Hi, everybody. Ed Amoroso here, and I want to talk to you about a discipline, a profession, sort of a specialization in cyber security now, a new one, that we refer to as hunting. It's kind of a cool, active term. Usually, a cyber hunter, or a threat hunter, an attack hunter, is a human being working in a security operations center for a company, or government agency, or military. And what they do is they have information that they have access to. They pull that information. They do analysis on the information, that's hunting, and they try to come up with some sort of a conclusion. We call that intelligence, where you take raw data, you process it, and the process is coming up with the conclusion. We actually use the word derive, like sometimes you'll say, we derive intelligence from data collection and analysis. Let me say that again. You collect data, you analyze, you derive intelligence. We call that whole process threat hunting or hunting, ain't that cool? It's something that I think a lot of people watching this video, young people who really like cyber security, my guess is, better than average chance, that if you do get into this business, threat hunting is something you probably would be doing at some portion of your career. I spent a lot of my career doing it, it's fun. There's a little bit of detective work involved. There's some mathematics involved, and then certainly you have to understand the basics of whatever system you're looking at. If you're doing threat hunting, say in the context of a big industrial control system, like a power plant, you're going to have to know something about how power plants work. If you're doing the same work for a bank, then you're going to have to know something about financial transactions, because you're hunting for conditions that are likely being put in place by a malicious intruder who wants to bring harm to your company.
The way you attack a bank is you go into the finance; the way you go after a power plant is you go after their operations. So, the threat hunter is there to try to detect, and hopefully prevent, problems before they occur. So, let's look at a very simple case, very consistent with some previous discussion that we had. We have an audit log, again that big data lake, it's our information, and we see a whole bunch of activity records there. Now, what's important when you look at this, on the chart immediately, is that there's a lot of unrelated log activity records. That means it's not at all just the stuff you're looking for, there's a lot of other stuff interspersed. So the first thing that has to happen, generally when you're doing hunting, is you need access to everything, and you have to come up with a way to identify the things that are relevant. You can see on the chart, like these dotted lines to the shaded password guessing that's going on in a big audit log, that's interspersed with a lot of stuff that has absolutely nothing to do with password guessing. The hunter needs to go through this. The diagram is so obvious, you'd say, oh look, it's so obvious, it's shaded in the PowerPoint chart, my gosh, how obvious could this be. Well, it's anything but obvious. In reality, you're hunting through maybe reams of data, looking for needles in haystacks sometimes. Now, once that's the case, then clearly the next step is to do some sort of analysis, and signatures have always been the basis. But as we've talked about in other videos, the possibility exists that you do some sort of profiling. And that's where the power of signatures, and also management by exception using profiles, and using deviations from norm, where actual and expected have some differences, all of the above are at the disposal of the threat hunter. They're all tools that a threat hunter would use to try and derive some sort of intelligence.
What I want you to take from this is, you collect data, and it's not so easy when you're collecting to just get the things that are relevant. You collect everything, and you have to do some sort of a filter to find what's relevant. You do analysis that might be based on signatures, might be based on profiles, or could be based on something else, some sort of intelligence that could be driven by your understanding of how the business operates. And then from that, you derive useful intelligence, on which you'll take action or someone will take action. Turn the system off. Call the police. Whatever. It could be any of those, or do nothing. And maybe you come to the conclusion that nothing is going on. So hunting is an exciting discipline, something that I think is going to grow significantly as a component of cyber security as a profession. Now, to test our understanding, I've got a little bit of a quiz here. And the obvious answer is D, right? All of those are reasonable. I mean, when you think about hunting in a security operations center, your instinct is going to be that there'll be a lot of different conditions, and a lot of different approaches that you can use to derive intelligence. This really is an exciting branch of cyber security, and I hope this little video inspires some of you to chase this as a potential career. So, I hope this has been fun and helpful for you. We'll see you in the next video.
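The collect, filter, analyze, derive cycle described in the lecture, as an added worked example that is not part of the original video or its slides. The audit log, the source address, the user names and the per-user baseline are all constructed for illustration. It filters failed logins out of unrelated records, then applies both analysis styles the lecture names: a signature (many failures from one source inside a short window) and a profile deviation (a user's failure count well above their normal daily count), and returns the findings as the derived intelligence.

```python
"""Added example (not from the lecture): one threat-hunting pass over a
constructed audit log, showing collect -> filter -> analyze -> derive."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: mostly unrelated activity, with a password-guessing
# burst against 'alice' from 203.0.113.7 (a documentation address) interspersed.
# Record format: time|event|user|src|result
AUDIT_LOG = """\
2024-05-01T09:00:01|file_read|bob|10.0.0.5|ok
2024-05-01T09:00:03|login|alice|203.0.113.7|fail
2024-05-01T09:00:04|dns_query|svc-backup|10.0.0.9|ok
2024-05-01T09:00:05|login|alice|203.0.113.7|fail
2024-05-01T09:00:06|print_job|carol|10.0.0.12|ok
2024-05-01T09:00:07|login|alice|203.0.113.7|fail
2024-05-01T09:00:08|login|bob|10.0.0.5|ok
2024-05-01T09:00:09|file_write|bob|10.0.0.5|ok
2024-05-01T09:00:10|login|alice|203.0.113.7|fail
2024-05-01T09:00:11|login|alice|203.0.113.7|fail
2024-05-01T09:00:12|cron_run|root|10.0.0.1|ok
2024-05-01T09:00:13|login|alice|203.0.113.7|fail
2024-05-01T09:05:00|login|carol|10.0.0.12|fail
2024-05-01T09:05:30|login|carol|10.0.0.12|ok
"""

# Constructed baseline profile: typical failed logins per user per day.
BASELINE_FAILS_PER_DAY = {"alice": 1, "bob": 0, "carol": 2}


def parse_log(text):
    """Collect: turn raw lines into records; skip malformed lines instead of crashing."""
    records = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 5:
            continue
        ts, event, user, src, result = parts
        records.append({"ts": datetime.fromisoformat(ts), "event": event,
                        "user": user, "src": src, "result": result})
    return records


def filter_relevant(records):
    """Filter: keep only failed logins; every other record is noise for this hunt."""
    return [r for r in records if r["event"] == "login" and r["result"] == "fail"]


def signature_password_guessing(fails, threshold=5, window=timedelta(seconds=60)):
    """Analyze (signature): at least `threshold` failures from one source inside `window`."""
    by_src = defaultdict(list)
    for r in fails:
        by_src[r["src"]].append(r["ts"])
    findings = []
    for src, times in by_src.items():
        times.sort()
        start = 0  # sliding window over the sorted timestamps
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append(("signature",
                                 f"{src}: {end - start + 1} failed logins within {window.seconds}s"))
                break
    return findings


def profile_deviation(fails, baseline, factor=3):
    """Analyze (profile): a user's failures exceed several times their normal daily count."""
    count = defaultdict(int)
    for r in fails:
        count[r["user"]] += 1
    findings = []
    for user, n in count.items():
        expected = baseline.get(user, 0)
        # floor of 2 so a single stray failure never trips a zero-baseline user
        if n > max(expected * factor, 2):
            findings.append(("profile", f"{user}: {n} failures vs expected ~{expected}/day"))
    return findings


def hunt(log_text, baseline):
    """Derive: run the whole cycle and return the findings (the intelligence)."""
    fails = filter_relevant(parse_log(log_text))
    return signature_password_guessing(fails) + profile_deviation(fails, baseline)


if __name__ == "__main__":
    for kind, msg in hunt(AUDIT_LOG, BASELINE_FAILS_PER_DAY):
        print(f"[{kind}] {msg}")
```

Run as-is, it reports two findings: the signature fires on the burst from 203.0.113.7, and the profile check fires on alice because six failures is far above her baseline, while carol's single failure stays inside her normal range. The point the lecture makes shows up in the numbers: of fourteen records only seven are even relevant, and the two analysis styles reach the same conclusion by different routes, which is exactly the kind of corroboration a hunter wants before deciding what action to take.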