# Threat Hunting Questionnaire

## Threat Hunting

* Phishing/Email Security Controls
  * How many phishing emails are we receiving?
  * How many are detected by our email security control?
  * How many are missed by our security controls?
    * What kind of emails?
    * What are the TTPs?
  * What is our remediation?
  * What kind of attacks are we targeted with?
  * How are we doing email header analysis?
  * How are we stopping BEC scams?
  * With whom are we sharing threat intel?
  * Who/which APT groups are targeting the transport industry (especially airports)?
  * Upon our monthly review, what kind of recommendations can we give to Gary to run a phishing email training campaign (template selection)?


## Network/IOT/OT/SCADA

* Detect persistence mechanisms
* Detect data exfiltration
* Detect deployment of payloads (ransomware)
* Detect DDoS
* Identify cloud assets
* Continuous asset discovery


## Risk Analysis

* What are our threats?
* Where is our weakest link?
* Who targets us?
* What are the critical applications for our org and operations?
* How fast can we restore services?
* What is our incident response plan?

## Cyber Gaps/Investigations

* Misconfigured firewall rules
  * Azure DC
  * vCenter server
* Which scheduled tasks are running
* RDP connections
* SSH tunneling
* GitHub plaintext passwords
* Lack of SSL/TLS on internal applications
* Multi-cloud presence


## Attack/Threat Vector

* Azure AD
* Azure ADFS

## Internal Pentest and Adversary Emulation

Run Responder/similar tools internally

* <https://www.ivoidwarranties.tech/posts/pentesting-tuts/responder/guide/>

## Atomic Red Simulation

* Create VM instance
  * Install aw
  * Install syslog

## Threat Research Integration

* Tools
  * <https://msticpy.readthedocs.io/en/latest/>


* Key Logger
  * <https://github.com/secureyourself7/python-keylogger>


* Research
  * <https://infosecjupyterthon.com/introduction.html>
  * <https://attack.mitre.org/>

