Threat Hunting

Proactive discovery. Uncover suspicious activity. Identify abnormal behavior.

“Has our system been breached?” | “Do we have unexpected network traffic?” | “Do we have exploitable configuration in place?”

A key Zero Trust principle states: “A breach is inevitable or has likely already occurred.” This is what threat hunting is all about. By examining key system functional areas, we may find a variety of indicators to address that can aid in improving cybersecurity posture. We may even find indicators of compromise (IoCs). Our Threat Hunting services include a variety of methods for taking a proactive approach to cyber defense and response.

Service

Our first step in a threat hunting engagement involves determining how comprehensive the engagement should be. Goals, budget, risk appetite, and other factors can help in determining the scope of the threat hunting activity. We provide services ranging from a single point-in-time analysis to an active and ongoing function in your cybersecurity program.

Depending on scope, our threat hunting engagements involve network traffic analysis, log review, system activity review, and other methods.

Basic

Our Basic threat hunting engagement involves the analysis of interesting traffic at specific points in time. This approach gives us limited visibility; however, we often uncover findings worth further investigation.

Advanced

Our Advanced threat hunting engagement involves the analysis of interesting traffic for a defined duration. We place sensors at key points and observe traffic over time.

In-depth

Our In-depth threat hunting engagement involves the analysis of interesting traffic for a defined duration and system activity monitoring for the duration of the engagement. We place sensors at key points and observe traffic and activity over time. Additionally, we utilize tools to capture system activity for critical systems.

Deliverables and Action Items

At any point, if we observe anything requiring immediate attention, we will notify the client. This is where incident response begins, and clients may engage Bound Planet for assistance.

The engagement concludes with a review meeting and deliverable detailing findings, action items, and recommendations.

Interesting Traffic

Interesting traffic refers to the network traffic the threat hunting activity focuses on. This could be north-south traffic, east-west traffic, or any combination determined within the scope. For most clients, observing north-south traffic (all traffic traveling to and from the Internet) provides the greatest benefit for analysis.

Log Review

Log Review can be included in any threat hunting engagement and is recommended. Log Review focuses on critical logs that clients may not be monitoring on a regular basis.