How to enable efficient threat hunting

Bibliographic Details
Main Author: Tams, Roope
Other Authors: Faculty of Information Technology (Informaatioteknologian tiedekunta), University of Jyväskylä (Jyväskylän yliopisto)
Format: Master's thesis
Language: eng
Published: 2024
Subjects: Cyber Security (Kyberturvallisuus)
Online Access: https://jyx.jyu.fi/handle/123456789/95341
Abstract (given in Finnish and English on the record):

This master's thesis focuses on how to enable efficient threat hunting. The subject is important to research because threat hunting is a fairly new topic and hardly any studies have been made of the whole process. Many of the previous studies have focused primarily on research areas such as threat modeling, threat detection and incident response, and only a few studies have been made about threat hunting frameworks. The thesis was done as a qualitative literature review, followed by development of the framework with the Design Science Research Methodology process. The literature review was used as the base for developing the threat hunting framework. The developed framework was then presented to three cyber security professionals for review; the review was done with semi-structured interviews. The threat hunting framework developed has three different starting points, depending on what the hunt is based on. If the hunt is based on IoCs, a separate hypothesis is not developed, as the investigation should be lighter compared to one based on TTPs or vulnerability reports. Feedback is given if the hunt is rejected, and when the hunt has been completed, whether or not something was found as a result of the hunt. Based on the interviews, using this framework allows efficient threat hunting, especially when it is used as a continuous process. The framework allows teams to collaborate and give feedback in a way that is easy to adopt as part of the daily activities of a SOC.
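The workflow the abstract describes, as an added Python illustration that is not code from the thesis or from its author: the three entry points, the rule that an IoC-based hunt skips the hypothesis step and runs a lighter direct search, and feedback recorded both on rejection and on completion regardless of whether anything was found. The state names, the fields on `Hunt`, the hypothesis predicate and the sample telemetry are assumptions made for this example.

```python
"""Model of a three-entry-point threat-hunting workflow.

Added illustration, not code from the thesis. It encodes the routing rules the
abstract states: IoC-based hunts get no separate hypothesis and run a lighter
direct search; TTP- and vulnerability-report-based hunts need a hypothesis;
feedback is recorded on rejection and on completion, found or not. The state
names, field names, hypothesis predicate and telemetry below are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Optional


class Trigger(Enum):
    IOC = "ioc"                  # indicator from a feed: hash, IP, domain
    TTP = "ttp"                  # adversary technique
    VULN_REPORT = "vuln_report"  # published vulnerability report


@dataclass
class Hunt:
    trigger: Trigger
    indicators: tuple = ()            # IoC hunts only
    hypothesis: Optional[str] = None  # TTP / vulnerability hunts only
    state: str = "proposed"           # proposed -> approved|rejected -> completed
    feedback: list = field(default_factory=list)


def _reject(hunt: Hunt, reason: str) -> Hunt:
    # Feedback is given whenever a hunt is rejected.
    hunt.state = "rejected"
    hunt.feedback.append(f"rejected: {reason}")
    return hunt


def plan_hunt(hunt: Hunt) -> Hunt:
    """Apply the entry-point rules: decide whether a hypothesis is needed."""
    if hunt.trigger is Trigger.IOC:
        if not hunt.indicators:
            return _reject(hunt, "IoC hunt has no indicators")
        hunt.hypothesis = None  # lighter path: no separate hypothesis is developed
    elif not hunt.hypothesis:
        return _reject(hunt, f"{hunt.trigger.value} hunt needs a testable hypothesis")
    hunt.state = "approved"
    return hunt


def run_ioc_hunt(hunt: Hunt, events: list) -> list:
    """Direct indicator match over telemetry; no analyst logic involved."""
    iocs = set(hunt.indicators)
    return [e for e in events if iocs & set(e.values())]


def run_hypothesis_hunt(hunt: Hunt, events: list, test: Callable[[dict], bool]) -> list:
    """Hypothesis-driven hunt: the analyst supplies a predicate that operationalises it."""
    return [e for e in events if test(e)]


def complete_hunt(hunt: Hunt, hits: list) -> Hunt:
    """Close the hunt; feedback is recorded whether or not anything was found."""
    if hunt.state != "approved":
        raise ValueError(f"cannot complete a hunt in state {hunt.state!r}")
    hunt.state = "completed"
    hunt.feedback.append(f"completed: {len(hits)} hit(s)" if hits else "completed: no findings")
    return hunt


# Constructed sample telemetry (documentation IP ranges, made-up paths), not real data.
SAMPLE_EVENTS = [
    {"event": "net_conn", "host": "ws-01", "dst_ip": "203.0.113.10"},
    {"event": "net_conn", "host": "ws-02", "dst_ip": "198.51.100.7"},
    {"event": "task_create", "host": "ws-02", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe"},
    {"event": "task_create", "host": "srv-01", "image": "C:\\Windows\\System32\\svchost.exe"},
]


def demo() -> dict:
    """Run one hunt of each kind against the sample telemetry and return them by trigger."""
    ioc = plan_hunt(Hunt(Trigger.IOC, indicators=("203.0.113.10",)))
    complete_hunt(ioc, run_ioc_hunt(ioc, SAMPLE_EVENTS))

    ttp = plan_hunt(Hunt(Trigger.TTP,
                         hypothesis="Persistence via scheduled tasks whose binary lives under a user profile"))

    def user_profile_task(e: dict) -> bool:
        return e["event"] == "task_create" and e["image"].startswith("C:\\Users\\")

    complete_hunt(ttp, run_hypothesis_hunt(ttp, SAMPLE_EVENTS, user_profile_task))

    vuln = plan_hunt(Hunt(Trigger.VULN_REPORT))  # no hypothesis: rejected, with feedback
    return {"ioc": ioc, "ttp": ttp, "vuln": vuln}


if __name__ == "__main__":
    for name, h in demo().items():
        print(name, h.state, h.feedback)
```

The point of the split is in `plan_hunt`: an IoC hunt is accepted on the strength of its indicators alone and `run_ioc_hunt` is a set intersection, whereas a TTP or vulnerability hunt cannot be approved until someone has written down what it is testing, and `run_hypothesis_hunt` only does what that predicate says. `complete_hunt` refuses anything not approved and always appends feedback, so a hunt with no findings still leaves a record the SOC can learn from.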
Full record (Dublin Core):
dc.contributor.advisor: Lehto, Martti
dc.contributor.author: Tams, Roope
dc.contributor.faculty: Faculty of Information Technology (Informaatioteknologian tiedekunta)
dc.contributor.organization: University of Jyväskylä (Jyväskylän yliopisto)
dc.date.accessioned: 2024-05-30T05:19:29Z
dc.date.available: 2024-05-30T05:19:29Z
dc.date.issued: 2024
dc.identifier.uri: https://jyx.jyu.fi/handle/123456789/95341
dc.identifier.urn: URN:NBN:fi:jyu-202405304104
dc.title: How to enable efficient threat hunting
dc.description.abstract: given in Finnish and English; see the abstract above
dc.description.provenance: Submitted by jyx lomake-julkaisija on 2024-05-30T05:19:29Z; made available in DSpace on 2024-05-30T05:19:29Z (GMT); no. of bitstreams: 0
dc.format.extent: 53
dc.format.mimetype: application/pdf
dc.format.content: fulltext
dc.language.iso: eng
dc.type: master thesis (dc.type.publication: masterThesis; dc.type.coar: http://purl.org/coar/resource_type/c_bdcc)
dc.subject.discipline: Cyber Security (Kyberturvallisuus)
dc.rights: In Copyright, © The Author(s) (https://rightsstatements.org/page/InC/1.0/)
dc.rights.accesslevel: restrictedAccess
dc.rights.accessrights: The author has not given permission to make the work publicly available electronically. Therefore the material can be read only at the archival workstation at Jyväskylä University Library (https://kirjasto.jyu.fi/en/workspaces/facilities/facilities#autotoc-item-autotoc-2; Finnish page: https://kirjasto.jyu.fi/fi/tyoskentelytilat/laitteet-ja-tilat#autotoc-item-autotoc-2).
Record id: jyx.123456789_95341 (source jyx, record format qdc)
URLs: https://jyx.jyu.fi/handle/123456789/95341 and http://www.urn.fi/URN:NBN:fi:jyu-202405304104