it more accessible.

The goal of this talk is to empower security analysts to be able to threat hunt and share some easy methods, to begin with. Happy hunting!