Threat Hunting Resources and Glossary
Below we have compiled an extensive list of useful resources (articles, frameworks, guides and more) for further reading about threat hunting, along with a glossary of terms.
We hope you find these helpful.
Threat Hunting Resources on Endace.com
- Introduction to Threat Hunting
- Introduction to Threat Intelligence
- Indicators of Attack and Indicators of Compromise
Threat Hunting Resources
The following is a consolidated list of all useful links referenced on the various pages on this site that cover threat hunting.
- A Beginner’s Guide to Threat Hunting
- Anomali - "What are STIX/TAXII"
- CIS Critical Security Controls for Effective Cyber Defense
- COBIT (Control Objectives for Information and Related Technologies)
- CSO - "What is Mitre's ATT&CK framework? What red teams need to know"
- Cyber Kill Chain
- Cyber Security Insiders 2018 Threat Hunting Report
- Dan Gunter - "Threat Hunting vs Incident Response: Getting Proactive Instead of Staying Reactive"
- Dark Reading - "Deconstructing The Cyber Kill Chain"
- Dark Reading - "Top 15 Indicators Of Compromise"
- Diamond Model
- EY - A close look at cyber threat intelligence
- Future of Cyber Security Blog - Cyber Intelligence Sources
- Gartner - "How to Hunt for Security Threats"
- GitHub - A curated list of Awesome Threat Intelligence resources
- HIPAA (Health Insurance Portability and Accountability Act of 1996)
- InfoSec - "Threat Hunting: IOCs And Artifacts"
- InfoSec Institute - "The Ultimate Guide to Threat Hunting"
- InfoSec Institute - Threat Hunting Resources
- InfoSec Institute - Threat Intelligence
- ISO 27000 Series of Information Security Standards
- MITRE ATT&CK
- NIST Cyber Security Framework
- NIST Special Publication 800-53
- OODA Loop
- PCI DSS (Payment Card Industry Data Security Standard)
- Ponemon 2019 - Improving the Effectiveness of the Security Operations Center
- SANS - "Building and Maturing Your Threat Hunting Program"
- SANS - "Generating Hypotheses for Successful Threat Hunting"
- SANS - "Thinking like a Hunter: Implementing a Threat Hunting Program"
- SANS - Threat Intelligence: What It Is, and How to Use It Effectively
- SANS - various articles on threat hunting
- SANS / ThreatConnect - The Diamond Model for Intrusion Analysis: A Primer
- SANS 2018 - Threat Hunting Survey Results
- SecurityIntelligence - A Beginner's Guide to Threat Hunting
- STIX & TAXII on GitHub
Glossary of Terms
| Term | Definition |
|---|---|
| APT | Advanced Persistent Threat, i.e. a Threat Actor capable of gaining unauthorized access to a network and remaining undetected for an extended period. |
| Attack Surface | A term used to characterize how vulnerable an IT environment is to potential attack. If an IT environment is said to have a large attack surface, there are a large number of potential ways in which a hacker may attack it. A small attack surface indicates limited opportunities for attack. |
| Attack Vector | A path or means by which a hacker can gain access to a computer or network server in order to deliver a payload or cause a malicious outcome. Attack vectors arise from Threat Actors exploiting system and/or human vulnerabilities. |
| Blacklist | A list of entities that are blocked or denied privileges or access. Often refers to a list of IP addresses. |
| Blocklist | Another name for Blacklist. |
| C&C | Command and Control. Generally used when referring to a C&C server, i.e. the server configured by Threat Actors to communicate with machines that have been hacked/compromised. C&C servers are generally the source of malicious payloads and the destination for exfiltrated data. |
| C2 | Another name for C&C. |
| CVE | Common Vulnerabilities and Exposures. Refers to publicly known vulnerabilities. The MITRE organization maintains a database of CVEs. |
| CWE | Common Weakness Enumeration. A categorization system for CVEs maintained by MITRE. CVEs refer to individual vulnerabilities specific to certain software/hardware, whereas CWEs refer to generic types of vulnerability. |
| DHS | Department of Homeland Security (USA). |
| DLP Software | Data Loss Prevention software. Detects and prevents data loss and exfiltration by monitoring endpoints, storage, and network traffic. |
| East-West | Network traffic within an IT environment (distinct from North-South traffic). |
| EDR | Endpoint Detection and Response. Tools that detect suspicious activity, or traces of it, on endpoints such as servers and PCs. |
| Exfiltration | The unauthorized transfer of information from a system. |
| Exploit Kit | (Verb) To attack a weakness in an IT system in order to accomplish some malicious action. (Noun) Generally refers to a specific method, procedure or piece of software used to exploit a known vulnerability. |
| Honey Pot | A deliberate vulnerability and/or fake data intended to attract malicious actors. Generally monitored, a honeypot is often used as an early warning of malicious activity, sometimes as a decoy, and sometimes by security firms and researchers to gather intelligence. |
| HRU | High Risk Users. |
| HVA | High Value Asset. |
| IDS | Intrusion Detection System. Monitors networks and systems for malicious activity or policy violations. |
| IPS | Intrusion Prevention System. An IPS is an IDS with the ability to respond in real time to active attacks and violations. See also Next-Gen Firewall. |
| IoA | Indicator of Attack. A clue that an attack may have occurred or is occurring, or a precursor to an attack. A successful attack results in compromise. |
| IoC | Indicator of Compromise. A clue that data exfiltration and/or harm may have occurred or is occurring. |
| Lateral Movement | Threat Actors obtaining access to other machines after their initial infiltration of one machine. |
| MSSP | Managed Security Service Provider. A provider of outsourced SOC services. |
| Next-Gen Firewall | "A firewall that goes beyond port/protocol inspection and blocking to add application-level inspection and intrusion prevention. Industry convergence has resulted in a next generation firewall being functionally equivalent to an IPS." |
| North-South | Network traffic between an IT environment and the public internet. Diagrams tend to show the internet above the IT environment. |
| OSINT | Open Source Intelligence. In this context, publicly available threat intelligence (as opposed to threat intelligence that you pay for). |
| Phishing | A fraudulent attempt to get someone to take an action by pretending to be trustworthy via electronic message, most commonly email or SMS. See also Spear-Phishing. |
| PowerShell | A scripting language built into Microsoft Windows that allows for the automation of system administration tasks. |
| PUA | Potentially Unwanted Application. |
| SecOps | Security Operations. |
| SOC | Security Operations Center. |
| SIEM | Security Information and Event Management. |
| Spear-Phishing | Phishing that is targeted at, and tailored to, a specific individual, as distinct from regular phishing, which is broadcast and not tailored. |
| Timestomping | The act of modifying file timestamps, usually in the context of malicious activity, to hide that a file is new or recently modified. |
| Threat Actor | An individual, group, organization, government, or government-sponsored entity that conducts or has the intent to conduct malicious activities. |
| TTP | Tactics, Techniques and Procedures. |
| Vulnerability | A flaw or misconfiguration in hardware or software. Threat Actors exploit vulnerabilities to perform attacks and/or gain unauthorized access. |
| VM | Virtual Machine. |
Further Glossary Reading: