Practical Threat Intelligence And Data-driven Threat Hunting Pdf Free High Quality Download

DNS logs: records of all domain resolutions (port 53). Attackers using DGAs or communicating with malicious C2 domains leave footprints here.

Attackers are using obfuscated PowerShell commands to bypass endpoint detection mechanisms and download remote access tools into the environment.

Step 2: Define Data Requirements

Aggregating common data points (like process names or registry paths) across thousands of endpoints and sorting them by count. The rarest entries often reveal malware or unauthorized utilities.

AWS CloudTrail, Azure Activity Logs, and Google Cloud Audit Logs to track API calls and privilege escalations.

Mapping to Frameworks: MITRE ATT&CK

Understanding adversary tactics, techniques, and procedures (TTPs) using frameworks like MITRE ATT&CK.

Proactive Hypothesis Building:

High-level information regarding the overarching threat landscape. It focuses on risk management, threat actor motivations, and geopolitical events. Executive leadership uses this data to allocate security budgets and drive long-term defense strategies.

2. Tactical Intelligence

This is the active pursuit of threats within a network. By applying advanced analytics and machine learning to large security datasets, hunters identify anomalies or indicators of compromise (IoCs) that standard tools might miss.

Key Frameworks and Methodologies

Analytical Techniques

The Pyramid of Pain, coined by David Bianco, remains the gold standard for practical intelligence. A useful PDF on this topic will move beyond theory into metrics (e.g., hash values vs. TTPs). Practical TI focuses on the behavior of the adversary rather than just indicators of compromise (IOCs) that expire within 24 hours.

Mapping threat actor tactics, techniques, and procedures (TTPs) and emulating their activity in a lab environment.

Are there any that your industry is currently prioritizing for defense?

Insights into specific campaigns, malware variants, and the Tactics, Techniques, and Procedures (TTPs) used by adversaries.

A step-by-step configuration checklist for maximizing data visibility.

Practical Threat Intelligence and Data-Driven Threat Hunting

Threat intelligence tells you who is attacking, how they are doing it, and what infrastructure they use. It provides the hypothesis for a hunt.