Based on the Mitre MAD Threat Hunting Methodology:
- Characterization
- Develop and Update Malicious Activity Model
- Develop Hypotheses and Abstract Analytics
- Determine Data Requirements
- Execution
- Identify and Mitigate Data Collection Gaps
- Implement and Test Analytics
- Hunt / Detect Malicious Activity and Investigate
Oh damn it! I just want to detect evil stuff!
This process hurts like other…
Yeah – I feel you but trust me, there are some benefits. As many times developing a Hunting- or Detection-Rule you’ll probably come across the question, that you have tuned your rule to a specific perspective or situation.
Here you are running into some bias – real world may look different then you are expecting. What if you don’t have the needed data points or lack of visibility points in network? While developing your analytic (aka. rule) did you think about potential evasions?
After applying this process in details, you should have a good knowledge about the key facts regarding the underlying bad behavior.
It should be mentioned that this process aims for some bigger target – the objective is to hunt for TTPs and not only searching for known IOCs. So please – think big. 😉
Developing a hypothesis
Definition of Hypothesis:
A supposition or proposed explanation made on the basis of limited evidence as a starting point for further investigation
A hypothesis:
- Describes a suspected reason for why something is happening
- Must be specific, evidence-driven, and falsifiable
- Example NOT falsifiable: A malicious actor will use extreme stealth to operate that will be indistinguishable from benign usage.
In Threat Hunting:
- Encourages clear thinking about what to hunt for and why.
- Provides focus for research, analysis, and data collection.
- Establishes scientific foundation for making claims during the hunt