Introduction

As discussed earlier, adopt a threat hunting model like the following that captures the various steps associated with threat hunting as there is no industry standard model

Purpose - What is the reason for the hunt?
Scope - Where is the hunt and what answers are you seeking?
Formulate - Data sources and tools utilized
Execute - Carry out the hunt
Feedback - Lessons learned from hunt

Purpose: Reason for the hunt

What are the organization's goals for the hunt?
What is the hunting ground?
What are the assumptions?
What are the limitations?
What is the desired outcome?

Organizational goals

This section identifies the business need for a threat hunt

Here are some possible scenarios:

You may have new threat intelligence suggesting sensitive data is exposed
Organization desires to gain higher confidence of the environment for specific attack techniques
There is internal knowledge of a known gap and would like to know if there is any exploitation of that gap

Hunting ground

The goal of this is not to scope out the hunt itself but provide high-level guidance

Identifying the area of interest for the hunt based on organization goals:

If identifying the cause of data exposure is the goal, the systems that house relevant data would become the hunting ground
If impact from specific attack techniques is the goal, then systems relevant to those techniques would be of interest
If identifying exposure to a known gap is the goal, the relevant systems/data would be of interest

Assumptions & limitations

Any assumptions associated with the hunt should be identified:

One assumption could be the time window to narrow down the scope of your hunt
Data is available for the hunt being considered

Any limitations for the hunt should be acknowledged:

Data is only available for a certain duration
Resource availability and knowledge of the environment

Desired outcome

A threat hunter needs to identify the result of a hunt

Here a few examples:

Discovery of exposed data
Discovery of an attacker in the environment
Evidence of exploitation of a known gap
You are susceptible to specific attack techniques

PreviousTicketing/SOAR NextScoping and hypothesis development

Last updated 8 months ago

Organizational goals

This section identifies the business need for a threat hunt

Here are some possible scenarios:

You may have new threat intelligence suggesting sensitive data is exposed

Organization desires to gain higher confidence of the environment for specific attack techniques

There is internal knowledge of a known gap and would like to know if there is any exploitation of that gap

Hunting ground

The goal of this is not to scope out the hunt itself but provide high-level guidance

Identifying the area of interest for the hunt based on organization goals:

If identifying the cause of data exposure is the goal, the systems that house relevant data would become the hunting ground

If impact from specific attack techniques is the goal, then systems relevant to those techniques would be of interest

If identifying exposure to a known gap is the goal, the relevant systems/data would be of interest

Assumptions & limitations

Any assumptions associated with the hunt should be identified:

One assumption could be the time window to narrow down the scope of your hunt

Data is available for the hunt being considered

Any limitations for the hunt should be acknowledged:

Data is only available for a certain duration

Resource availability and knowledge of the environment