Incident Response¶
7. THREAT HUNTING PROGRAM¶
Threat hunting is the proactive search for threats that evade automated detection systems. Abhavtech's threat hunting program follows a hypothesis-driven approach aligned with MITRE ATT&CK.
7.1 Threat Hunting Methodology¶
Hunt Maturity Model (Abhavtech: Level 3 - Procedure-Based):
| Level | Description | Abhavtech Status |
|---|---|---|
| Level 0 - Reactive | No proactive hunting, rely only on alerts | ❌ Surpassed |
| Level 1 - Ad-hoc | Occasional hunts, no process | ❌ Surpassed |
| Level 2 - Tool-Assisted | Regular hunts using SIEM, but reactive to intelligence | ❌ Surpassed |
| Level 3 - Procedure-Based | Documented hunt playbooks, weekly hunts, hypothesis-driven | ✅ Current State |
| Level 4 - Innovative | Custom tools, automation, machine learning-enhanced hunting | ⚠️ Target for 2026 |
Hunt Process (6 Steps):
- Hypothesis Development: Based on threat intelligence, MITRE ATT&CK, recent incidents
- Data Collection: Gather relevant data sources (Splunk, NetFlow, AMP, ISE logs)
- Query/Analysis: Run Splunk queries, correlate events, identify anomalies
- Investigat Investigation: Deep-dive into suspicious findings, validate true positives
- Response: Contain threats, update detections, add IOCs to threat intel
- Documentation: Hunt report (findings, IOCs, lessons learned), share with team
7.2 Weekly Hunt Calendar (Rotating Themes)¶
| Week | Hunt Theme | MITRE ATT&CK Focus | Data Sources | Expected Findings | Success Criteria |
|---|---|---|---|---|---|
| Week 1 | Phishing Infrastructure | T1566 (Phishing) | Secure Email, Umbrella DNS, Splunk email logs | Malicious domains, phishing kits, compromised accounts | Find 5+ phishing domains, block via Umbrella |
| Week 2 | Lateral Movement | T1021 (Remote Services), T1570 (Lateral Tool Transfer) | ISE auth logs, FTD flows, AMP process execution | Unusual RDP/SMB, admin account usage patterns | Identify 2+ unauthorized lateral movement attempts |
| Week 3 | Data Exfiltration | T1048 (Exfil Over Alt Protocol), T1041 (Exfil Over C2) | NetFlow, DLP logs, Umbrella proxy | Large data transfers, DNS tunneling, unusual cloud uploads | Detect 1+ data exfiltration attempt |
| Week 4 | Credential Access | T1003 (Credential Dumping), T1110 (Brute Force) | CyberArk PAM, ISE failed auth, Splunk Event ID 4624/4625 | Mimikatz usage, brute force attacks, password spraying | Find 3+ credential access attempts |
8. CONTINUOUS SECURITY MONITORING¶
8.1 Unified Security Dashboard (Splunk Enterprise Security)¶
Real-Time Security Metrics (SOC Wall Display - 4K Monitors × 6):
Monitor 1: XDR Alert Feed (Live Scroll)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
[10:23:45] P2 - AMP Malware: TrojanDownloader on LAPTOP-456
[10:22:18] P3 - ISE SGT Violation: User SGT 15 → Server SGT 81 (Denied)
[10:20:05] P1 - Duo Impossible Travel: user@domain (NYC → London, 30 min)
[10:18:42] P3 - FTD IPS: SQL Injection attempt blocked (Web Server DMZ)
Monitor 2: Incident Status Board
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Open Incidents: 18
P1 Critical: 0
P2 High: 3 (avg age: 2.5 hours)
P3 Medium: 10 (avg age: 6 hours)
P4 Low: 5 (avg age: 12 hours)
SLA Compliance: 95% (target: 98%)
MTTR Today: 22 minutes (target: <120 min)
Monitor 3: Network Traffic Heatmap (ThousandEyes)
Monitor 4: Endpoint Health Status (AMP Coverage %)
Monitor 5: Authentication Success Rate (ISE/Duo)
Monitor 6: Compliance Scorecard (PCI/SOC2/ISO/GDPR)