Execution
Gather data identified in the formulate stage
Utilize analysis techniques to prove or disprove hypotheses
Employ additional tools/techniques/data sets as needed
Capture results as you proceed with the hunt
Develop a threat hunt report that captures all essential details of the hunt along with any additional observations
Execute the hunt
After establishing a hypothesis:
The execute stage may consist of several iterations of data collection and analysis
Threat hunters collect the data identified in the formulate stage
Apply the analysis techniques chosen in the formulate stage
Leverage the tools identified for data collection and analysis to confirm or refute the developed hypotheses
Example
Question
Was the admin account compromised?
Data source
Audit logs for the application in question
Analysis technique
"Identify any anomalies in the activities performed by the account (i.e. access to systems at strange times, excessive access/export of sensitive information and other unusual behavior)."
Data analysis
A hunter analyzes data to discover artifacts that match relevant indicators for the hunt:
Analysis can be done manually or by using data tools like a SIEM
While there is no substitute for manual analysis, automated analysis makes a threat hunter's life easier
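The admin-account example above, carried through as detection logic over constructed audit log lines (an added example, not part of the original page). The log format, the business-hours window, the export threshold and the decision rule are all assumptions made for the illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed sample audit log (not real data): "<timestamp> <account> <action> <object>"
SAMPLE_AUDIT_LOG = [
    "2024-03-04T09:12:00 admin LOGIN portal",
    "2024-03-04T09:15:10 admin VIEW customer_record",
    "2024-03-04T17:40:22 admin LOGOUT portal",
    "2024-03-05T02:31:05 admin LOGIN portal",
    "2024-03-05T02:33:48 admin EXPORT customer_table",
    "2024-03-05T02:34:02 admin EXPORT customer_table",
    "2024-03-05T02:34:15 admin EXPORT payroll_table",
    "2024-03-05T02:34:40 admin EXPORT payroll_table",
    "2024-03-05T02:35:01 admin EXPORT hr_table",
    "2024-03-05T02:36:12 admin LOGOUT portal",
    "2024-03-05T10:02:00 jsmith LOGIN portal",
]

BUSINESS_HOURS = range(8, 18)  # assumed normal working hours, 08:00-17:59
EXPORT_THRESHOLD = 3           # assumed: more exports than this per day is "excessive"

def parse_entry(line):
    ts, account, action, obj = line.split()
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "action": action, "object": obj}

def hunt_account(log_lines, account):
    """Return anomaly findings for one account: off-hours activity and excessive exports."""
    entries = [e for e in map(parse_entry, log_lines) if e["account"] == account]
    findings = []
    # Indicator 1: access to systems at strange times (outside the assumed business hours)
    for e in entries:
        if e["ts"].hour not in BUSINESS_HOURS:
            findings.append(("off_hours", e["ts"].isoformat(), e["action"], e["object"]))
    # Indicator 2: excessive export of sensitive information, counted per calendar day
    exports_per_day = Counter(e["ts"].date().isoformat()
                              for e in entries if e["action"] == "EXPORT")
    for day, count in sorted(exports_per_day.items()):
        if count > EXPORT_THRESHOLD:
            findings.append(("excessive_export", day, count))
    return findings

def hypothesis_confirmed(findings):
    """Assumed decision rule: both indicator types present confirms the hypothesis."""
    return {"off_hours", "excessive_export"} <= {f[0] for f in findings}

if __name__ == "__main__":
    results = hunt_account(SAMPLE_AUDIT_LOG, "admin")
    for finding in results:          # capture results as the hunt proceeds
        print(finding)
    print("hypothesis confirmed:", hypothesis_confirmed(results))
```

Each finding tuple records what was seen and when, so the list doubles as the evidence trail for the hunt report; an empty result for an account means the hypothesis is unconfirmed, not disproved.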
Confirmed hypothesis
In the event a hypothesis is confirmed, follow these steps:
Examine indicators and associated timelines to determine if the attack is ongoing
Confirm the extent of the attack and how it affects the business
Follow the incident response plan, if one exists
If an incident response plan doesn't exist, define a method of response (this includes containing any active attacks, eradicating the threat from the environment and recovering affected systems)
Unconfirmed hypothesis
In the event a hypothesis cannot be confirmed, follow these steps:
Determine if additional data sources are required
Identify alternative analysis techniques if needed
Record all methods in which data analysis was performed
Report that the hypothesis could not be confirmed