Threat Hunting - Introduction
Threat hunting is a human-centric process of proactively searching through data to discover cyber threats that existing controls have not detected.
Hunter:
Offensive-based strategy | Think like an attacker | Understand cyber threats & the kill chain | Know the network architecture | Data analysis
Business goals:
Reducing dwell time and minimizing residual risk by stopping adversaries before they complete their objectives.
The technical goals of threat hunting are:
- Detecting threats that no automated technology detects
- Detecting the adversary before the objective is achieved, rather than only at the point of code execution
- Detecting advanced attacks that are evading security controls
- Detecting TTPs instead of IoCs, and
- Detecting malicious behaviour more quickly and more frequently.
Framework/Model for Hunters:
- MITRE ATT&CK - Tactics, Techniques & Procedures (TTPs) - helps map adversary behaviour and candidate IoCs along the path entry point > pivot > objective
- Pyramid of Pain
- Cyber Kill Chain
- Diamond Model (can be linked to MITRE ATT&CK and the Kill Chain to perform defensive gap analysis)
Threat Hunt Mindset
Threat Intelligence (known / indicator-based detection) - Strategic | Tactical | Operational
As a hunter, the tactical (What | When) and operational (How) levels are what drive a known-bad hunt:
- Tactical (What | When) > where TTPs, the Kill Chain and the Diamond Model are used to identify the adversary's pattern of attack, also known as its signature.
- Tactical answers "what they do"; Operational answers "how the adversary does it"
Digital Forensics (technique / anomaly-based / unknown) - Network | Host | Memory forensics and analysis
The hunter still uses TI, but goes one step beyond matching IoCs: human-driven detection of anomalies in the data.
- Attack-based hunting | Did … this happen in my network?
- Analytics-based hunting | Does anything in … the data look malicious?
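An added example of the analytics-based side ("does anything in the data look malicious?"); this is not code from the original post. It runs two common hunting analytics over constructed process-creation and network-connection events: stacking (long-tail analysis) of parent/child process pairs across hosts, and a low-jitter beacon check on outbound connections. All hostnames, process names, IP addresses (documentation ranges) and timestamps are constructed placeholders, not real indicators.

```python
"""Analytics-based hunting over constructed telemetry (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed process-creation events: (host, parent_image, child_image)
PROCESS_EVENTS = [
    ("ws01", "explorer.exe", "chrome.exe"),
    ("ws02", "explorer.exe", "chrome.exe"),
    ("ws03", "explorer.exe", "chrome.exe"),
    ("ws01", "explorer.exe", "outlook.exe"),
    ("ws02", "explorer.exe", "outlook.exe"),
    ("ws03", "explorer.exe", "outlook.exe"),
    ("ws01", "services.exe", "svchost.exe"),
    ("ws02", "services.exe", "svchost.exe"),
    ("ws03", "services.exe", "svchost.exe"),
    ("ws02", "winword.exe", "cmd.exe"),   # Office spawning a shell: rare across the fleet
]

# Constructed outbound-connection events: (host, process, dest_ip, timestamp_seconds)
NETWORK_EVENTS = [
    # interactive browsing: irregular gaps
    ("ws01", "chrome.exe", "198.51.100.5", 0),
    ("ws01", "chrome.exe", "198.51.100.5", 5),
    ("ws01", "chrome.exe", "198.51.100.5", 40),
    ("ws01", "chrome.exe", "198.51.100.5", 41),
    ("ws01", "chrome.exe", "198.51.100.5", 300),
    ("ws01", "chrome.exe", "198.51.100.5", 900),
    # unknown binary calling out roughly every 60 s: beacon-like
    ("ws02", "updater.exe", "203.0.113.10", 0),
    ("ws02", "updater.exe", "203.0.113.10", 60),
    ("ws02", "updater.exe", "203.0.113.10", 119),
    ("ws02", "updater.exe", "203.0.113.10", 180),
    ("ws02", "updater.exe", "203.0.113.10", 241),
    ("ws02", "updater.exe", "203.0.113.10", 300),
]


def stack_parent_child(events, max_hosts=1):
    """Stacking: return (parent, child) pairs seen on at most `max_hosts` hosts.

    Pairs that appear fleet-wide are almost always benign; the long tail is
    where analyst time is best spent. Returns [((parent, child), host_count)].
    """
    hosts_by_pair = defaultdict(set)
    for host, parent, child in events:
        hosts_by_pair[(parent, child)].add(host)
    return sorted(
        (pair, len(hosts))
        for pair, hosts in hosts_by_pair.items()
        if len(hosts) <= max_hosts
    )


def find_beacons(events, min_connections=5, max_jitter_ratio=0.1):
    """Flag (host, process, dest_ip) groups whose connection intervals are
    near-constant: coefficient of variation (stdev / mean) <= max_jitter_ratio.

    Returns [((host, process, dest_ip), mean_interval, jitter_ratio)].
    """
    times_by_key = defaultdict(list)
    for host, proc, dst, ts in events:
        times_by_key[(host, proc, dst)].append(ts)

    beacons = []
    for key, times in times_by_key.items():
        if len(times) < min_connections:
            continue
        times.sort()
        deltas = [b - a for a, b in zip(times, times[1:])]
        avg = mean(deltas)
        if avg == 0:
            continue  # burst of identical timestamps, not a beacon
        jitter = pstdev(deltas) / avg
        if jitter <= max_jitter_ratio:
            beacons.append((key, round(avg, 1), round(jitter, 3)))
    return beacons


if __name__ == "__main__":
    for pair, n in stack_parent_child(PROCESS_EVENTS):
        print(f"rare parent/child pair on {n} host(s): {pair[0]} -> {pair[1]}")
    for key, avg, jitter in find_beacons(NETWORK_EVENTS):
        print(f"possible beacon {key}: every {avg}s, jitter {jitter}")
```

Neither function proves anything malicious on its own; both produce a short list of leads for a human to triage, which is the point of the analytics-based question. Real beacons often add random sleep jitter, so the `max_jitter_ratio` threshold is a tuning knob rather than a fixed rule.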
Threat Hunting Simulation - Practice | Learn
Hunting start-up:
Threat Intelligence | Know
As a hunter, keep up to date on:
- Threat intelligence reports,
- Threat feeds (sharing and exchange), and
- IoCs / IoAs
Threat Hunting Hypothesis
Hypothesis methodology
- Pick a tactic & technique
- Identify the procedure(s) the adversary would use
- Perform an attack simulation or data analysis
- Collect the evidence
- Define the scope (data sources, hosts, time window)
After a successful hunt, create a detection or optimize the existing query/rule/signature to close the defensive gap, then proceed with the next hunt.