threat-detection
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseThreat Detection
威胁检测
Threat detection skill for proactive discovery of attacker activity through hypothesis-driven hunting, IOC analysis, and behavioral anomaly detection. This is NOT incident response (see incident-response) or red team operations (see red-team) — this is about finding threats that have evaded automated controls.
本技能用于通过假设驱动的威胁狩猎、IOC分析和行为异常检测,主动发现攻击者活动。注意:这并非事件响应(详见incident-response)或红队操作(详见red-team)——而是针对规避了自动化控制的威胁进行排查。
Table of Contents
目录
Overview
概述
What This Skill Does
本技能的作用
This skill provides the methodology and tooling for proactive threat detection — finding attacker activity through structured hunting hypotheses, IOC analysis, and statistical anomaly detection before alerts fire.
本技能提供主动威胁检测的方法论和工具——通过结构化狩猎假设、IOC分析和统计异常检测,在警报触发前发现攻击者活动。
Distinction from Other Security Skills
与其他安全技能的区别
| Skill | Focus | Approach |
|---|---|---|
| threat-detection (this) | Finding hidden threats | Proactive — hunt before alerts |
| incident-response | Active incidents | Reactive — contain and investigate declared incidents |
| red-team | Offensive simulation | Offensive — test defenses from attacker perspective |
| cloud-security | Cloud misconfigurations | Posture — IAM, S3, network exposure |
| 技能 | 核心关注点 | 方法 |
|---|---|---|
| 威胁检测(本技能) | 发现隐藏威胁 | 主动式——在警报触发前开展狩猎 |
| 事件响应 | 活跃事件 | 被动式——遏制并调查已上报的事件 |
| 红队 | 攻击性模拟 | 进攻式——从攻击者视角测试防御能力 |
| 云安全 | 云配置错误 | 态势管理——IAM、S3、网络暴露 |
Prerequisites
前置条件
Read access to SIEM/EDR telemetry, endpoint logs, and network flow data. IOC feeds require freshness within 30 days to avoid false positives. Hunting hypotheses must be scoped to the environment before execution.
拥有SIEM/EDR遥测数据、终端日志和网络流量数据的读取权限。IOC源需要保持30天内的时效性,以避免误报。狩猎假设在执行前必须限定在特定环境范围内。
Threat Signal Analyzer
威胁信号分析器
The tool supports three modes: (hypothesis scoring), (sweep generation), and (statistical detection).
threat_signal_analyzer.pyhuntiocanomalybash
undefinedthreat_signal_analyzer.pyhuntiocanomalybash
undefinedHunt mode: score a hypothesis against MITRE ATT&CK coverage
Hunt模式:根据MITRE ATT&CK覆盖范围对假设进行评分
python3 scripts/threat_signal_analyzer.py --mode hunt
--hypothesis "Lateral movement via PtH using compromised service account"
--actor-relevance 3 --control-gap 2 --data-availability 2 --json
--hypothesis "Lateral movement via PtH using compromised service account"
--actor-relevance 3 --control-gap 2 --data-availability 2 --json
python3 scripts/threat_signal_analyzer.py --mode hunt
--hypothesis "Lateral movement via PtH using compromised service account"
--actor-relevance 3 --control-gap 2 --data-availability 2 --json
--hypothesis "Lateral movement via PtH using compromised service account"
--actor-relevance 3 --control-gap 2 --data-availability 2 --json
IOC mode: generate sweep targets from an IOC feed file
IOC模式:从IOC源文件生成扫描目标
python3 scripts/threat_signal_analyzer.py --mode ioc
--ioc-file iocs.json --json
--ioc-file iocs.json --json
python3 scripts/threat_signal_analyzer.py --mode ioc
--ioc-file iocs.json --json
--ioc-file iocs.json --json
Anomaly mode: detect statistical outliers in telemetry events
Anomaly模式:检测遥测事件中的统计异常值
python3 scripts/threat_signal_analyzer.py --mode anomaly
--events-file telemetry.json
--baseline-mean 100 --baseline-std 25 --json
--events-file telemetry.json
--baseline-mean 100 --baseline-std 25 --json
python3 scripts/threat_signal_analyzer.py --mode anomaly
--events-file telemetry.json
--baseline-mean 100 --baseline-std 25 --json
--events-file telemetry.json
--baseline-mean 100 --baseline-std 25 --json
List all supported MITRE ATT&CK techniques
列出所有支持的MITRE ATT&CK技术
python3 scripts/threat_signal_analyzer.py --list-techniques
undefinedpython3 scripts/threat_signal_analyzer.py --list-techniques
undefinedIOC file format
IOC文件格式
json
{
"ips": ["1.2.3.4", "5.6.7.8"],
"domains": ["malicious.example.com"],
"hashes": ["abc123def456..."]
}json
{
"ips": ["1.2.3.4", "5.6.7.8"],
"domains": ["malicious.example.com"],
"hashes": ["abc123def456..."]
}Telemetry events file format
遥测事件文件格式
json
[
{"timestamp": "2024-01-15T14:32:00Z", "entity": "host-01", "action": "dns_query", "volume": 450},
{"timestamp": "2024-01-15T14:33:00Z", "entity": "host-02", "action": "dns_query", "volume": 95}
]json
[
{"timestamp": "2024-01-15T14:32:00Z", "entity": "host-01", "action": "dns_query", "volume": 450},
{"timestamp": "2024-01-15T14:33:00Z", "entity": "host-02", "action": "dns_query", "volume": 95}
]Exit codes
退出码
| Code | Meaning |
|---|---|
| 0 | No high-priority findings |
| 1 | Medium-priority signals detected |
| 2 | High-priority confirmed findings |
| 代码 | 含义 |
|---|---|
| 0 | 无高优先级发现 |
| 1 | 检测到中等优先级信号 |
| 2 | 确认存在高优先级发现 |
Threat Hunting Methodology
威胁狩猎方法论
Structured threat hunting follows a five-step loop: hypothesis → data source identification → query execution → finding triage → feedback to detection engineering.
结构化威胁狩猎遵循五步循环:假设→数据源识别→查询执行→发现分类→反馈给检测工程团队。
Hypothesis Scoring
假设评分
| Factor | Weight | Description |
|---|---|---|
| Actor relevance | ×3 | How closely does this TTP match known threat actors in your sector? |
| Control gap | ×2 | How many of your existing controls would miss this behavior? |
| Data availability | ×1 | Do you have the telemetry data needed to test this hypothesis? |
Priority score = (actor_relevance × 3) + (control_gap × 2) + (data_availability × 1)
| 因素 | 权重 | 描述 |
|---|---|---|
| 攻击者相关性 | ×3 | 该TTP与所在行业已知威胁攻击者的匹配程度? |
| 控制缺口 | ×2 | 现有控制措施中有多少会遗漏该行为? |
| 数据可用性 | ×1 | 是否具备测试该假设所需的遥测数据? |
优先级得分 = (攻击者相关性 × 3) + (控制缺口 × 2) + (数据可用性 × 1)
High-Value Hunt Hypotheses by Tactic
按战术划分的高价值狩猎假设
| Hypothesis | MITRE ID | Data Sources | Priority Signal |
|---|---|---|---|
| WMI lateral movement via remote execution | T1047 | WMI logs, EDR process telemetry | WMI process spawned from WINRM, unusual parent-child chain |
| LOLBin execution for defense evasion | T1218 | Process creation, command-line args | certutil.exe, regsvr32.exe, mshta.exe with network activity |
| Beaconing C2 via jitter-heavy intervals | T1071.001 | Proxy logs, DNS logs | Regular interval outbound connections ±10% jitter |
| Pass-the-Hash lateral movement | T1550.002 | Windows security event 4624 type 3 | NTLM auth from unexpected source host to admin share |
| LSASS memory access | T1003.001 | EDR memory access events | OpenProcess on lsass.exe from non-system process |
| Kerberoasting | T1558.003 | Windows event 4769 | High volume TGS requests for service accounts |
| Scheduled task persistence | T1053.005 | Sysmon Event 1/11, Windows 4698 | Scheduled task created in non-standard directory |
| 假设 | MITRE ID | 数据源 | 优先级信号 |
|---|---|---|---|
| 通过远程执行进行WMI横向移动 | T1047 | WMI日志、EDR进程遥测 | 从WINRM生成的WMI进程、异常父子进程链 |
| 执行LOLBin以规避防御 | T1218 | 进程创建、命令行参数 | 带有网络活动的certutil.exe、regsvr32.exe、mshta.exe |
| 通过抖动间隔进行Beaconing C2通信 | T1071.001 | 代理日志、DNS日志 | 具有±10%抖动的定期出站连接 |
| 哈希传递(PtH)横向移动 | T1550.002 | Windows安全事件4624类型3 | 从意外源主机到管理员共享的NTLM认证 |
| LSASS内存访问 | T1003.001 | EDR内存访问事件 | 非系统进程对lsass.exe执行OpenProcess操作 |
| Kerberoasting攻击 | T1558.003 | Windows事件4769 | 针对服务账户的大量TGS请求 |
| 计划任务持久化 | T1053.005 | Sysmon事件1/11、Windows事件4698 | 在非标准目录中创建的计划任务 |
IOC Analysis
IOC分析
IOC analysis determines whether indicators are fresh, maps them to required sweep targets, and filters stale data that generates false positives.
IOC分析用于判断指标是否新鲜,映射到所需扫描目标,并过滤会产生误报的陈旧数据。
IOC Types and Sweep Priority
IOC类型与扫描优先级
| IOC Type | Staleness Threshold | Sweep Target | MITRE Coverage |
|---|---|---|---|
| IP addresses | 30 days | Firewall logs, NetFlow, proxy logs | T1071, T1105 |
| Domains | 30 days | DNS resolver logs, proxy logs | T1568, T1583 |
| File hashes | 90 days | EDR file creation, AV scan logs | T1105, T1027 |
| URLs | 14 days | Proxy access logs, browser history | T1566.002 |
| Mutex names | 180 days | EDR runtime artifacts | T1055 |
| IOC类型 | 陈旧阈值 | 扫描目标 | MITRE覆盖范围 |
|---|---|---|---|
| IP地址 | 30天 | 防火墙日志、NetFlow、代理日志 | T1071, T1105 |
| 域名 | 30天 | DNS解析器日志、代理日志 | T1568, T1583 |
| 文件哈希 | 90天 | EDR文件创建记录、AV扫描日志 | T1105, T1027 |
| URL | 14天 | 代理访问日志、浏览器历史 | T1566.002 |
| 互斥体名称 | 180天 | EDR运行时 artifacts | T1055 |
IOC Staleness Handling
IOC陈旧性处理
IOCs older than their threshold are flagged as and excluded from sweep target generation. Running sweeps against stale IOCs inflates false positive rates and reduces SOC credibility. Refresh IOC feeds from threat intelligence platforms (MISP, OpenCTI, commercial TI) before every hunt cycle.
stale超过阈值的IOC会被标记为(陈旧),并排除在扫描目标生成范围之外。针对陈旧IOC运行扫描会提高误报率,降低SOC可信度。每次狩猎周期前,需从威胁情报平台(MISP、OpenCTI、商用TI)刷新IOC源。
staleAnomaly Detection
异常检测
Statistical anomaly detection identifies behavior that deviates from established baselines without relying on known-bad signatures.
统计异常检测用于识别偏离既定基线的行为,无需依赖已知恶意特征。
Z-Score Thresholds
Z分数阈值
| Z-Score | Classification | Response |
|---|---|---|
| < 2.0 | Normal | No action required |
| 2.0–2.9 | Soft anomaly | Log and monitor — increase sampling |
| ≥ 3.0 | Hard anomaly | Escalate to hunt analyst — investigate entity |
| Z分数 | 分类 | 响应措施 |
|---|---|---|
| < 2.0 | 正常 | 无需操作 |
| 2.0–2.9 | 软异常 | 记录并监控——增加采样频率 |
| ≥ 3.0 | 硬异常 | 上报给狩猎分析师——调查相关实体 |
Baseline Requirements
基线要求
Effective anomaly detection requires at least 14 days of historical telemetry to establish a valid baseline. Baselines must be recomputed after:
- Security incidents (post-incident behavior change)
- Major infrastructure changes (cloud migrations, new SaaS deployments)
- Seasonal usage pattern changes (end of quarter, holiday periods)
有效的异常检测需要至少14天的历史遥测数据来建立有效基线。在以下情况后必须重新计算基线:
- 安全事件(事件后行为变化)
- 重大基础设施变更(云迁移、新SaaS部署)
- 季节性使用模式变化(季度末、节假日)
High-Value Anomaly Targets
高价值异常检测目标
| Entity Type | Metric | Anomaly Indicator |
|---|---|---|
| DNS resolver | Queries per hour per host | Beaconing, tunneling, DGA |
| Endpoint | Unique process executions per day | Malware installation, LOLBin abuse |
| Service account | Auth events per hour | Credential stuffing, lateral movement |
| Email gateway | Attachment types per hour | Phishing campaign spike |
| Cloud IAM | API calls per identity per hour | Credential compromise, exfiltration |
| 实体类型 | 指标 | 异常指示器 |
|---|---|---|
| DNS解析器 | 每小时每主机查询次数 | Beaconing、隧道、DGA |
| 终端 | 每日唯一进程执行数 | 恶意软件安装、LOLBin滥用 |
| 服务账户 | 每小时认证事件数 | 凭证填充、横向移动 |
| 邮件网关 | 每小时附件类型数 | 钓鱼活动激增 |
| 云IAM | 每身份每小时API调用数 | 凭证泄露、数据泄露 |
MITRE ATT&CK Signal Prioritization
基于MITRE ATT&CK的信号优先级排序
Each hunting hypothesis maps to one or more ATT&CK techniques. Techniques with multiple confirmed signals in your environment are higher priority.
每个狩猎假设都映射到一个或多个ATT&CK技术。在环境中存在多个确认信号的技术优先级更高。
Tactic Coverage Matrix
战术覆盖矩阵
| Tactic | Key Techniques | Primary Data Source |
|--------|---------------|--------------------|-|
| Initial Access | T1190, T1566, T1078 | Web access logs, email gateway, auth logs |
| Execution | T1059, T1047, T1218 | Process creation, command-line, script execution |
| Persistence | T1053, T1543, T1098 | Scheduled tasks, services, account changes |
| Defense Evasion | T1027, T1562, T1070 | Process hollowing, log clearing, encoding |
| Credential Access | T1003, T1558, T1110 | LSASS, Kerberos, auth failures |
| Lateral Movement | T1550, T1021, T1534 | NTLM auth, remote services, internal spearphish |
| Collection | T1074, T1560, T1114 | Staging directories, archive creation, email access |
| Exfiltration | T1048, T1041, T1567 | Unusual outbound volume, DNS tunneling, cloud storage |
| Command & Control | T1071, T1572, T1568 | Beaconing, protocol tunneling, DNS C2 |
| 战术 | 核心技术 | 主要数据源 |
|---|---|---|
| 初始访问 | T1190, T1566, T1078 | Web访问日志、邮件网关、认证日志 |
| 执行 | T1059, T1047, T1218 | 进程创建、命令行、脚本执行 |
| 持久化 | T1053, T1543, T1098 | 计划任务、服务、账户变更 |
| 防御规避 | T1027, T1562, T1070 | 进程注入、日志清除、编码 |
| 凭证获取 | T1003, T1558, T1110 | LSASS、Kerberos、认证失败 |
| 横向移动 | T1550, T1021, T1534 | NTLM认证、远程服务、内部鱼叉式钓鱼 |
| 数据收集 | T1074, T1560, T1114 | 暂存目录、归档创建、邮件访问 |
| 数据泄露 | T1048, T1041, T1567 | 异常出站流量、DNS隧道、云存储 |
| 命令与控制 | T1071, T1572, T1568 | Beaconing、协议隧道、DNS C2 |
Deception and Honeypot Integration
欺骗技术与蜜罐集成
Deception assets generate high-fidelity alerts — any interaction with a honeypot is an unambiguous signal requiring investigation.
欺骗资产会生成高保真警报——任何与蜜罐的交互都是明确的信号,需要进行调查。
Deception Asset Types and Placement
欺骗资产类型与部署位置
| Asset Type | Placement | Signal | ATT&CK Technique |
|---|---|---|---|
| Honeypot credentials in password vault | Vault secrets store | Credential access attempt | T1555 |
| Honey tokens (fake AWS access keys) | Git repos, S3 objects | Reconnaissance or exfiltration | T1552.004 |
| Honey files (named: passwords.xlsx) | File shares, endpoints | Collection staging | T1074 |
| Honey accounts (dormant AD users) | Active Directory | Lateral movement pivot | T1078.002 |
| Honeypot network services | DMZ, flat network segments | Network scanning, service exploitation | T1046, T1190 |
Honeypot alerts bypass the standard scoring pipeline — any hit is an automatic SEV2 until proven otherwise.
| 资产类型 | 部署位置 | 信号 | ATT&CK技术 |
|---|---|---|---|
| 密码库中的蜜罐凭证 | 凭证存储库 | 凭证访问尝试 | T1555 |
| 蜜罐令牌(伪造AWS访问密钥) | Git仓库、S3对象 | 侦察或数据泄露 | T1552.004 |
| 蜜罐文件(命名:passwords.xlsx) | 文件共享、终端 | 数据收集暂存 | T1074 |
| 蜜罐账户(休眠AD用户) | Active Directory | 横向移动支点 | T1078.002 |
| 蜜罐网络服务 | DMZ、扁平网段 | 网络扫描、服务利用 | T1046, T1190 |
蜜罐警报跳过标准评分流程——任何命中都会自动标记为SEV2,除非被证明是误报。
Workflows
工作流
Workflow 1: Quick Hunt (30 Minutes)
工作流1:快速狩猎(30分钟)
For responding to a new threat intelligence report or CVE alert:
bash
undefined用于响应新的威胁情报报告或CVE警报:
bash
undefined1. Score hypothesis against environment context
1. 根据环境上下文对假设进行评分
python3 scripts/threat_signal_analyzer.py --mode hunt
--hypothesis "Exploitation of CVE-YYYY-NNNNN in Apache"
--actor-relevance 2 --control-gap 3 --data-availability 2 --json
--hypothesis "Exploitation of CVE-YYYY-NNNNN in Apache"
--actor-relevance 2 --control-gap 3 --data-availability 2 --json
python3 scripts/threat_signal_analyzer.py --mode hunt
--hypothesis "Exploitation of CVE-YYYY-NNNNN in Apache"
--actor-relevance 2 --control-gap 3 --data-availability 2 --json
--hypothesis "Exploitation of CVE-YYYY-NNNNN in Apache"
--actor-relevance 2 --control-gap 3 --data-availability 2 --json
2. Build IOC sweep list from threat intel
2. 从威胁情报构建IOC扫描列表
echo '{"ips": ["1.2.3.4"], "domains": ["malicious.tld"], "hashes": []}' > iocs.json
python3 scripts/threat_signal_analyzer.py --mode ioc --ioc-file iocs.json --json
echo '{"ips": ["1.2.3.4"], "domains": ["malicious.tld"], "hashes": []}' > iocs.json
python3 scripts/threat_signal_analyzer.py --mode ioc --ioc-file iocs.json --json
3. Check for anomalies in web server telemetry from last 24h
3. 检查过去24小时内Web服务器遥测数据中的异常
python3 scripts/threat_signal_analyzer.py --mode anomaly
--events-file web_events_24h.json --baseline-mean 80 --baseline-std 20 --json
--events-file web_events_24h.json --baseline-mean 80 --baseline-std 20 --json
**Decision**: If hunt priority ≥ 7 or any IOC sweep hits, escalate to full hunt.python3 scripts/threat_signal_analyzer.py --mode anomaly
--events-file web_events_24h.json --baseline-mean 80 --baseline-std 20 --json
--events-file web_events_24h.json --baseline-mean 80 --baseline-std 20 --json
**决策**:如果狩猎优先级≥7或任何IOC扫描命中,则升级为完整狩猎。Workflow 2: Full Threat Hunt (Multi-Day)
工作流2:完整威胁狩猎(多天)
Day 1 — Hypothesis Generation:
- Review threat intelligence feeds for sector-relevant TTPs
- Map last 30 days of security alerts to ATT&CK tactics to identify gaps
- Score top 5 hypotheses with threat_signal_analyzer.py hunt mode
- Prioritize by score — start with highest
Day 2 — Data Collection and Query Execution:
- Pull relevant telemetry from SIEM (date range: last 14 days)
- Run anomaly detection across entity baselines
- Execute IOC sweeps for all feeds fresh within 30 days
- Review hunt playbooks in
references/hunt-playbooks.md
Day 3 — Triage and Reporting:
- Triage all anomaly findings — confirm or dismiss
- Escalate confirmed activity to incident-response
- Document new detection rules from hunt findings
- Submit false-positive IOCs back to TI provider
第1天——假设生成:
- 查看威胁情报源,获取行业相关的TTP
- 将过去30天的安全警报映射到ATT&CK战术,识别缺口
- 使用threat_signal_analyzer.py的hunt模式对前5个假设进行评分
- 按得分排序——从最高分开始
第2天——数据收集与查询执行:
- 从SIEM提取相关遥测数据(时间范围:过去14天)
- 跨实体基线运行异常检测
- 对所有30天内的新鲜IOC源执行扫描
- 查看中的狩猎手册
references/hunt-playbooks.md
第3天——分类与报告:
- 对所有异常发现进行分类——确认或驳回
- 将确认的活动升级到事件响应流程
- 根据狩猎发现记录新的检测规则
- 将误报IOC反馈给TI提供商
Workflow 3: Continuous Monitoring (Automated)
工作流3:持续监控(自动化)
Configure recurring anomaly detection against key entity baselines on a 6-hour cadence:
bash
undefined配置针对关键实体基线的定期异常检测,每6小时执行一次:
bash
undefinedRun as cron job every 6 hours — auto-escalate on exit code 2
作为cron任务每6小时运行一次——退出码为2时自动上报
python3 scripts/threat_signal_analyzer.py --mode anomaly
--events-file /var/log/telemetry/events_6h.json
--baseline-mean "${BASELINE_MEAN}"
--baseline-std "${BASELINE_STD}"
--json > /var/log/threat-detection/$(date +%Y%m%d_%H%M%S).json
--events-file /var/log/telemetry/events_6h.json
--baseline-mean "${BASELINE_MEAN}"
--baseline-std "${BASELINE_STD}"
--json > /var/log/threat-detection/$(date +%Y%m%d_%H%M%S).json
python3 scripts/threat_signal_analyzer.py --mode anomaly
--events-file /var/log/telemetry/events_6h.json
--baseline-mean "${BASELINE_MEAN}"
--baseline-std "${BASELINE_STD}"
--json > /var/log/threat-detection/$(date +%Y%m%d_%H%M%S).json
--events-file /var/log/telemetry/events_6h.json
--baseline-mean "${BASELINE_MEAN}"
--baseline-std "${BASELINE_STD}"
--json > /var/log/threat-detection/$(date +%Y%m%d_%H%M%S).json
Alert on exit code 2 (hard anomaly)
退出码为2(硬异常)时触发警报
if [ $? -eq 2 ]; then
send_alert "Hard anomaly detected — threat_signal_analyzer"
fi
---if [ $? -eq 2 ]; then
send_alert "Hard anomaly detected — threat_signal_analyzer"
fi
---Anti-Patterns
反模式
- Hunting without a hypothesis — Running broad queries across all telemetry without a focused question generates noise, not signal. Every hunt must start with a testable hypothesis scoped to one or two ATT&CK techniques.
- Using stale IOCs — IOCs older than 30 days generate false positives that train analysts to ignore alerts. Always check IOC freshness before sweeping; exclude stale indicators from automated sweeps.
- Skipping baseline establishment — Anomaly detection without a valid baseline produces alerts on normal high-volume days. Require 14+ days of baseline data before enabling statistical alerting on any entity type.
- Hunting only known techniques — Hunting exclusively against documented ATT&CK techniques misses novel adversary behavior. Regularly include open-ended anomaly analysis that can surface unknown TTPs.
- Not closing the feedback loop to detection engineering — Hunt findings that confirm malicious behavior must produce new detection rules. Hunting that doesn't improve detection coverage has no lasting value.
- Treating every anomaly as a confirmed threat — High z-scores indicate deviation from baseline, not confirmed malice. All anomalies require human triage to confirm or dismiss before escalation.
- Ignoring honeypot alerts — Any interaction with a deception asset is a high-fidelity signal. Treating honeypot alerts as noise invalidates the entire deception investment.
- 无假设狩猎——在所有遥测数据中运行宽泛查询而没有明确目标,只会产生噪音而非有效信号。每次狩猎必须从一个可测试的假设开始,限定在一到两个ATT&CK技术范围内。
- 使用陈旧IOC——超过30天的IOC会产生误报,导致分析师忽略警报。扫描前务必检查IOC时效性;自动扫描中排除陈旧指标。
- 跳过基线建立——没有有效基线的异常检测会在正常高流量时段产生警报。在对任何实体类型启用统计警报前,必须收集14天以上的基线数据。
- 仅针对已知技术狩猎——仅针对已记录的ATT&CK技术进行狩猎会遗漏攻击者的新型行为。定期开展开放式异常分析,以发现未知TTP。
- 未向检测工程团队反馈——确认存在恶意行为的狩猎发现必须转化为新的检测规则。无法提升检测覆盖范围的狩猎没有长期价值。
- 将所有异常视为已确认威胁——高Z分数仅表示偏离基线,而非确认恶意。所有异常都需要人工分类,确认后再上报。
- 忽略蜜罐警报——任何与欺骗资产的交互都是高保真信号。将蜜罐警报视为噪音会使整个欺骗投资失效。
Cross-References
交叉引用
| Skill | Relationship |
|---|---|
| incident-response | Confirmed threats from hunting escalate to incident-response for triage and containment |
| red-team | Red team exercises generate realistic TTPs that inform hunt hypothesis prioritization |
| cloud-security | Cloud posture findings (open S3, IAM wildcards) create hunting targets for data exfiltration TTPs |
| security-pen-testing | Pen test findings identify attack surfaces that threat hunting should monitor post-remediation |
| 技能 | 关系 |
|---|---|
| 事件响应 | 狩猎发现的已确认威胁会升级到事件响应流程进行分类和遏制 |
| 红队 | 红队演练生成的真实TTP可为狩猎假设优先级排序提供参考 |
| 云安全 | 云态势发现(开放S3、IAM通配符)可作为数据泄露TTP的狩猎目标 |
| 安全渗透测试 | 渗透测试发现可识别攻击面,威胁狩猎应在修复后持续监控这些区域 |