Threat Hunting on the Edge

Intermediate

Familiarity with network protocols (TCP/IP, DNS, HTTP/S, TLS), basic Linux command line, and general security monitoring concepts.

• Learn about edge devices and DMZ systems that are disproportionately targeted by adversaries and how Internet-facing exposure creates unique security monitoring challenges at the network perimeter.

• How visibility gaps at the ISP hand-off and asymmetric routing paths undermine hunt effectiveness, and how proper TAP/SPAN placement and coverage validation address those gaps.

• How to architect sensor deployments at the perimeter, including smart collection strategies, protocol decoding, and tiered retention policies.

• Leverage network flow data (NetFlow/IPFIX) to detect beaconing, long-duration C2 sessions, and data exfiltration anomalies when full packet retention is not feasible.

• Apply deep-packet inspection techniques to uncover malicious use of legitimate protocols, including DNS tunneling, HTTP/S-based C2, and ICMP covert channels.

• Maintain hunting visibility across encrypted sessions using certificate analysis, JA3/JA3S fingerprinting, SNI inspection, and encrypted traffic profiling techniques.

• How adversaries exploit, persist on, and abuse perimeter devices such as VPN appliances, firewalls, and proxies, and how to incorporate device-native telemetry into hunt operations.

• Establish traffic baselines across volume, protocols, geo-distribution, and connected ASNs as a foundation for anomaly-based perimeter hunting.

• Develop intelligence-driven hunt hypotheses to ensure operations are targeted, structured, and repeatable.

• Convert successful hunt findings into detection engineering outputs (including signatures, analytics, and alerts) to operationalize hunt results and prevent recurrence.

• Document and communicate hunt findings through structured hunt reports that drive organizational awareness and measurable improvements to the detection stack.