*Update: this was also released, in a shorter, modified version, at this blog here*
Cyber threat hunting is a critical component of ensuring that comprehensive defense and response measures are in place, because it takes a proactive approach to detecting threats. While threat hunting itself is not a new concept, the way it is executed is constantly evolving. The current incarnation of threat hunting is enabled by the fact that handling big data has become more feasible, along with the advent of advanced statistical analysis and machine learning.
Many frameworks and methodologies have been created around modern cyber threat hunting. Some of these implementations are specialized for specific environments, circumstances, or data sources, while others are more generic and applicable across any situation. The one thing the majority of these methodologies have in common, however, is that they all leverage or reference an attacker lifecycle in some way.
There are many considerations and components which should be accounted for while preparing to execute a hunting mission, but a few of those include the following: