top of page
  • Writer: Tony Stiles
    Tony Stiles
  • Jun 19, 2024
  • 4 min read

Summarize the Techniques Used In Security Assessments


Threat Hunting

Threat hunting is a proactive approach to cybersecurity that involves searching for and identifying potential threats or malicious activities within an organization's networks, systems, and applications. This involves analyzing data from various sources such as logs, network traffic, and system behavior to identify anomalies and potential indicators of compromise.


The goal of threat hunting is to detect and stop threats before they can cause damage or steal sensitive information. It requires a combination of technical skills, knowledge of threat actors and attack methods, and the ability to think like an attacker to anticipate and identify potential attack vectors.


  1. Intelligence fusion: Intelligence fusion refers to the process of integrating and analyzing data from various sources, such as open-source intelligence, closed intelligence, and internal organizational data, to generate actionable intelligence.

  2. Threat feeds: Threat feeds are a collection of information related to emerging or existing threats, such as IP addresses, domain names, malware signatures, and other indicators of compromise. Threat feeds are used to detect, prevent, and respond to cyber attacks.

  3. Advisories and bulletins: Advisories and bulletins are notifications that provide information about vulnerabilities, exploits, malware, or other security-related issues. These advisories and bulletins are typically issued by software vendors, security researchers, and government agencies.

  4. Maneuver: Maneuver refers to the process of pivoting from one indicator of compromise or piece of intelligence to another in order to uncover additional information about a potential threat. This can involve digging deeper into a particular host or network, searching for additional IOCs, or analyzing metadata and logs to identify patterns or anomalies.


Vulnerability Scans

Vulnerability scans are a method of identifying security vulnerabilities in a system or network by using automated tools. Vulnerability scans are typically performed using specialized software that systematically searches for known vulnerabilities in system components, such as operating systems, applications, and network devices. The software typically uses a database of known vulnerabilities and configuration issues to check if the system or network has any vulnerabilities that can be exploited by attackers.


The purpose of vulnerability scanning is to identify and document potential security weaknesses before they can be exploited by attackers. By regularly scanning systems and networks, organizations can proactively identify and address vulnerabilities before they can be exploited by attackers. This can help to prevent data breaches, system downtime, and other security incidents.


Some concepts associated are:

  • False positives: Refers to the identification of an issue or vulnerability by a scan tool that doesn't actually exist or isn't exploitable. False positives can waste time and resources by diverting attention away from legitimate vulnerabilities.

  • False negatives: Refers to the failure of a scan tool to identify a vulnerability that actually exists. False negatives can lead to a false sense of security and leave an organization vulnerable to attack.

  • Log reviews: Refers to the examination of system logs to identify patterns of suspicious activity or potential security incidents. Log reviews are an important part of detecting and responding to security incidents.

  • Credentialed vs. non-credentialed: Refers to the method by which a vulnerability scan is conducted. Credentialed scans are performed with administrative credentials, allowing the scanner to access and analyze more detailed information about the system being scanned. Non-credentialed scans are performed without administrative credentials and can only analyze publicly available information.

  • Intrusive vs. non-intrusive: Refers to the level of access granted to the scan tool during the scan. Intrusive scans attempt to exploit vulnerabilities to determine their exploitability and impact, while non-intrusive scans only look for vulnerabilities without attempting to exploit them.

  • Application: Refers to the process of scanning applications for vulnerabilities. Application scans can identify issues such as SQL injection, cross-site scripting, and buffer overflow vulnerabilities.

  • Web application: Refers specifically to the process of scanning web applications for vulnerabilities. Web application scans are similar to application scans but focus specifically on web-based vulnerabilities.

  • Network: Refers to the process of scanning a network for vulnerabilities. Network scans can identify issues such as open ports, outdated software, and misconfigured devices.

  • Common Vulnerabilities and Exposures (CVE)/Common Vulnerability Scoring System (CVSS): CVEs are standardized identifiers for publicly known security vulnerabilities, while CVSS is a system for rating the severity of vulnerabilities based on a set of standardized metrics.

  • Configuration review: Refers to the examination of system configurations to identify potential vulnerabilities. Configuration reviews can identify issues such as weak passwords, unnecessary services, and misconfigured firewalls.


Syslog/Security Information and Event Management (SIEM)

Syslog and Security Information and Event Management (SIEM) are both technologies used for collecting, storing, and analyzing logs and events generated by various systems, devices, and applications within an organization's network infrastructure.


Syslog is a standard protocol used for sending event messages across IP networks. It enables different network devices, such as routers, switches, firewalls, and servers, to send their system logs to a central location for storage and analysis. Syslog messages contain important information such as source IP address, timestamp, event type, and severity level.


SIEM, on the other hand, is a comprehensive security solution that integrates and correlates logs and events from multiple sources across the network to provide a holistic view of the security posture of an organization. It combines real-time monitoring, correlation, and analysis of security events to provide actionable insights to security analysts. SIEM tools use advanced analytics and machine learning techniques to detect and respond to security threats in real-time. They can provide a variety of capabilities, including reporting, packet capture, analysis of data inputs, user behavior analysis, sentiment analysis, security monitoring, log aggregation and log collection.


Security Orchestration, Automation, and Response (SOAR)

Security orchestration, automation, and response (SOAR) is a technology solution that helps organizations automate and coordinate their incident response processes. SOAR solutions integrate with various security tools to aggregate alerts and event data, apply pre-defined or customized playbooks for response and automate actions based on these playbooks.


SOAR platforms aim to increase the efficiency and effectiveness of security teams by reducing the amount of time spent on manual tasks and enabling quicker and more coordinated response to security incidents. They can also help improve consistency and accuracy in incident response processes, reduce response times, and provide better visibility into security operations.

bottom of page