Scoping and hypothesis development
Scope and hypothesis development: Where is the hunt and what answers are you seeking?
What are the facilities/network/systems involved?
What data is needed for the hunt?
Hypothesis development based on threat hunting sources
Determine what's driving the hypothesis
Identify specific questions to be answered
Expected outcomes
Ensure scope still aligns with the purpose
Scope for the hunt
A hunter needs to understand the facilities, networks and systems that should be part of the hunt
Data is the crucial element of the hunt: collecting the relevant data is critical to the success of a hunt
The tools used by the hunter are another important aspect of scoping the hunt
Systems
This is the phase where hunters narrow the field by:
Identification of systems applicable to the threat hunt
Here are a few examples:
A critical application in your environment
An important infrastructure element
A central facility
Data sources
Identify data sources relevant to the hunt:
Network data
Host data
Ensure the scope of the hunt is not too narrow, as you could miss relevant data
Don't make the scope too broad, as it could complicate the hunt
Make sure that the scope still supports the purpose
Hypothesis development
Hypotheses are generated to direct threat-hunting efforts
A hypothesis serves as guidance that maintains the focus of the hunt and defines its direction
Identify the types of hypotheses to be developed:
Intelligence-driven
Domain knowledge-driven
Situational awareness-driven
Define the specific analytic questions to answer, based on the type of hypothesis:
Threat intelligence-driven hypotheses use specific attacker TTPs to create questions to answer
These types of hypotheses require threat intelligence with high fidelity
The intelligence should also provide information on the indicators to search, based on attacker TTPs
Analytical question examples
Below are some sample questions that may be used to formulate a hypothesis:
Are any systems under scope currently under the control of an attacker?
Have any privileged accounts been compromised?
Do we see any indicators of a specific malware used by the attacker?
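An added example (not from the original page) that turns the second question above, an intelligence-driven hypothesis about privileged account compromise, into a scoped hunt run over constructed logon records: the Hunt structure, the "host:4624" data-source label, and all host and account names are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Hunt:
    """Scope plus hypothesis for one hunt (hypothetical structure, not a standard)."""
    purpose: str
    in_scope_hosts: set        # facilities/systems the hunt covers
    privileged_accounts: set   # accounts the hypothesis is about
    admin_hosts: set           # hosts where privileged logons are expected
    required_sources: set = field(default_factory=lambda: {"host:4624"})

    def missing_data(self, available: set) -> set:
        """Data sources the hunt needs but the environment cannot supply."""
        return self.required_sources - available

    def run(self, events):
        """Analytic question: have any privileged accounts been compromised?
        Signal: a privileged account logging on to a host outside the admin set.
        Out-of-scope events are counted, not analysed, to keep the hunt on purpose."""
        findings, out_of_scope = [], 0
        for ev in events:
            if ev["host"] not in self.in_scope_hosts:
                out_of_scope += 1
                continue
            if ev["source"] != "host:4624":
                continue  # not the data this question needs
            if ev["user"] in self.privileged_accounts and ev["host"] not in self.admin_hosts:
                findings.append(ev)
        return findings, out_of_scope

# Constructed sample events (not real logs); 4624 = successful Windows logon
EVENTS = [
    {"source": "host:4624", "host": "jump01", "user": "da-admin", "logon_type": 10},
    {"source": "host:4624", "host": "ws-042", "user": "da-admin", "logon_type": 3},
    {"source": "host:4624", "host": "ws-042", "user": "jsmith", "logon_type": 2},
    {"source": "host:4624", "host": "lab-77", "user": "da-admin", "logon_type": 3},
    {"source": "net:flow", "host": "ws-042", "user": "", "logon_type": None},
]

HUNT = Hunt(
    purpose="Find misuse of domain admin accounts in the finance segment",
    in_scope_hosts={"jump01", "ws-042", "fs-01"},
    privileged_accounts={"da-admin"},
    admin_hosts={"jump01"},
)

def hunt_privileged_logons(events=EVENTS, hunt=HUNT):
    """Run the hunt; returns (suspicious events, count of out-of-scope events)."""
    return hunt.run(events)
```

With the constructed events the hunt returns one suspicious logon (da-admin on ws-042) and skips one event on the out-of-scope host lab-77; missing_data shows whether the environment can supply the host logon data the question depends on.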