Proactive Threat Hunting Before the Boom
Key Points
- “Left of boom” refers to the pre‑attack reconnaissance phase, while “right of boom” covers post‑attack recovery, highlighting the need to consider both before and after an incident.
- Current industry metrics (Ponemon Institute, 2022) put the mean time to identify (MTTI) at ~200 days and the mean time to contain (MTTC) at ~70 days, so organizations often spend roughly 270 days from breach to full recovery.
- Reducing the gap between the actual breach (“boom”) and detection requires proactive threat hunting that can spot malicious activity before alarms fire.
- Threat hunting relies on forming hypotheses and leveraging indicators of compromise (IOCs), indicators of attack, and external threat intelligence feeds to identify suspicious behavior early.
- Unlike reactive investigations, threat hunting is a forward‑looking, hypothesis‑driven process aimed at detecting threats during the reconnaissance phase, or in the window after a breach before any alarm has fired.
**Source:** [https://www.youtube.com/watch?v=VNp35Uw_bSM](https://www.youtube.com/watch?v=VNp35Uw_bSM)
**Duration:** 00:06:41

## Sections
- [00:00:00](https://www.youtube.com/watch?v=VNp35Uw_bSM&t=0s) **Left and Right of Boom** - The speaker explains the pre‑attack reconnaissance phase ("left of boom") and post‑attack recovery ("right of boom"), highlighting the lengthy detection (≈200 days) and containment (≈70 days) periods that together total roughly 270 days.

## Full Transcript
Boom. You've just been attacked, the bad guy's in your system, and you're hemorrhaging data. Now, this was not an isolated incident. There was a time that led up to this, and there was a time that happened after. The time that led up to it, going back and preceding this, we call "left of boom," and the time after it, when we're trying to discover, that's the time that we call "right of boom." So in this first phase, the bad guy is doing reconnaissance: he's looking at your systems, he's probing them, he's trying to figure out where the weak spots are, where the good data is. And the time after boom is when we want to be doing recovery.

The problem is we don't always know when boom occurred at the time it occurred. There's a lag between boom and alarm. This is when we find out when the attack has occurred, which is not the same as when it actually occurred.
Now, if we look at these kinds of intervals, what could we do about this? Well, there's a time here, you can see, that is the mean time to identify what the problem is. According to the Ponemon Institute survey in 2022, the mean time to identify is on the order of 200 days. That's how long it takes to figure out that the bad guy is already in your system. And further still, there's this notion of mean time to contain, and the mean time to contain is on the order of 70 days. You put those two together, you're at about 270 days total between when boom occurred and when we finally got everything recovered.

There clearly would be some advantage if we could go back in time and discover boom and bring the interval between the alarm and the boom closer together, or even go back before boom and start to realize during the reconnaissance phase that something is amiss, something is happening. In this phase and this timeline, in this area, is when we could be doing what we call threat hunting. I could do a hunt, and we'll talk about what that involves. After the hunt is when we start doing the investigation, and the investigation is reactive; the hunt is proactive. That's the big difference here. So as much as possible, it would be nice if we could go back and anticipate some of these things.
Now, how does this work? Well, it turns out, if we're doing threat hunting, we're basically going to develop a hypothesis. You have someone that's acting as an investigator, but they're investigating things that maybe have not fully happened yet, or are in the process of happening, so no alarms have gone off. What are we going to use? Well, we're going to use things like indicators of compromise. That's information that we can gather from our systems that tells us that someone has done something here that has breached, maybe a small hole here, a small hole there. There are other things, like indicators of attack, that may be in here as well, that say someone is knocking on the door. They might not have fully gotten in, but they did some things that we should be concerned about.

Other sources of information would be security intelligence threat feeds, so intel feeds that tell us that there are certain types of vulnerabilities that are being exploited on the internet these days, and certain things that are happening, maybe in a particular sector or in a particular geography. This is security intelligence. We'd like to use that kind of information and leverage it to our best ability as well. Then we could do some vulnerability scans on our environment, and that would tell us what the bad guy is also seeing, and that is that there are vulnerabilities here, there are systems that are weak here. This is the soft underbelly. This is what the bad guy's doing; why wouldn't we do the same thing?
Then an intelligent threat hunter, who has some experience and some insight into this, is going to use basically their experience and a little bit of intuition to connect the dots and say these things that seemed isolated in fact are not; they're all grouped together. We connect the dots and we realize, before the boom has occurred, that in fact this is the setup that's about to result in a data breach. Or it could be in this range of time when maybe we've already been attacked but the alarm hasn't gone off, but we're going to see the telltale signs, and those are the things that we're looking for.

Now, what would an experienced threat hunter use in terms of the tools to gather all of this information? Well, they would use some tools like an XDR, extended detection and response capability, and I've talked about this in a previous video. Another thing that we'd use is a security information and event management system, something that goes out and gathers information from all of my sources of security telemetry: all of the logs, all of the flow data, all of the different sources that might give me security intelligence. And these two in fact can be related, in feeding to each other. And then another related technology that often relates to these as well is a user behavior analytics capability, and the UBA would look for anomalous user activities: here's a user that's performing differently than what their peer group is doing, and therefore they're drawing suspicion. And then we would ultimately want to take all of those technologies and infuse them with artificial intelligence so that we can get to the point, find the source, get to our investigation faster, and do the reporting, and hopefully uncover this issue before the boom, and if not, at least very soon after the boom.

Because what we're trying to do is avoid two numbers. There's one number, 270, and another number, 4 million. What do those mean? 270 is roughly the number of days between boom and containment, according to the Ponemon Institute. Also according to that same survey, 4 million is the average cost of a data breach. That's what we're trying to avoid.
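The hunt the speaker describes, carried out in code over constructed telemetry, as an added example (this is an editor's illustration, not code from the video or from the speaker's products). It starts from one hypothesis and checks the four "left of boom" sources the video lists: an indicator of attack (a port sweep in flow data), an indicator of compromise (a threat-intel feed match), the overlap between what the attacker is probing and what our own vulnerability scan already shows, and a UBA-style peer-group comparison, then connects the dots per entity. All records, the IP addresses, the host names, the feed contents and the thresholds (5 distinct ports, modified z-score 3.5) are constructed assumptions; in practice the inputs would be pulled from the SIEM or XDR.

```python
"""Hypothesis-driven hunt over constructed telemetry.

Hypothesis: an external host is doing reconnaissance against our VPN gateway
and an internal account is being prepared for abuse. We look for the "left of
boom" signals the video lists (an indicator of attack, an indicator of
compromise, a user out of step with their peer group, overlap with our own
vulnerability scan) and then connect the dots per entity. Every record below
is constructed for illustration; thresholds are illustrative choices.
"""
from collections import defaultdict
from statistics import median

# Constructed flow records as exported from a SIEM: (src_ip, dst_host, dst_port)
FLOWS = [
    ("203.0.113.7", "vpn-gw", 22), ("203.0.113.7", "vpn-gw", 443),
    ("203.0.113.7", "vpn-gw", 8443), ("203.0.113.7", "vpn-gw", 3389),
    ("203.0.113.7", "vpn-gw", 1723), ("203.0.113.7", "vpn-gw", 500),
    ("198.51.100.4", "vpn-gw", 443), ("198.51.100.4", "vpn-gw", 443),
    ("10.0.0.12", "fileserver", 445),
]
# Constructed threat-intel feed: source IPs reported scanning or exploiting
INTEL_FEED = {"198.51.100.4", "192.0.2.99"}
# Constructed vulnerability-scan output: host -> {port: finding}
VULN_SCAN = {"vpn-gw": {1723: "PPTP exposed", 8443: "outdated admin console"}}
# Constructed access summary: (user, department, distinct hosts touched today)
ACCESS = [
    ("alice", "finance", 3), ("bob", "finance", 2), ("carol", "finance", 4),
    ("dave", "finance", 3), ("eve", "finance", 27),
    ("frank", "eng", 15), ("grace", "eng", 18), ("heidi", "eng", 14),
]


def find_port_sweeps(flows, min_ports=5):
    """Indicator of attack: one source touching many distinct ports on a host."""
    ports = defaultdict(set)
    for src, host, port in flows:
        ports[(src, host)].add(port)
    return {k: sorted(v) for k, v in ports.items() if len(v) >= min_ports}


def match_intel(flows, feed):
    """Indicator of compromise: a source IP that appears in the intel feed."""
    return {src for src, _, _ in flows if src in feed}


def exposed_targets(sweeps, scan):
    """Overlap the attacker's probing with what our own scan already knows."""
    hits = {}
    for (src, host), ports in sweeps.items():
        findings = [scan.get(host, {}).get(p) for p in ports]
        findings = [f for f in findings if f]
        if findings:
            hits[(src, host)] = findings
    return hits


def peer_group_outliers(access, threshold=3.5):
    """UBA: users whose activity is far from their department's peer group.

    A median/MAD modified z-score is used instead of mean/stdev: a single
    heavy outlier inflates the stdev enough to hide itself in a small group.
    """
    by_dept = defaultdict(list)
    for user, dept, n in access:
        by_dept[dept].append((user, n))
    outliers = {}
    for rows in by_dept.values():
        counts = [n for _, n in rows]
        med = median(counts)
        mad = median(abs(n - med) for n in counts)
        if mad == 0:  # all peers identical; nothing to rank against
            continue
        for user, n in rows:
            score = 0.6745 * (n - med) / mad
            if score > threshold:
                outliers[user] = round(score, 2)
    return outliers


def connect_the_dots(flows, feed, scan, access):
    """Group weak signals by the entity they point at and rank the entities.

    None of these fires an alarm on its own; together they describe the setup
    that precedes a breach. Returns [(entity, [lead, ...]), ...] best first.
    """
    sweeps = find_port_sweeps(flows)
    leads = defaultdict(list)
    for (src, host), ports in sweeps.items():
        leads[src].append(f"IOA: swept {len(ports)} ports on {host}")
    for src in match_intel(flows, feed):
        leads[src].append("IOC: source listed in threat-intel feed")
    for (src, host), findings in exposed_targets(sweeps, scan).items():
        leads[src].append(f"EXPOSURE: {host} has {', '.join(findings)}")
    for user, score in peer_group_outliers(access).items():
        leads[user].append(f"UBA: modified z-score {score} vs department peers")
    return sorted(leads.items(), key=lambda kv: len(kv[1]), reverse=True)


if __name__ == "__main__":
    for entity, found in connect_the_dots(FLOWS, INTEL_FEED, VULN_SCAN, ACCESS):
        print(entity)
        for lead in found:
            print("  -", lead)
```

Run as-is, the ranked output puts 203.0.113.7 first: it swept six ports on vpn-gw and two of those ports are the exact findings our own scan reported, which is the "soft underbelly" overlap the speaker points at. The intel-feed hit and the UBA outlier each carry one lead and rank below it, but a hunter would still pivot on them. The peer-group check deliberately uses a median and median absolute deviation rather than mean and standard deviation: with five users in a department, one user touching 27 hosts drags the mean and standard deviation toward itself and can never exceed a z-score of 2, so the naive statistic hides the very anomaly it is meant to surface.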