Threat hunting adalah proaktif mencari threat sebelum alarm berbunyi.
Hunting Loop
Hypothesis -> Data Collection -> Analysis -> TTP Match -> Automation
^ |
+--------------------------------------------------------+
Data Sources
- Network logs (Zeek, NetFlow, DNS)
- Endpoint logs (Sysmon, EDR, Windows Event Log)
- Cloud logs (CloudTrail, Azure Activity Log)
- Identity logs (AD, Okta, VPN)
Detection Techniques
- Anomaly detection (baseline + deviation)
- TTP mapping (MITRE ATT&CK)
- IoA (Indicator of Attack) vs IoC
- Chain analysis (correlate multiple events)