Category: Security

Security content from Leo Nelson

Threat Hunting

Threat hunting is the practice of proactively searching a network for threats that existing alerts and controls have not caught: looking beyond known, already-detected malicious activity to discover attackers, weaknesses and vulnerabilities that are lurking undetected.

How do you get started building a threat hunting program for your organization? Mark Brozek’s blog post on How to Start Threat Hunting has a key paragraph that I believe is the best way to plant the seeds for this program: Develop a Hypothesis, Then Test It.

Structured hunting tends to be the most useful approach for organizations. This takes the form of goal-oriented sprints that last no longer than two weeks. Each hunt should start with a piece of intelligence and a hypothesis. This could be a new vulnerability or threat that should be investigated to see if it impacts the organization or an unusual behavior. It could also be as simple as following up on a malware outbreak to make sure it has been fully remediated. Then, threat hunters conduct some form of pen testing, simulation or red team exercise to see what they can discover. Teams may uncover misconfigurations, vulnerabilities and malicious activity through these exercises. Structured hunting should be process-driven but follow an agile methodology. Hunters should understand what automated processes, alerts and behavior analysis have already been performed on the data so as not to duplicate efforts. Threat hunting can lead down many rabbit holes, which requires agility – but there should be a formal process in place to guide the hunt and pull back from the rabbit holes as needed. If the two weeks are exhausted without progress, then you must move on.

Mark Brozek on How to Start Threat Hunting

Threat Hunting Data

Threat hunting requires both data and people. Andrew Ludwig summarizes this best as ‘No data – no hunt’. Data can come from a wide variety of sources, including logs from on-premises systems and vendor tools that expose their data for interactive exploration.

Threat Hunting Skills

Many sites list the skills required for threat hunting as ranging across programming, threat intelligence analysis, malware analysis, penetration testing, data science, machine learning and business analysis. What matters most, however, is a team or individual with the desire to question why an exploit is possible, approaching the problem creatively through the lens of “I wonder what would happen if this …” and grounded in sound knowledge of all the systems and data in place at the organization. Furthermore, good threat hunters must be able to communicate and share their findings, in order to build the business case for continued threat hunting resources and the related remediation activity.

Threat Hunting Tools

  1. Security monitoring tools and their data, from products such as firewalls, endpoint protection and data loss prevention solutions
  2. Analytics tools such as Power BI, which aggregate the log data into visual reports that make it easier to correlate entities, visualize and interact with the results, and then detect patterns.
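The three points above (start from a hypothesis and test it, no data means no hunt, and analytics that correlate entities across log data without duplicating what automation already checks) are illustrated by the following added example. It is not code from any of the cited posts; it runs a hunt query over constructed logon events modelled on the fields of Windows Security events 4624 and 4625, and the thresholds, window size and the "existing SIEM rule" it compares against are hypothetical.

```python
"""Hypothesis-driven hunt over constructed logon events.

Hypothesis: a stolen service account is being used for lateral movement.
Every logon succeeds, so the existing "repeated failed logons" alert never
fires; the signal is one account, from one source, fanning out to many
hosts inside a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample events (not real logs), modelled on the fields of Windows
# Security events 4624 (successful logon) and 4625 (failed logon).
SAMPLE_LOG = """\
{"ts": "2024-03-01T02:00:00", "event_id": 4624, "account": "svc_backup", "src_ip": "10.0.0.5", "host": "FS01"}
{"ts": "2024-03-01T08:55:00", "event_id": 4625, "account": "jdoe", "src_ip": "10.0.1.20", "host": "WS05"}
{"ts": "2024-03-01T08:55:20", "event_id": 4625, "account": "jdoe", "src_ip": "10.0.1.20", "host": "WS05"}
{"ts": "2024-03-01T08:55:40", "event_id": 4624, "account": "jdoe", "src_ip": "10.0.1.20", "host": "WS05"}
{"ts": "2024-03-01T09:00:05", "event_id": 4624, "account": "svc_backup", "src_ip": "10.0.0.5", "host": "WS02"}
{"ts": "2024-03-01T09:01:10", "event_id": 4624, "account": "svc_backup", "src_ip": "10.0.0.5", "host": "WS07"}
{"ts": "2024-03-01T09:02:30", "event_id": 4624, "account": "svc_backup", "src_ip": "10.0.0.5", "host": "DC01"}
{"ts": "2024-03-01T09:04:00", "event_id": 4624, "account": "svc_backup", "src_ip": "10.0.0.5", "host": "SQL01"}
{"ts": "2024-03-01T09:06:45", "event_id": 4624, "account": "svc_backup", "src_ip": "10.0.0.5", "host": "HR03"}
{"ts": "2024-03-01T09:08:20", "event_id": 4624, "account": "svc_backup", "src_ip": "10.0.0.5", "host": "FS01"}
{"ts": "2024-03-01T09:10:00", "event_id": 4624, "account": "jdoe", "src_ip": "10.0.1.20", "host": "MAIL01"}
"""

# Hypothetical thresholds; tune them against the organization's own baseline.
FAILED_LOGON_ALERT_THRESHOLD = 5   # assumed existing SIEM rule: 5+ failures to one host from one source
FANOUT_THRESHOLD = 5               # hunt: distinct hosts reached by one account/source inside WINDOW
WINDOW = timedelta(minutes=10)


def parse_events(log_text):
    """Parse one JSON event per line into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def existing_failed_logon_alerts(events, threshold=FAILED_LOGON_ALERT_THRESHOLD):
    """What automation already covers: repeated failed logons (4625) to one
    host from one source. Running it first shows the hunt is not a duplicate."""
    counts = defaultdict(int)
    for ev in events:
        if ev["event_id"] == 4625:
            counts[(ev["src_ip"], ev["host"])] += 1
    return sorted(key for key, n in counts.items() if n >= threshold)


def hunt_logon_fanout(events, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Test the hypothesis: one account from one source successfully logging on
    to `threshold` or more distinct hosts within `window`. Returns at most one
    finding per (account, src_ip), at the first window that matches."""
    by_actor = defaultdict(list)
    for ev in events:                       # events are already time-ordered
        if ev["event_id"] == 4624:
            by_actor[(ev["account"], ev["src_ip"])].append(ev)

    findings = []
    for (account, src_ip), evs in by_actor.items():
        for i, start in enumerate(evs):
            hosts = {e["host"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(hosts) >= threshold:
                findings.append({"account": account, "src_ip": src_ip,
                                 "window_start": start["ts"], "hosts": sorted(hosts)})
                break
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("existing alert fires on:", existing_failed_logon_alerts(evs))
    for f in hunt_logon_fanout(evs):
        print(f"HUNT HIT {f['account']}@{f['src_ip']} from {f['window_start']}: {f['hosts']}")
```

On the sample data the existing failed-logon rule stays silent (jdoe's two failures are below its threshold), while the hunt flags svc_backup reaching six hosts in under ten minutes; its 02:00 logon to FS01 alone, the normal nightly backup, does not. A hit like this is the start of an investigation, not a conclusion, and a hunt query that proves useful is the natural candidate to hand over to the automated alerting the paragraph above tells hunters to be aware of.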

1-10-60 Rule

Dmitri Alperovitch, CTO at CrowdStrike, breaks down the 1-10-60 rule and why organizations should track and improve their incident response times against this benchmark:

  • Detect an incident in 1 minute
  • Investigate the incident in 10 minutes
  • Remediate or contain the incident in 60 minutes


Under the Hood of Password Managers

Password managers allow the storage and retrieval of sensitive information from an encrypted database. Users rely on them to provide better security guarantees against trivial exfiltration than alternative ways of storing passwords, such as an unsecured flat text file. In this paper we propose security guarantees password managers should offer and examine the underlying workings of five popular password managers targeting the Windows 10 platform: 1Password 7 [1], 1Password 4 [1], Dashlane [2], KeePass [3], and LastPass [4]. We anticipated that password managers would employ basic security best practices, such as scrubbing secrets from memory when they are not in use and sanitization of memory once a password manager was logged out and placed into a locked state. However, we found that in all password managers we examined, trivial secrets extraction was possible from a locked password manager, including the master password in some cases, exposing up to 60 million users that use the password managers in this study to secrets retrieval from an assumed secure locked state.

Source: Password Managers: Under the Hood of Secrets Management
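The behaviour the paper expected of a locked password manager (decrypted secrets and the derived key overwritten on lock, not merely hidden behind a "locked" flag) is sketched below as an added Python example. It is not the paper's code and does not reflect how any of the products studied work; it assumes a toy HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag in place of a real AEAD, PBKDF2 for key derivation, and a constructed vault with one entry. Python cannot guarantee that no other copy of a secret exists (str and bytes are immutable and the interpreter may duplicate them), so the example keeps everything it intends to wipe in bytearrays and only demonstrates the policy, not a guarantee.

```python
import hashlib
import hmac
import json
import os


def _wipe(buf: bytearray) -> None:
    """Overwrite a mutable buffer in place. Only bytearrays can be wiped;
    immutable str/bytes copies made along the way are out of our control."""
    buf[:] = b"\x00" * len(buf)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode: a toy stream cipher for the demo only
    (a real vault would use an AEAD such as AES-GCM)."""
    out = bytearray()
    for counter in range((n + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:n])


class ScrubbingVault:
    """Secrets stay encrypted at rest. unlock() decrypts into a bytearray and
    lock() overwrites that buffer and the derived key, so a memory scan of a
    locked vault finds zeros rather than the secrets."""

    def __init__(self, master_password: str, secrets: dict):
        self._salt = os.urandom(16)
        self._nonce = os.urandom(16)
        key = bytearray(self._derive(master_password))
        plaintext = json.dumps(secrets).encode()
        ks = _keystream(bytes(key), self._nonce, len(plaintext))
        self._ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
        # Encrypt-then-MAC tag: a wrong master password is rejected before
        # any decryption happens.
        self._tag = hmac.new(bytes(key), self._nonce + self._ciphertext, hashlib.sha256).digest()
        _wipe(key)
        self._key = bytearray()      # empty while locked
        self._plain = bytearray()
        self.locked = True

    def _derive(self, master_password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", master_password.encode(), self._salt, 100_000, dklen=32)

    def unlock(self, master_password: str) -> None:
        key = bytearray(self._derive(master_password))
        expected = hmac.new(bytes(key), self._nonce + self._ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, self._tag):
            _wipe(key)
            raise ValueError("bad master password")
        ks = _keystream(bytes(key), self._nonce, len(self._ciphertext))
        self._key = key
        self._plain = bytearray(c ^ k for c, k in zip(self._ciphertext, ks))
        self.locked = False

    def get(self, name: str) -> str:
        if self.locked:
            raise RuntimeError("vault is locked")
        # json.loads necessarily produces immutable str copies of the secrets;
        # a caller that keeps them around defeats lock(). That is exactly the
        # class of leftover the paper reports finding in real products.
        return json.loads(bytes(self._plain))[name]

    def lock(self) -> None:
        """Scrub in place rather than just dropping references: the buffers
        may stay mapped, so what matters is that their contents are gone."""
        _wipe(self._plain)
        _wipe(self._key)
        self.locked = True

    def residue(self) -> bytes:
        """What a scan of this vault's own buffers would recover (demo aid)."""
        return bytes(self._plain) + bytes(self._key)


if __name__ == "__main__":
    vault = ScrubbingVault("correct horse battery staple", {"mail": "hunter2"})
    vault.unlock("correct horse battery staple")
    print("unlocked, secret visible in buffers:", b"hunter2" in vault.residue())
    vault.lock()
    print("locked, secret visible in buffers:", b"hunter2" in vault.residue())
```

The point of the check in residue() is the test the paper applied: after lock(), the buffers the vault controls hold only zeros. A native implementation would use a compiler-resistant wipe (such as SecureZeroMemory on Windows) and would also have to account for copies made by UI widgets, clipboard handling and allocator internals, which is where the products in the study fell short.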

CIS Controls Self Assessment Tool

The Center for Internet Security has launched the CIS Controls Self-Assessment Tool, or CIS CSAT, to enable organizations to track and prioritize their implementation of the CIS Controls. The tool includes features such as the ability to:

  • Delegate questions to other team members
  • Set deadlines for each CIS Control and sub-control
  • Collect documentation related to your findings
  • Capture team discussion about each assessment question

To start with the Self Assessment Tool, visit

Health Industry Cybersecurity Practices

The U.S. Department of Health and Human Services (HHS) released the Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients publication, which aims to provide voluntary cybersecurity practices to healthcare organizations of all types and sizes, ranging from local clinics to large hospital systems. The guide is available at Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients.

The guide includes: