Generating Hypotheses for Successful Threat Hunting
Here is a fresh whitepaper by Robert M. Lee and David Bianco on proactive and iterative approach to detecting threats – threat hunting.
Threat hunting is a proactive and iterative approach to detecting threats. On the Sliding Scale of Cyber Security, hunting falls under the active defense category because it is performed primarily by a human analyst. Although threat hunters should rely heavily on automation and machine assistance, the process itself cannot be fully automated nor can any product perform hunting for an analyst. One of the human’s key contributions to any hunt is the initial conception of what threat the analyst would like to hunt and how he or she might find that type of malicious activity in the environment. We typically refer to this initial conception as the hunt’s hypothesis, but it is really just a statement about the hunter’s testable ideas of what threats might be in the environment and how to go about finding them.
There are two key components to generating hunting hypotheses. First, an analyst’s ability to create hypotheses is derived from observations. An observation could be as simple as noticing a particular event that “just doesn’t seem right” or something more complicated, such as a supposition about ongoing threat actor activity in the environment based on a combination of past experience with the actor and external threat intelligence.
The second concept to understand is that hypotheses must be testable. That is, they must be something you have at least a chance of finding in the data to which you have access. Good hunts depend on the hunter’s ability to know what data and technologies are required to test the hypotheses. To fully test hypotheses also requires the right analysis tools and techniques that can simultaneously take advantage of information from the environment as well as about likely adversaries. A good threat-hunting platform supports analysts in generating hypotheses and reduces barriers to testing those hypotheses by providing ready access to the data and tools needed to perform the tests.
There are three typical types of hypotheses, although any given hypothesis may combine elements from different types. Hypotheses may be derived from these sources:
• Friendly or threat intelligence
• Situational awareness
• Domain expertise
This guide explores these three types of hypotheses and outlines how and when to formulate them.
Use this link to read full whitepaper.