White Paper: Hunting with Prevention

Traditional endpoint protection such as antivirus, while effective in some cases, is no match for the ever-changing techniques that attackers use to get past defenses, according to multiple SANS surveys. The surveys also show that attackers get around traditional defenses, which depend on indicators of compromise (IOCs) and signatures, by targeting authorized users. Through phishing and drive-by downloads, they gain authorized access by hijacking legitimate credentials and administrative tools. Additionally, attackers continue to diversify how they use endpoints and the network in order to stay one step ahead of signature-based defenses.

To use threat hunting for prevention, security teams need to identify host-based choke points in the environment where adversaries are likely to be noticeable or to leave traces. Security teams must also be ready to block them at those points. This paper describes the host-based artifacts that attackers use to compromise networks, along with how to identify the most effective plans to block them.