Here is a fresh whitepaper\u00a0by Robert M. Lee and David Bianco on\u00a0proactive and iterative approach to detecting threats – threat hunting.<\/p>\n
Threat hunting is a proactive and iterative approach to detecting threats. On the Sliding Scale of Cyber Security, hunting falls under the active defense category because it is performed primarily by a human analyst. Although threat hunters should rely heavily on automation and machine assistance, the process itself cannot be fully automated nor can any product perform hunting for an analyst. One of the human\u2019s key contributions to any hunt is the initial conception of what threat the analyst would like to hunt and how he or she might find that type of malicious activity in the environment. We typically refer to this initial conception as the hunt\u2019s hypothesis, but it is really just a statement about the hunter\u2019s testable ideas of what threats might be in the environment and how to go about finding them.<\/p>\n
There are two key components to generating hunting hypotheses. First, an analyst\u2019s ability to create hypotheses is derived from observations. An observation could be as simple as noticing a particular event that \u201cjust doesn\u2019t seem right\u201d or something more complicated, such as a supposition about ongoing threat actor activity in the environment based on a combination of past experience with the actor and external threat intelligence.<\/p>\n
The second concept to understand is that hypotheses must be testable. That is, they must be something you have at least a chance of finding in the data to which you have access. Good hunts depend on the hunter\u2019s ability to know what data and technologies are required to test the hypotheses. To fully test hypotheses also requires the right analysis tools and techniques that can simultaneously take advantage of information from the environment as well as about likely adversaries. A good threat-hunting platform supports analysts in generating hypotheses and reduces barriers to testing those hypotheses by providing ready access to the data and tools needed to perform the tests.<\/p>\n
There are three typical types of hypotheses, although any given hypothesis may combine elements from different types. Hypotheses may be derived from these sources:<\/p>\n
\u2022 Friendly or threat intelligence<\/p>\n
\u2022 Situational awareness<\/p>\n
\u2022 Domain expertise<\/p>\n
This guide explores these three types of hypotheses and outlines how and when to formulate them.<\/p>\n