Execution

Gather data identified in the formulate stage
Utilize analysis techniques to prove or disprove hypotheses
Employ additional tools/techniques/data sets as needed
Capture results as you proceed with the hunt
Develop a threat hunt report that captures all essential details of the hunt along with any additional observations

Execute the hunt

After establishing a hypothesis:

The execute stage could consist of various iterations of data collection and analysis
Threat hunters collect the data identified in formulate stage
Apply analysis techniques from formulate stage
Leverage tools identified for data collection and analysis to confirm or refute the developed hypotheses

Example

Question

Was the admin account compromised?

Data source

Audit logs for the application in question

Analysis technique

"Identify any anomalies in the activities performed by the account (i.e. access to systems at strange times, excessive access/export of sensitive information and other unusual behavior)."

Data analysis

A hunter analyzes data to discover artifacts that match relevant indicators for the hunt:

Analysis can be done manually or by using data tools like a SIEM
While there is no substitute for manual analysis, automated analysis makes a threat hunter's life easier

Confirmed hypothesis

In the event a hypothesis is confirmed, follow these steps:

Examine indicators and associated timelines to determine if the attack is ongoing
Confirm the extent of the attack and how it affects the business
Follow the incident response plan, if one exists
If incident response plan doesn't exist, define a method of response (includes containing any active attacks, eradicating the threat from the environment and recovering affected systems)

Unconfirmed hypothesis

In the event a hypothesis cannot be confirmed, follow these steps:

Determine if additional data sources are required
Identify alternative analysis techniques if needed
Record all methods in which data analysis was performed
Report that the hypothesis could be confirmed

PreviousFormulate NextCyber threat hunting: Lessons learned

Last updated 8 months ago

Execute the hunt

After establishing a hypothesis:

The execute stage could consist of various iterations of data collection and analysis

Threat hunters collect the data identified in formulate stage

Apply analysis techniques from formulate stage

Leverage tools identified for data collection and analysis to confirm or refute the developed hypotheses

Example

Question

Was the admin account compromised?

Data source

Audit logs for the application in question

Analysis technique

"Identify any anomalies in the activities performed by the account (i.e. access to systems at strange times, excessive access/export of sensitive information and other unusual behavior)."

Confirmed hypothesis

In the event a hypothesis is confirmed, follow these steps:

Examine indicators and associated timelines to determine if the attack is ongoing

Confirm the extent of the attack and how it affects the business

Follow the incident response plan, if one exists

If incident response plan doesn't exist, define a method of response (includes containing any active attacks, eradicating the threat from the environment and recovering affected systems)