Introduction

As discussed earlier, there is no industry-standard threat hunting model, so adopt one like the following that captures the steps involved in a hunt:

  1. Purpose - Why is the hunt being run?

  2. Scope - Where does the hunt take place and what questions is it meant to answer?

  3. Formulate - Identify the data sources and tools the hunt will use

  4. Execute - Carry out the hunt

  5. Feedback - Capture lessons learned from the hunt

Purpose: Reason for the hunt

  • What are the organization's goals for the hunt?

  • What is the hunting ground?

  • What are the assumptions?

  • What are the limitations?

  • What is the desired outcome?

Organizational goals

This section identifies the business need for a threat hunt.

Here are some possible scenarios:

  • New threat intelligence suggests that sensitive data belonging to the organization is exposed

  • The organization wants higher confidence that the environment is not affected by specific attack techniques

  • A known gap (for example, a control that is missing or a system that cannot be patched) exists internally, and the organization wants to know whether it has been exploited

Hunting ground

The goal here is not to scope the hunt itself but to provide high-level guidance on where to look.

Identify the area of interest for the hunt based on the organizational goals:

  • If identifying the cause of a data exposure is the goal, the systems that house the relevant data become the hunting ground

  • If assessing exposure to specific attack techniques is the goal, the systems those techniques target, and the telemetry that would record them, are of interest

  • If identifying exploitation of a known gap is the goal, the systems and data affected by that gap are of interest

Assumptions & limitations

Any assumptions associated with the hunt should be identified:

  • A time window that narrows the scope of the hunt (for example, only activity since a given date)

  • The data needed for the hunt is being collected and is available for the whole window being considered

Any limitations of the hunt should be acknowledged:

  • Log data is only retained for a certain duration, so activity older than the retention window of a given source cannot be examined

  • Availability of hunters and analysis capacity, and the team's knowledge of the environment
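The two points above interact: a hunt that assumes a 75-day window but relies on a source with 30-day retention can only answer questions about the last 30 days. The following is an added example, not code from the original page, that checks an assumed hunt window against the retention of each data source and reports the gaps before the hunt starts. The source names, retention figures and dates are constructed assumptions for illustration.

```python
# Added example (not from the original page): check whether a hunt's assumed
# time window is actually answerable by the data sources it depends on.
# Source names, retention figures and dates below are constructed assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DataSource:
    name: str
    retention_days: int        # days of history the source keeps
    collecting: bool = True    # False if the source is not collected at all


@dataclass(frozen=True)
class Gap:
    source: str
    reason: str
    start: Optional[datetime]  # None when no part of the window is usable
    end: Optional[datetime]


def day(year: int, month: int, d: int) -> datetime:
    """Helper for building UTC timestamps at midnight."""
    return datetime(year, month, d, tzinfo=timezone.utc)


def uncovered_span(source: DataSource, hunt_start: datetime,
                   hunt_end: datetime, now: datetime) -> Optional[Gap]:
    """Return the part of [hunt_start, hunt_end] this source cannot answer."""
    if not source.collecting:
        return Gap(source.name, "not collected", None, None)
    oldest = now - timedelta(days=source.retention_days)
    if hunt_end <= oldest:
        return Gap(source.name, "entire window older than retention",
                   hunt_start, hunt_end)
    if hunt_start < oldest:
        return Gap(source.name, "start of window older than retention",
                   hunt_start, oldest)
    return None


def find_gaps(sources: List[DataSource], hunt_start: datetime,
              hunt_end: datetime, now: datetime) -> List[Gap]:
    """List every source that cannot fully answer the assumed window."""
    gaps = []
    for s in sources:
        g = uncovered_span(s, hunt_start, hunt_end, now)
        if g is not None:
            gaps.append(g)
    return gaps


def effective_window(sources: List[DataSource], hunt_start: datetime,
                     hunt_end: datetime, now: datetime
                     ) -> Optional[Tuple[datetime, datetime]]:
    """Largest sub-window of the hunt that every collected source can answer."""
    collected = [s for s in sources if s.collecting]
    if not collected:
        return None
    oldest_common = max(now - timedelta(days=s.retention_days) for s in collected)
    start = max(hunt_start, oldest_common)
    return (start, hunt_end) if start < hunt_end else None


# Constructed sample hunt plan: a 75-day window checked on 2024-06-01.
NOW = day(2024, 6, 1)
HUNT_START = day(2024, 3, 1)
HUNT_END = day(2024, 5, 15)
SOURCES = [
    DataSource("edr", 30),
    DataSource("web-proxy", 90),
    DataSource("dns", 30, collecting=False),
    DataSource("auth", 400),
]

if __name__ == "__main__":
    for gap in find_gaps(SOURCES, HUNT_START, HUNT_END, NOW):
        print(f"{gap.source}: {gap.reason} ({gap.start} -> {gap.end})")
    print("window all collected sources can answer:",
          effective_window(SOURCES, HUNT_START, HUNT_END, NOW))
```

Running the sample shows that EDR can only cover the last two weeks of the assumed window, the proxy logs miss the first two days, and DNS contributes nothing because it is not collected. That output is what should go into the written assumptions and limitations: either the window is narrowed to what the data supports, or the gap is recorded so that a negative result is not mistaken for proof of absence.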

Desired outcome

A threat hunter should define, before starting, what result the hunt is expected to produce.

Here are a few examples:

  • Discovery of exposed data

  • Discovery of an attacker in the environment

  • Evidence that a known gap has been exploited

  • Confirmation of whether the environment is susceptible to specific attack techniques
