Baselines are an essential part of effective cybersecurity. They provide a snapshot of normal activity within your network, which enables you to easily identify abnormal or suspicious behavior.

The PEAK Threat Hunting Framework identifies three types of hunts. Baseline hunting is a proactive approach to threat detection that involves setting up a baseline of normal activity, monitoring that baseline for deviations, and investigating any suspicious activity. In this article, let's take an in-depth look at baseline hunts, also known as Exploratory Data Analysis (EDA) hunts.

(This article is part of our PEAK Threat Hunting Framework series. Explore the framework to unlock happy hunting!)

Baselining can help you familiarize yourself with new datasets or environments where you've never hunted before. It serves as an excellent precursor to more focused hypothesis-based or model-assisted threat hunting. Before planning and scoping future hunts, it's important to understand the available data sources, their fields, and values. After all, the "K" in PEAK stands for Knowledge!

You can run a baseline hunt at any time, and some situations naturally lend themselves to this type of hunt. For example, when you onboard a new type of security log, baselining that data source will be very helpful to you while you're trying to figure out how best to use it for detection and response operations. Another prime baselining opportunity would be when you start hunting in a new environment, such as when you acquire a new company or onboard a new managed security customer. Figuring out what normal activity looks like is a necessary first step in planning any type of monitoring or writing response playbooks.

How to Perform a Baseline Hunt

As with all PEAK hunts, baseline hunts are divided into three major phases: Prepare, Execute, and Act. Let's examine each of these phases in detail.

The PEAK Baseline Hunting Process

All hunts start with the "Prepare" phase. This is where you do all the things necessary to get ready and to ensure a successful hunt. Let's see what this looks like for a baseline hunt.

The first step is to decide which data source you'd like to baseline. If you're starting from square one, you should make an effort to baseline all of your critical data sources. Start with the ones your hunt team relies on most, or maybe with the most security-relevant sources. If you're not sure where to start, prioritize data sources according to their significance to your organization and its detection goals.

Once you've determined which data source you're going to focus on, you'll want to become as familiar with it as possible. If this is a common log source that many organizations deal with, such as a Windows event log or events from a common security product, a good starting point might be to find out what the vendor has to say about what's in the data. Identify the key fields and how to interpret their values. Maybe find some specific situations to look out for based on others' experiences with that type of data.
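As an added illustration of the Prepare-phase work described above (profiling a data source's fields and values, then watching the baseline for deviations), here is a small Python sketch; it is not code from the PEAK article or from Splunk. The logon-style records and their field names are constructed assumptions, not any vendor's schema.

```python
from collections import Counter, defaultdict

# Constructed sample records standing in for a logon-event data source (assumed fields).
BASELINE = [
    {"user": "alice", "src_host": "ws-01", "logon_type": "2", "hour": 9},
    {"user": "alice", "src_host": "ws-01", "logon_type": "2", "hour": 10},
    {"user": "bob", "src_host": "ws-02", "logon_type": "2", "hour": 8},
    {"user": "bob", "src_host": "ws-02", "logon_type": "10", "hour": 14},
    {"user": "svc-backup", "src_host": "srv-01", "logon_type": "5", "hour": 2},
    {"user": "alice", "src_host": "ws-01", "logon_type": "2", "hour": 11},
]

# A later window of constructed records to compare against the baseline.
WINDOW = [
    {"user": "alice", "src_host": "ws-01", "logon_type": "2", "hour": 9},
    {"user": "bob", "src_host": "ws-09", "logon_type": "10", "hour": 3},
    {"user": "svc-backup", "src_host": "srv-01", "logon_type": "5", "hour": 2},
    {"user": "alice", "src_host": "ws-01", "logon_type": "10", "hour": 9},
]


def profile_fields(events):
    """Per-field value counts: the EDA view of what the data source contains."""
    profile = defaultdict(Counter)
    for ev in events:
        for field, value in ev.items():
            profile[field][value] += 1
    return profile


def summarize(profile):
    """Field -> (number of distinct values, most common value) for a quick read."""
    return {f: (len(c), c.most_common(1)[0][0]) for f, c in profile.items()}


def find_deviations(baseline_events, window_events, fields):
    """Flag values never seen in the baseline, or never seen for that user."""
    seen = profile_fields(baseline_events)
    seen_pairs = {(ev["user"], f, ev[f]) for ev in baseline_events for f in fields}
    findings = []
    for ev in window_events:
        for f in fields:
            if ev[f] not in seen[f]:
                findings.append(("new_value", f, ev[f], ev["user"]))
            elif (ev["user"], f, ev[f]) not in seen_pairs:
                findings.append(("new_for_user", f, ev[f], ev["user"]))
    return findings


if __name__ == "__main__":
    for field, (n, top) in summarize(profile_fields(BASELINE)).items():
        print(f"{field}: {n} distinct values, most common={top!r}")
    for finding in find_deviations(BASELINE, WINDOW, ["src_host", "logon_type", "hour"]):
        print(finding)
```

Each finding is a lead to investigate against the baseline, not a verdict; in a real hunt the baseline period would be long enough to cover normal weekly and maintenance cycles.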