Threat hunting models

Adopt a threat hunting model, like the following, that captures the various steps associated with threat hunting:

  1. Purpose - What is the reason for the hunt?

  2. Scope - Where is the hunt and what answers are you seeking?

  3. Formulate - Data sources and tools utilized

  4. Execute - Carry out the hunt

  5. Feedback - Lessons learned

Purpose

Reason for the hunt

  • What are the organization's goals for the hunt?

  • What is the hunting ground?

  • What are the assumptions?

  • What are the limitations?

  • What is the desired outcome?

Scope and hypothesis development

Where is the hunt and what answers are you seeking?

  • What are the facilities, networks and systems involved?

  • What data is needed for the hunt?

  • Develop hypotheses based on threat hunting sources (threat intelligence, prior incidents, known attacker techniques)

  • Determine what is driving each hypothesis

  • Identify the specific questions to be answered

  • Define the expected outcomes

  • Ensure scope still aligns with the purpose

Formulate

Data sources and tools

  • Identify data sources needed for the hunt based on the hypothesis

  • Determine analysis techniques needed to answer questions from the hypothesis

  • Understand the tools required to gather and analyze data

Execute

Carry out the hunt

  • Gather data identified in the formulate stage

  • Utilize analysis techniques to prove or disprove hypotheses

  • Employ additional tools, techniques and data sets as needed

  • Capture results as you proceed with the hunt

Feedback

Lessons learned from the hunt

  • This is the final step of the process; it reviews every stage of the hunt

  • All parties involved in the hunt provide feedback on the different stages

  • Examples

    • Were the hypotheses well-defined?

    • Was the outcome achieved?

    • Were identified data sources relevant?

    • Were the techniques used appropriate for the hunt?

    • Were there any visibility gaps?
