Online Courses
Cyber Threat Hunting
  1. Cyber threat hunting process

Scoping and hypothesis development

Scope and hypothesis development: Where is the hunt and what answers are you seeking?

  • What are the facilities/network/systems involved?

  • What data is needed for the hunt?

  • Hypothesis development based on threat hunting sources

    • Determine what's driving the hypothesis

    • Identify specific questions to be answered

    • Expected outcomes

    • Ensure scope still aligns with the purpose

Scope for the hunt

A hunter needs to understand the facilities, networks and systems that should be part of the hunt.

  • Data is the crucial element of the hunt: collecting the relevant data is critical to its success

  • The tools the hunter will use are another important aspect of scoping the hunt

Systems

This is the phase where hunters narrow the field by:

  • Identification of systems applicable to the threat hunt

Here are a few examples:

  • A critical application in your environment

  • An important infrastructure element

  • A central facility

Data sources

Identify data sources relevant to the hunt:

  • Network data

  • Host data

Ensure the scope of the hunt is not too narrow, as you could miss data relevant to the hunt

Don't make the scope too broad, as that could complicate the hunt

Make sure that the scope still supports the purpose of the hunt

Hypothesis development

Hypotheses are generated to direct threat-hunting efforts.

A hypothesis serves as guidance to maintain the focus of the hunt and defines the direction of the hunt

Identify the types of hypotheses to be developed:

  • Intelligence-driven

  • Domain knowledge-driven

  • Situational awareness-driven

Define the specific analytic questions to answer, based on the type of hypothesis:

  • Threat intelligence-driven hypotheses use specific attacker TTPs to create questions to answer

  • This type of hypothesis requires threat intelligence with high fidelity

  • The intelligence should also provide information on the indicators to search, based on attacker TTPs

Analytical question examples

Below are some sample questions that may be used to formulate a hypothesis:

  • Are any systems under scope currently under the control of an attacker?

  • Have any privileged accounts been compromised?

  • Do we see any indicators of a specific malware used by the attacker?
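As an added example (not part of the course page), the following Python sketch shows how the scope and an intelligence-driven hypothesis described above can be written down as data and checked before the hunt starts. The scope check flags the "too narrow" case, where an analytic question needs a data source that is not in scope, and the hypothesis is then evaluated only against records from in-scope systems. The hostnames, domains, the hash, the log records and the indicator feed are all constructed; the feed stands in for the high-fidelity threat intelligence the page says this type of hypothesis requires.

```python
"""Scoped, intelligence-driven hunt hypothesis expressed as data and evaluated
against sample records (constructed example, not course material)."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class HuntScope:
    """Which systems and which data sources the hunt may look at."""
    systems: Set[str]
    data_sources: Set[str]


@dataclass
class Hypothesis:
    """An analytic question plus the indicators and data needed to answer it."""
    driver: str                     # "intelligence", "domain-knowledge" or "situational"
    question: str
    indicators: Dict[str, Set[str]]  # indicator field -> values from the TI feed
    required_sources: Set[str]       # data sources the question cannot be answered without


def validate_scope(scope: HuntScope, hyp: Hypothesis) -> List[str]:
    """Return a list of scoping problems; empty means the scope supports the question."""
    problems = []
    if not scope.systems:
        problems.append("no systems in scope")
    missing = hyp.required_sources - scope.data_sources
    if missing:
        problems.append(
            "scope too narrow: question needs data sources " + ", ".join(sorted(missing))
        )
    return problems


def run_hypothesis(scope: HuntScope, hyp: Hypothesis, records: List[dict]) -> List[dict]:
    """Match TI indicators only against records from in-scope hosts and sources."""
    hits = []
    for rec in records:
        if rec["host"] not in scope.systems or rec["source"] not in scope.data_sources:
            continue  # outside the agreed scope; not part of this hunt
        for field, values in hyp.indicators.items():
            if rec.get(field) in values:
                hits.append({"host": rec["host"], "source": rec["source"],
                             "indicator": field, "value": rec[field]})
    return hits


# Constructed indicator feed: a C2 domain and a file hash (placeholder value).
MALWARE_INDICATORS = {
    "domain": {"c2.badexample.test"},
    "sha256": {"a" * 64},
}

MALWARE_HYPOTHESIS = Hypothesis(
    driver="intelligence",
    question="Do we see any indicators of a specific malware used by the attacker?",
    indicators=MALWARE_INDICATORS,
    required_sources={"dns", "process"},
)

# Scope covering the critical application's hosts and both needed data sources.
IN_SCOPE = HuntScope(systems={"fin-app-01", "fin-app-02"}, data_sources={"dns", "process"})
# A scope that forgot endpoint process data: the hash indicator could never be seen.
NARROW_SCOPE = HuntScope(systems={"fin-app-01", "fin-app-02"}, data_sources={"dns"})

# Constructed sample records from network (dns) and host (process) data.
SAMPLE_RECORDS = [
    {"host": "fin-app-01", "source": "dns", "domain": "updates.example.test"},
    {"host": "fin-app-01", "source": "dns", "domain": "c2.badexample.test"},
    {"host": "hr-ws-07", "source": "dns", "domain": "c2.badexample.test"},  # out of scope
    {"host": "fin-app-02", "source": "process", "sha256": "a" * 64},
]

if __name__ == "__main__":
    print("narrow scope problems:", validate_scope(NARROW_SCOPE, MALWARE_HYPOTHESIS))
    for hit in run_hypothesis(IN_SCOPE, MALWARE_HYPOTHESIS, SAMPLE_RECORDS):
        print("hit:", hit)
```

The point of keeping scope and hypothesis as separate objects is that the scope check runs before any data is pulled: a question about a file hash cannot be answered from DNS logs alone, and the narrow scope is rejected for exactly that reason. The out-of-scope host that also resolves the C2 domain is deliberately not reported, which is the trade-off the page describes when it warns against making the scope too narrow.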


Last updated 8 months ago