Before a threat hunting program can be developed, it is essential to have a complete understanding of the organization's assets, including the types of assets, where they are located, and their value to the organization. Without this understanding, it is difficult to know what to hunt for, where to look, and what data sources to use.
D. Remember we are talking about "developing the program". Understanding the categories of assets, such as financial, intellectual property, or customer data, helps to prioritize the focus of the threat hunting program and allocate resources effectively. The others are skills that are refined as part of the overall program.
Threat hunting is a proactive process of identifying and neutralizing threats that have already infiltrated an organization's systems. In order to effectively hunt for threats, it is essential to have a comprehensive understanding of the organization's assets and the categories of assets that are present within the network. This includes understanding the types of systems, data, and information that are most valuable to the organization, as well as the different attack scenarios that could be used to target these assets. By having a thorough understanding of the organization's assets, the threat hunting team can more effectively prioritize their efforts, focus on the most critical assets, and develop strategies to protect them from potential threats. Additionally, this understanding can inform the development of correlation rules within a SIEM and help the team to better understand the types of security software technologies that are best suited for their needs.
D is the correct answer. You need to know what the threat is trying to access and how they may go about it to profile them properly.
Just like a bank robber, you're not going to search for them in the park. You can have the greatest detectives in the world with the best equipment, but if you're looking in the wrong place what good does it do? Why would they be in the park? Is that where the money is kept? Understand what they want and where they will look, then you can work on building the proper security measures tailored to your specific hunt. Plus you are developing a program here, not actively hunting a threat yet.
Answer C 100%
When creating a threat hunting program it is important to start by developing standardized processes to guide threat hunting efforts. Security teams should outline when and how hunting takes place (whether at scheduled intervals, in response to specific triggering actions, or continuously with the help of automated tools), what techniques are to be used, and which people and TOOLS will be responsible for performing specific threat hunting tasks.
Threat hunters need to have a good understanding of the company's profile, employee behavior, company valuable data, as well as business activities that could be of interest to attackers so they can baseline what is “normal”.
When threat hunting the goal is to seek out anything malicious. I suppose when you are developing a threat hunting program, knowing everything you can about the assets is great but is that going to do you any good for finding threats? If one were to learn about every single component and mechanic of a refrigerator, what good is that going to do someone when a thief is stealing your yogurt while you're sleeping? I think understanding the security software that you would use to seek out threats is more important.
To add on, when you learn about assets you will also have an understanding of what motives a person might have for intruding your asset, such as some random hungry dude stealing your yogurt. But to seek him out in the night while you're sleeping, a security camera is the perfect tool to find the threat and determine the risk solution you want to implement afterwards. Assets will teach you about the threat actors, not the threats themselves.
Threat hunters need to have a good understanding of the company's profile, employee behavior, company valuable data, as well as business activities that could be of interest to attackers so they can baseline what is “normal”.
Answer D
It is important first to prioritize the assets I'm going to protect, whether they are tangible or intangible. This answer encompasses the other options.
When creating a threat hunting program it is important to start by developing standardized processes to guide threat hunting efforts. Security teams should outline when and how hunting takes place (whether at scheduled intervals, in response to specific triggering actions, or continuously with the help of automated tools), what techniques are to be used, and which people and TOOLS will be responsible for performing specific threat hunting tasks.
I choose C for that word "TOOLS".
Why wouldn't it be D?
I've read many articles on this and most talk about knowing the risks within the environment and knowing what the key assets/information is needed for threat hunting. Once this information is determined a hypothesis on the type/kind of threat actor/hacker can be better determined imo. This to me sounds like D would be the answer.
It's talking about the program, not the threat hunter himself. You need to know what is in the environment to build hypotheses and scenarios. Going with D.
My gut says A, but research says C. All the sites I've come across say it's vital for threat hunters to fully understand security tools to be an effective threat hunter. While understanding pentesting would be beneficial, the execution of threat hunting is different. I'll go with C.
https://www.stickmancyber.com/cybersecurity-blog/7-threat-hunting-misconceptions
https://www.simplilearn.com/skills-to-become-threat-hunter-article