Threat hunting means proactively searching within the network for anomalies that might indicate a breach. Because a vast amount of data has to be collected and analyzed, it is a painstaking and time-consuming process, and a slow hunt is a less effective one. Proper data collection and analysis methods can greatly improve both its speed and its effectiveness. In this article, we’ll discuss the various data collection and analysis methods that threat hunters and analysts can use during a hunt.
What Kind of Data Are We Collecting?
As a threat hunter, you need adequate data in order to perform your hunt; without the right data, you cannot hunt. Let’s take a look at what qualifies as the right data for hunting.
Note that what counts as the right data depends on what you will be looking for during your hunt. Generally, hunting data can be classified into three categories:
1. Endpoint Data
Endpoint data comes from the endpoint devices within the network. These can be end-user devices such as mobile phones, laptops and desktop PCs, but the term also covers hardware such as servers (like in