Threat Hunting Questionnaire

Threat Hunting

  • Phishing/Email Security Controls

    • How many phishing emails are we receiving?

    • How many are detected by our email security controls?

    • How many are missed by our security controls?

      • What kind of emails?

      • What are the TTPs?

    • What is our remediation?

    • What kind of attacks are we targeted with?

    • How are we doing email header analysis (authentication results, sender alignment)?

    • How are we stopping BEC scams?

    • With whom are we sharing threat intel?

    • Who/which APT groups are targeting the transport industry (especially airports)?

    • Upon our monthly review, what recommendations can we give to Gary to run the phishing email training campaign (template selection)?
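The header-analysis and BEC questions above are easier to answer with a small, repeatable triage step. The following is an added example, not part of the original questionnaire: using only the Python standard library it pulls the SPF/DKIM/DMARC verdicts out of the Authentication-Results header and checks sender alignment (visible From vs. envelope Return-Path vs. Reply-To), which is where most BEC messages give themselves away. The two messages, the domain example-airport.test and the ORG_DOMAINS set are constructed samples and assumptions, not real mail.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: a BEC-style message that spoofs an internal CFO,
# fails SPF/DMARC, bounces to an unrelated host and replies to free-mail.
SAMPLE_BEC = """\
From: "Jane Doe (CFO)" <jane.doe@example-airport.test>
Reply-To: jane.doe.cfo@freemail.test
Return-Path: <bounce@mailer.badhost.test>
To: payments@example-airport.test
Subject: Urgent wire transfer
Authentication-Results: mx.example-airport.test;
 spf=fail smtp.mailfrom=mailer.badhost.test;
 dkim=none;
 dmarc=fail header.from=example-airport.test
Received: from mailer.badhost.test (203.0.113.7) by mx.example-airport.test

Please process the attached invoice today.
"""

# Constructed sample: a genuine internal message that passes every check.
SAMPLE_LEGIT = """\
From: "Jane Doe" <jane.doe@example-airport.test>
Return-Path: <jane.doe@example-airport.test>
To: payments@example-airport.test
Subject: Q3 budget
Authentication-Results: mx.example-airport.test;
 spf=pass smtp.mailfrom=example-airport.test;
 dkim=pass header.d=example-airport.test;
 dmarc=pass header.from=example-airport.test

Attached.
"""

ORG_DOMAINS = {"example-airport.test"}  # assumed: domains we send mail as

# Picks "spf=fail", "dkim=none", "dmarc=pass" out of Authentication-Results.
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def auth_results(msg):
    """Map each auth mechanism to its verdict, e.g. {'spf': 'fail', ...}."""
    hdr = str(msg.get("Authentication-Results", ""))
    return {m.group(1).lower(): m.group(2).lower() for m in AUTH_RE.finditer(hdr)}


def domain_of(header_value):
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def triage(raw_message, org_domains=ORG_DOMAINS):
    """Return a list of findings; an empty list means nothing looked off."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    auth = auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) != "pass":
            findings.append(f"{mech}={auth.get(mech, 'missing')}")

    from_dom = domain_of(msg.get("From"))
    return_path_dom = domain_of(msg.get("Return-Path"))
    reply_to_dom = domain_of(msg.get("Reply-To"))

    # Envelope sender on a different domain than the visible From header.
    if return_path_dom and return_path_dom != from_dom:
        findings.append(f"return-path domain {return_path_dom} != from domain {from_dom}")
    # Reply-To steering replies away from the From domain is the classic BEC tell.
    if reply_to_dom and reply_to_dom != from_dom:
        findings.append(f"reply-to domain {reply_to_dom} != from domain {from_dom}")
    # Anything claiming to be from us must pass DMARC; otherwise it is spoofed.
    if from_dom in org_domains and auth.get("dmarc") != "pass":
        findings.append(f"internal sender {from_dom} without DMARC pass (likely spoof)")

    return findings


if __name__ == "__main__":
    for name, raw in (("BEC sample", SAMPLE_BEC), ("legit sample", SAMPLE_LEGIT)):
        print(name, "->", triage(raw) or ["clean"])
```

Run against a week's worth of messages the gateway let through, the findings list gives a first answer to "what kind of emails are we missing" and a concrete basis for the templates to hand to the training campaign.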

Network/IOT/OT/SCADA

  • Detect persistence mechanisms

  • Detect data exfiltration

  • Detect deployment of payloads (ransomware)

  • Detect DDoS

  • Identify Cloud Assets

  • Continuous asset discovery

Risk Analysis

  • What are our threats?

  • Where is our weakest link?

  • Who targets us?

  • What are the critical applications for our org and operations?

  • How fast can we restore services?

  • What is our incident response plan?

Cyber Gaps/Investigations:

  • Misconfigured firewall rules

    • Azure DC

    • vCenter server

  • Which scheduled tasks are running

  • RDP connections

  • SSH tunneling

  • GitHub plaintext passwords

  • Internal applications without TLS

  • Multi cloud presence
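As an added example (not from the original page) for the scheduled-task and RDP items above, and for "Detect persistence mechanisms" under Network/IOT/OT/SCADA: the hunt below runs over constructed Windows Security event records (4698 = scheduled task created, 4624 = successful logon, LogonType 10 = RemoteInteractive, i.e. RDP). The hostnames, IPs, usernames and the jump-host allowlist are assumptions made for the sample; the event IDs and logon type are standard Windows values.

```python
import re
from collections import defaultdict

# Constructed sample events (not real telemetry), shaped like the fields
# exported from the Windows Security log: 4698 = scheduled task created,
# 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
EVENTS = [
    {"EventID": 4698, "Computer": "WS-042", "SubjectUserName": "jdoe",
     "TaskName": "\\Microsoft\\Windows\\Updater", "Command": "powershell.exe",
     "Arguments": "-nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AA=="},
    {"EventID": 4698, "Computer": "SRV-01", "SubjectUserName": "svc_backup",
     "TaskName": "\\Backup\\Nightly",
     "Command": "C:\\Program Files\\Backup\\backup.exe", "Arguments": "--full"},
    {"EventID": 4698, "Computer": "WS-017", "SubjectUserName": "asmith",
     "TaskName": "\\OneDriveSync", "Command": "C:\\Windows\\System32\\cmd.exe",
     "Arguments": "/c C:\\Users\\Public\\AppData\\Roaming\\sync.bat"},
    {"EventID": 4624, "LogonType": 10, "Computer": "SRV-01",
     "TargetUserName": "admin1", "IpAddress": "10.10.5.10"},
    {"EventID": 4624, "LogonType": 10, "Computer": "SRV-01",
     "TargetUserName": "svc_backup", "IpAddress": "10.20.3.44"},
    {"EventID": 4624, "LogonType": 10, "Computer": "WS-017",
     "TargetUserName": "svc_backup", "IpAddress": "10.20.3.44"},
    {"EventID": 4624, "LogonType": 10, "Computer": "DC-01",
     "TargetUserName": "svc_backup", "IpAddress": "10.20.3.44"},
    {"EventID": 4624, "LogonType": 3, "Computer": "FS-01",
     "TargetUserName": "jdoe", "IpAddress": "10.20.3.44"},
]

# Assumed: the only hosts from which RDP is sanctioned (the jump hosts).
RDP_ALLOWED_SOURCES = {"10.10.5.10"}

# Script hosts and LOLBins that rarely belong in a scheduled task action.
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "rundll32.exe",
           "regsvr32.exe", "wscript.exe", "cscript.exe"}
# Encoded/hidden PowerShell, or payloads launched from user-writable paths.
SUSPICIOUS_ARGS = re.compile(
    r"-enc|-encodedcommand|-w\s+hidden|\\AppData\\|\\Temp\\|\\Public\\|\\ProgramData\\",
    re.IGNORECASE)


def hunt_scheduled_tasks(events):
    """4698 events whose action is a LOLBin with suspicious arguments."""
    hits = []
    for e in events:
        if e.get("EventID") != 4698:
            continue
        exe = e.get("Command", "").lower().rsplit("\\", 1)[-1]
        if exe in LOLBINS and SUSPICIOUS_ARGS.search(e.get("Arguments", "")):
            hits.append((e["Computer"], e["TaskName"], exe, e["SubjectUserName"]))
    return hits


def hunt_rdp_sources(events, allowed_sources=RDP_ALLOWED_SOURCES):
    """RDP logons (4624 / LogonType 10) that did not originate from a jump host."""
    return [(e["IpAddress"], e["Computer"], e["TargetUserName"])
            for e in events
            if e.get("EventID") == 4624 and e.get("LogonType") == 10
            and e.get("IpAddress") not in allowed_sources]


def rdp_fan_out(events):
    """Distinct RDP destinations per source IP. One source hopping across many
    hosts is the lateral-movement pattern that precedes ransomware deployment."""
    targets = defaultdict(set)
    for e in events:
        if e.get("EventID") == 4624 and e.get("LogonType") == 10:
            targets[e["IpAddress"]].add(e["Computer"])
    return {ip: len(hosts) for ip, hosts in targets.items()}


if __name__ == "__main__":
    print("suspicious tasks:", hunt_scheduled_tasks(EVENTS))
    print("rdp from non-jump hosts:", hunt_rdp_sources(EVENTS))
    print("rdp fan-out:", rdp_fan_out(EVENTS))
```

The same three functions work unchanged on records pulled from a SIEM or from msticpy query results once the field names are mapped; the LOLBin list and the argument patterns are the parts to tune against your own baseline of legitimate tasks.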

Attack/Threat vector

  • Azure AD

  • Azure ADFS

Internal Pentest and Adversary Emulation: Run Responder or similar tools internally (LLMNR/NBT-NS poisoning)

Atomic Red Team simulation:

  • Create vm instance

    • Install aw

    • Install syslog

Threat Research Integration:

-Tools

https://msticpy.readthedocs.io/en/latest/
