Hunting on Endpoints: Insights from OffSec TH-200 Course module 5 Section 1

Workstations, servers, and mobile devices are where attackers ultimately have to run their code, which makes them prime targets for cybercriminals looking to execute malicious payloads and move deeper into the network. With the rise of sophisticated attacks, it is critical to get ahead of the game, and that is where endpoint threat hunting comes in.

Rather than waiting for threats to strike, endpoint threat hunting allows security teams to proactively seek out suspicious activities on devices before they become a serious problem. It’s about staying one step ahead and ensuring your organization’s data and systems remain secure.


Cracking the Code: Indicators of Compromise (IoCs) to Watch

When hunting on endpoints, threat hunters focus on three primary types of Indicators of Compromise (IoCs):

  1. Network-related IoCs: Suspicious IP addresses, domains, or URLs tied to known malicious activities.
  2. File-related IoCs: Cryptographic hashes (MD5, SHA-256) that identify known malicious files, along with suspicious file names, locations, or attributes that hint at potential threats.
  3. Behavioral IoCs: User activities or system behaviors that deviate from the norm, signaling something is off.

These IoCs are the bread and butter of identifying malicious activities. But not all IoCs are created equal—each type provides different clues about what’s happening on your endpoints.

Network-related IoCs

Think of these as red flags within your network traffic—IP addresses or domains that point directly to bad actors. These have been covered in detail in previous modules, so let’s dive into something more dynamic.

File-related IoCs

File hashes work like fingerprints: two files with the same content produce the same hash, so comparing the hashes of files on an endpoint against a feed of known-malware hashes quickly flags threats. Prefer SHA-256 over MD5 for this, since MD5 collisions are practical and an attacker can craft a benign-looking file with the same MD5 as a known sample. Be warned, too, that a hash match is precise but brittle: changing a single byte (recompiling, repacking, or simply appending padding) produces a completely different hash, and sophisticated attackers do this routinely, so hash feeds must be kept current and should never be the only file-level indicator you hunt with.
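The following is an added example, not code from the course or this post: a small hash-based IoC sweep that walks a directory, hashes every file in chunks, and compares MD5 and SHA-256 digests against an IoC feed. The feed, the sample "dropper" bytes, and the file names are constructed for the demo; the feed is derived from the sample so the script runs offline, where in practice it would come from your threat-intelligence source. The demo also shows the brittleness caveat above: a copy of the sample with one extra byte appended is missed entirely.

```python
"""Hash-based file IoC sweep with a demo of how fragile hash matching is (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # read 1 MiB at a time so large binaries are never loaded whole


def hash_file(path: Path) -> dict:
    """Return MD5 and SHA-256 hex digests of a file, computed in a single pass."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with path.open("rb") as fh:
        while chunk := fh.read(CHUNK):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def sweep(root: Path, ioc_feed: dict) -> list:
    """Walk `root` and return (path, algorithm, digest) for every file whose hash is in the feed.

    `ioc_feed` maps an algorithm name ("md5" / "sha256") to a set of lowercase hex digests.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                digests = hash_file(path)
            except OSError:
                continue  # locked or unreadable file: skip it and keep sweeping
            for algo, digest in digests.items():
                if digest in ioc_feed.get(algo, set()):
                    hits.append((str(path), algo, digest))
    return hits


# Constructed demo data: a hypothetical "dropper" body, not real malware.
SAMPLE = b"MZ\x90\x00\x03hypothetical dropper body for the demo"
# The feed is built from SAMPLE so the example is self-contained; a real feed is threat intel.
FEED = {
    "sha256": {hashlib.sha256(SAMPLE).hexdigest()},
    "md5": {hashlib.md5(SAMPLE).hexdigest()},
}


def demo() -> dict:
    """Write the sample, a one-byte-modified copy, and a benign file into a temp dir and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "dropper.exe").write_bytes(SAMPLE)
        (root / "dropper_v2.exe").write_bytes(SAMPLE + b"\x00")  # attacker appended one byte
        (root / "notes.txt").write_bytes(b"meeting notes")
        hits = sweep(root, FEED)
    return {
        "matched_files": sorted({Path(p).name for p, _algo, _digest in hits}),
        "hit_count": len(hits),  # one file matches on both md5 and sha256
    }


if __name__ == "__main__":
    print(demo())
```

Only `dropper.exe` is reported; `dropper_v2.exe` carries the same payload plus one padding byte and sails through, which is exactly why hash IoCs need to be combined with the behavioral indicators discussed next.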

Behavioral IoCs

This is where things get interesting. Unlike static indicators like file hashes, behavioral IoCs look at the bigger picture: patterns in how users or systems behave. If a process is running that shouldn't be, such as an Office application spawning a command shell, or if users are suddenly doing things they have never done before, such as a standard user enumerating domain groups, it could point to malicious activity. Because these indicators describe what the attacker does rather than the exact bytes they dropped, they survive the recompiling and repacking that defeats hash matching.
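As an added example (not code from the course or this post), here is a minimal behavioral hunt over process-creation telemetry. The events are constructed and loosely shaped like the fields of a process-creation log (user, parent image, child image, command line); the user names, file names, and the "known-good" baseline window are all invented. The script first learns, per user, which parent-to-child process pairs were seen during the baseline window, then flags later events that introduce a new pair for that user, that show an Office application spawning a shell, or that carry an encoded PowerShell command line.

```python
"""Baseline-deviation hunt over constructed process-creation events (added example)."""
from collections import defaultdict

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
ENCODED_FLAGS = {"-enc", "-encodedcommand", "-ec"}

# Constructed known-good window: what these (invented) users normally run.
BASELINE_EVENTS = [
    {"user": "jdoe", "parent": "explorer.exe", "image": "winword.exe", "cmd": "winword.exe report.docx"},
    {"user": "jdoe", "parent": "explorer.exe", "image": "outlook.exe", "cmd": "outlook.exe"},
    {"user": "svc_backup", "parent": "services.exe", "image": "backup.exe", "cmd": "backup.exe --nightly"},
    {"user": "admin1", "parent": "explorer.exe", "image": "powershell.exe", "cmd": "powershell.exe -File maint.ps1"},
]

# Constructed hunt window. "SQBFAFgA" is UTF-16LE "IEX" base64-encoded, a classic encoded-command tell.
HUNT_EVENTS = [
    {"user": "jdoe", "parent": "explorer.exe", "image": "winword.exe", "cmd": "winword.exe invoice.docx"},
    {"user": "jdoe", "parent": "winword.exe", "image": "powershell.exe", "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"user": "jdoe", "parent": "cmd.exe", "image": "net.exe", "cmd": 'net group "domain admins" /domain'},
    {"user": "svc_backup", "parent": "services.exe", "image": "backup.exe", "cmd": "backup.exe --nightly"},
]


def build_baseline(events: list) -> dict:
    """Map each user to the set of (parent, image) pairs observed in the known-good window."""
    baseline = defaultdict(set)
    for e in events:
        baseline[e["user"]].add((e["parent"], e["image"]))
    return baseline


def hunt(events: list, baseline: dict) -> list:
    """Return the events that deviate from the baseline, each annotated with the reasons it was flagged."""
    findings = []
    for e in events:
        reasons = []
        if (e["parent"], e["image"]) not in baseline.get(e["user"], set()):
            reasons.append("new parent/child pair for this user")
        if e["parent"] in OFFICE and e["image"] in SHELLS:
            reasons.append("Office application spawned a shell")
        if any(tok.lower() in ENCODED_FLAGS for tok in e["cmd"].split()):
            reasons.append("encoded PowerShell command line")
        if reasons:
            findings.append({**e, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(HUNT_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(f["user"], f["parent"], "->", f["image"], "|", "; ".join(f["reasons"]))
```

The Word-to-PowerShell event trips all three checks, while `net group "domain admins"` is flagged purely because `jdoe` has never run `net.exe` from `cmd.exe` before; the repeated `backup.exe` run and the new Word document are normal for their users and stay quiet. In a real hunt the baseline comes from weeks of telemetry rather than four rows, and the parent/child check is one of several behavioral dimensions (network destinations, logon types, file writes) you would stack.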


The Power of Logs: Your Key to Hunting Success