
Effective Threat-Hunting Queries in a Redacted World
2021-08-24 12:00

A decade ago, hunting for adversary infrastructure was often as simple as monitoring a domain registrant's name or phone number in public WHOIS records.

As bad actors moved first toward privacy-protection services and then gained further cover from laws such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), many in the cybersecurity industry have lamented the loss of unredacted WHOIS records as the end of effective hunting.

To discover new infrastructure and to track an adversary's changes and movement over time, defenders need to learn to craft effective composite queries, ones that combine several attributes of the adversary's infrastructure rather than pivoting on a single registrant field.

Those mutable attributes, and how they change, are the core constructs of an effective hunting query, but first we have to understand which part of the internet's hierarchy our adversary actually controls.

Composite objects form the linchpin of effective hunting queries in a world where adversary operational security has become increasingly capable and privacy redaction has rendered many quick-win registration details useless.

While the components of these queries may be spread across varied data sets and vendors, an effective CTI program can draw on a wide range of open-source and enterprise solutions to combine them into a more effective hunting strategy.
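The following is an added example, not code from the Threatpost article, showing the difference between the old single-field WHOIS pivot and a composite query over mutable infrastructure attributes. The records, domain names, ASNs and field names are constructed for illustration and are not a vendor schema; the predicate weights are an assumed judgment call, with rarer shared attributes (the same name servers) weighted above common ones (a popular registrar or CA).

```python
"""Composite hunting query over constructed infrastructure records.

Added example (not from the article). All sample data is constructed;
field names and weights are assumptions for illustration only.
"""
from dataclasses import dataclass, fields
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class InfraRecord:
    """One observation of a domain's mutable infrastructure attributes."""
    domain: str
    registrant_email: str          # "REDACTED" when privacy-protected
    registrar: str
    nameservers: Tuple[str, ...]
    asn: int
    cert_issuer: str
    cert_subject_alt_count: int    # number of names on the TLS certificate


# Constructed seed: an older, unredacted registration that exposed the
# actor's e-mail address (the kind of quick win WHOIS used to provide).
SEED = InfraRecord("login-verify-mail.example", "actor@example.net", "CheapReg Ltd",
                   ("ns1.bulkdns.example", "ns2.bulkdns.example"), 64512,
                   "Let's Encrypt", 1)

# Constructed later observations.
OBSERVED = [
    SEED,
    # Same operator, now behind privacy protection: the e-mail pivot is dead,
    # but registrar, name servers, ASN and certificate habits are unchanged.
    InfraRecord("secure-mail-login.example", "REDACTED", "CheapReg Ltd",
                ("ns1.bulkdns.example", "ns2.bulkdns.example"), 64512,
                "Let's Encrypt", 1),
    # Same operator after moving hosting: the ASN changed, the rest did not.
    InfraRecord("account-verify-now.example", "REDACTED", "CheapReg Ltd",
                ("ns1.bulkdns.example", "ns2.bulkdns.example"), 64513,
                "Let's Encrypt", 1),
    # Unrelated domain that merely shares the popular registrar and CA.
    InfraRecord("corp-intranet.example", "REDACTED", "CheapReg Ltd",
                ("ns1.corpdns.example", "ns2.corpdns.example"), 65000,
                "Let's Encrypt", 12),
]


def whois_hunt(records: List[InfraRecord], email: str) -> List[str]:
    """The decade-old approach: pivot on a single registrant field."""
    return [r.domain for r in records if r.registrant_email == email]


def composite_from_seed(seed: InfraRecord) -> List[Tuple[str, int, Callable[[InfraRecord], bool]]]:
    """Build weighted predicates from the seed's mutable attributes.

    Weights are assumed for this example: shared name servers are rarer and
    therefore more discriminating than a common registrar or CA.
    """
    return [
        ("registrar", 1, lambda r: r.registrar == seed.registrar),
        ("nameservers", 3, lambda r: bool(set(r.nameservers) & set(seed.nameservers))),
        ("asn", 2, lambda r: r.asn == seed.asn),
        ("cert_issuer", 1, lambda r: r.cert_issuer == seed.cert_issuer),
        ("cert_name_count", 1, lambda r: r.cert_subject_alt_count == seed.cert_subject_alt_count),
    ]


def composite_score(record: InfraRecord, predicates) -> int:
    """Sum the weights of every predicate the record satisfies."""
    return sum(weight for _, weight, pred in predicates if pred(record))


def composite_hunt(records: List[InfraRecord], predicates, threshold: int) -> List[Tuple[str, int]]:
    """Return (domain, score) for records whose summed weight clears threshold."""
    hits = []
    for r in records:
        score = composite_score(r, predicates)
        if score >= threshold:
            hits.append((r.domain, score))
    return hits


def changed_mutables(before: InfraRecord, after: InfraRecord) -> Dict[str, Tuple[object, object]]:
    """Report which mutable attributes differ between two observations
    (one domain at two points in time, or a seed and a candidate), so the
    composite can be adjusted as the actor moves."""
    return {f.name: (getattr(before, f.name), getattr(after, f.name))
            for f in fields(InfraRecord)
            if f.name != "domain" and getattr(before, f.name) != getattr(after, f.name)}


if __name__ == "__main__":
    print("WHOIS pivot finds:", whois_hunt(OBSERVED, "actor@example.net"))
    print("Composite finds:", composite_hunt(OBSERVED, composite_from_seed(SEED), threshold=5))
    print("Moved between observations:", changed_mutables(OBSERVED[1], OBSERVED[2]))
```

Run stand-alone, the WHOIS pivot returns only the seed domain, because every later registration is redacted, while the composite with a threshold of 5 returns the seed and both redacted domains (the one that changed hosting scores lower but still clears the bar) and ignores the unrelated domain that shares only the registrar and CA. The threshold is where the analyst trades recall for precision; the `changed_mutables` output is what you feed back into the composite as the adversary pivots.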


News URL

https://threatpost.com/effective-threat-hunting-queries/168864/