Threat Hunting Methodologies

Introduction

Threat hunting is a proactive and iterative approach to detecting threats. It falls under the active defense category of cybersecurity since it is carried out by a human analyst, despite heavily relying on automation and machine assistance. The analyst’s main task is to determine the initial threat to hunt and how that type of malicious activity will be found within the environment. We refer to this challenge as the hypothesis. In this article, we will discuss the different hunting hypotheses and how they can be effectively combined to allow for an effective hunt.

What are the most popular threat-hunting methodologies and hypotheses?

Threat hunters develop hypotheses by carrying out careful observations. These could be as simple as noticing a particular event “just doesn’t seem right,” or something more complicated such as a supposition about ongoing threat-actor activity within the environment. This will be based on a combination of external threat intelligence and past experiences with the actor.

Threat hunters will experience success through platforms that enable them to generate hypotheses while simultaneously reducing any barriers that may hinder testing of the hypotheses. That may be done by, for example, providing ready access to the data and tools needed to perform the tests.

We shall explore the most popular hypotheses and outline how and when to formulate them. They include:

Intelligence-Driven Hypotheses

The understanding of adversary tactics, techniques and procedures (TTPs) through the use of indicators of compromise (IOCs) has led to the concept of intelligence-driven defense. Hunters make use of this intelligence as a basis for the questions that lead them to the formulation of the hypothesis.

For example, consider an adversary that conducts phishing campaigns. If the source of the infrastructure used for the attack is determined to be in Canada, then this may be documented in the (Read more...)