Cyber hunting is the art of actively seeking and tracking intelligent bad guys on your network. This is different from vulnerability testing, which is the practice of inventorying the different known ways in which a bad guy could enter your network. A cyber hunter starts with the assumption that bad guys are already on your network – and it doesn’t matter whether the perpetrator is an outsider who found a novel way in or is a trusted insider with knowledge of the organization.
Hunting is a proactive discipline: rather than waiting for an alert to fire, the hunter spends time searching for and understanding “peculiar” traffic on the network, meaning traffic that departs from what the network normally does.
After a bad guy has been identified, the hunter seeks to understand patterns and capabilities. What assets are under control of the adversary? How are they reached? What techniques does the adversary use? And many more. A good cyber hunter resists the urge to act the moment the first foothold is found, because remediating one host tips off the adversary and leaves the rest of their access in place. The goal is a complete threat picture, so that the response can be executed once and remove every foothold together, avoiding a lengthy game of cat and mouse. The one caveat is that if the adversary is actively stealing or destroying data, containment of that activity takes priority over completing the picture.
An effective hunting capability requires executive mandate. Organizations must choose to develop, empower, and fund a hunt capability. Cyber hunting is not something that the NSOC (network security operations center) can do on the side, as its operators are already overwhelmed with daily tasks. A cyber hunter must be given the proper time and access to do their job, and the right tools to collect telemetry throughout the organization.
FlowTraq gives you the power to drill deeper into your network flow data than any other solution, making it the ideal tool for cyber hunting. Collecting NetFlow or sFlow from the routers and switches that already export it, and keeping a forensic record of every flow, gives the cyber hunter the telemetry they need without deploying new sensors. FlowTraq was designed for the cyber hunter.
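To make the idea of hunting for “peculiar” traffic in flow records concrete, here is an added example that is not part of the original post and does not use FlowTraq’s API. It runs two common hunts over constructed NetFlow/sFlow-style records: a periodicity check that flags an internal host that contacts the same external endpoint at near-regular intervals (beacon-like command-and-control traffic), and a fan-out check that flags an internal host touching many distinct internal peers on the same port (a lateral-movement signature). The record layout, the 10.0.0.0/8 internal range, the thresholds and the sample flows are all assumptions made for the example; the external addresses are documentation ranges.

```python
"""Two simple hunts over NetFlow/sFlow-style records (added example, not FlowTraq code).

A flow record here is (start_ts_seconds, src, dst, dst_port, bytes). Real collectors
export more fields, but these are enough to show the two hunts."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL = ip_network("10.0.0.0/8")   # assumed internal range for this example

# Constructed sample flows. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges, not real hosts.
FLOWS = [
    # 10.0.0.5 talks to 203.0.113.7:443 every ~300 s with small jitter: beacon-like
    *[(t, "10.0.0.5", "203.0.113.7", 443, 640)
      for t in (0, 301, 598, 902, 1199, 1503, 1797, 2101)],
    # 10.0.0.5 also talks to 198.51.100.20:443 at irregular times: ordinary browsing
    *[(t, "10.0.0.5", "198.51.100.20", 443, 12000)
      for t in (15, 400, 2000, 2050, 2900, 3100)],
    # 10.0.0.9 touches five internal hosts on 445 within a minute: lateral movement
    *[(1000 + i * 10, "10.0.0.9", f"10.0.0.{n}", 445, 900)
      for i, n in enumerate((1, 2, 3, 4, 6))],
    # 10.0.0.12 reaches a single file server once: normal
    (1500, "10.0.0.12", "10.0.0.3", 445, 50000),
]


def find_beacons(flows, min_flows=6, max_jitter=0.10):
    """Flag (src, dst, dport) pairs whose flow start times are nearly periodic.

    Periodicity is measured as the coefficient of variation of the gaps between
    consecutive flows. Malware usually adds jitter to its sleep interval, so a
    tolerance (max_jitter, 10% by default) is allowed. Returns a list of
    (src, dst, dport, mean_gap_seconds)."""
    starts = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        starts[(src, dst, dport)].append(ts)
    hits = []
    for key, times in starts.items():
        if len(times) < min_flows:
            continue                      # too few samples to call it periodic
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((*key, round(avg, 1)))
    return hits


def find_internal_fan_out(flows, min_peers=5):
    """Flag internal hosts that contact at least min_peers distinct internal hosts.

    Returns {src: sorted list of internal destinations}. The threshold is a
    starting point; a hunter would tune it per host role (a scanner or a
    monitoring box legitimately talks to everything)."""
    peers = defaultdict(set)
    for _, src, dst, _, _ in flows:
        if ip_address(src) in INTERNAL and ip_address(dst) in INTERNAL:
            peers[src].add(dst)
    return {src: sorted(p) for src, p in peers.items() if len(p) >= min_peers}


def hunt(flows):
    """Run both hunts and return the leads an analyst would then investigate."""
    return {"beacons": find_beacons(flows),
            "fan_out": find_internal_fan_out(flows)}


if __name__ == "__main__":
    for name, leads in hunt(FLOWS).items():
        print(name, leads)
```

Run against the constructed data, the beacon hunt reports only the 10.0.0.5 to 203.0.113.7:443 pair (the irregular browsing to 198.51.100.20 has far too much variance), and the fan-out hunt reports only 10.0.0.9. Both are leads, not verdicts: the next step is exactly the one the post describes, building out what else those hosts reach before touching anything.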