$3.$ Explain the difference between reactive and proactive threat detection.

How do reactive threat detection and proactive threat detection differ? Analytics engines apply reactive threats in the SIEM, intrusion detection system $($IDS$),$ or endpoint sensors $-$ tools you will learn about later in this module. Proactive detections are made by threat hunters searching through the data based on threat intelligence information and internally generated intelligence.

According to a $2020$ Threat Hunt survey conducted by the SANS Institute, $70\%$ of organizations report that they currently perform proactive threat hunting. However, these respondents noted that their proactive detections are relatively immature, with the biggest obstacles cited as a lack of skilled staff, budget constraints, and a lack of defined

processes.

In this Try$-$It Activity, you will first research a prevalent detected malware sample by digging into reports from a malware sandbox that detail its static and behavioral characteristics. Then, if endpoint monitoring capabilities discover this malicious code present or running on a system in your environment, the security operations team and incident responders would be called to take reactive actions in accordance with playbooks specific to the threat.

In the second part of this Try$-$It Activity, you will model proactive detection techniques similar to the actions of a threat hunter. Given a specific threat group, you will identify the tactics, techniques, and procedures unique to that actor. Based on your findings, you will formulate hunt hypotheses on how you may detect malicious activity attributed to this actor.

Part $1$

Access the MalwareBazaar Database E

Explore the page and identify the following:

Note: Ensure you follow best practices when navigating this website. Identifying the information doesn't require clicking on any additional links.

$$ File type:

$$ Filename:

MD$5$ Hash:

First seen data and time:

Names of the YARA Rules that detected this sample:

Part $2$

The DeathStalker threat group, tracked by Kaspersky since $2018,$ is known to target law firms and financial institutions. However, this threat actor does not appear to be motivated by financial gain. It deviates from the typical tactics used by cybercriminal gangs, such as ransomware, financial transactional data theft, or customer account compromise. Instead, Kaspersky researchers deduce that this actor is a group of hackers$-$for$-$hire, picking up operations based on the needs of their customers.

Read the Kaspersky reference below regarding the Powersing toolset, the DeathStalker threat group. Then, identify the tactics, techniques, and procedures unique to that actor and formulate hunt hypotheses for detecting this malicious

actor.

Resources

Lifting the Veil on DeathStalker, a Mercenary Triumvirate by Ivan Kwiatkowski, Pierre Delcher, and Maher Yamout Hunt Evil: Your Practical Guide to Threat Hunting B