Threat Hunting and training such as GCFA are proving to be beneficial to lower the internal detection and dwell time. Not long ago we were discussing the long time that was taking to do internal detection and average dwell time but this is currently changing.
Rob Lee and the SANS Institute in their GCFA update for this course are stating how they are starting to see some fruitful results as a result of Threat Hunting.
Internal discovery of a compromise is gaining momentum with an increase from 20% to nearly 50 % and therefore the dwell time is getting shorter thus reducing risk for organizations. The difference is driven by Threat Hunting and advance training such as GCFA.
Other important issues standing out from this update is SOC and DFIR skills as Rob explains are intimately related .
While the SOC detects adversary behavior, the DFIR observes and tracks the adversary behavior and the good news is that these functions do not need to be sitting on different teams. Indeed, it makes sense that the analysts are capable of pivoting from one role to the other in order to do a successful detection.
Threat Hunting is proactively changing the industry and also the standards needed for professionals to successfully strive in a threat hunting – detection capability.
The presentation also takes a high level approach introducing the last topics covered in the course and the last techniques seen in the wild. Even if you have not attended this training I still recommend you to watch this video since it will introduce topics that you can later research.