The Anatomy of a Threat Hunting Hypothesis
By now we all know that a hypothesis is a cornerstone of any threat hunt. It gives hunters their primary directive, informing every decision of discovery and analysis. Threat hunting often operates in uncharted territory and a hypothesis is a compass that makes people just comfortable enough to take another step forward. However, writing a strong hypothesis can still be difficult for many hunters. This article will cover the best practices for creating a hypothesis and how you can set yourself up for success in any threat hunt.
Hypothesis Diagraming
When writing a hypothesis, you want to find the balance between too specific and too broad.
Overly specific hypotheses box a threat hunter in, which results in missing important indications of malicious activity. For example, hunting for specific domains or IP addresses can create a false sense of security that a threat doesn’t impact the organization based on a lack of matches in the logs.
Overly broad hypotheses can induce analysis paralysis in a threat hunter and cause a hunt to run in perpetuity without ever finding anything malicious. An example is hunting for evidence of "an APT" on the network. In this case, targeting the tactics, techniques, and procedures used by a named group such as APT28 would be a better strategy.
Threat hunters can strengthen their hypotheses by hypothesis diagramming. Taking us back to our early days in grammar class, hypothesis diagramming borrows directly from sentence diagramming. This process allows us to visualize the structure of our hunting hypothesis in a way that is not content-specific. Doing this creates something similar to bowling lane bumpers for our threat hunt.
A good hypothesis has the following elements:
Technique
Target
Actions on Objectives (Payload)
An example of this in action looks like the following:
Technique
The technique referenced in a hypothesis determines the actual malicious behavior that is being hunted. Traditionally this has been the only driving force of a threat hunt. While it is important, the context surrounding the malicious behavior is also incredibly relevant.
Target
Defining the target of a supposed attack ensures that a threat hunt looks at the right data sets. If your target is Windows desktops, you can automatically rule out logs from Windows servers, Linux hosts, or mobile devices.
The target can also define the severity of potential findings. Findings from an executive’s asset may require more immediate remediation versus findings from an internal development server.
Actions on Objectives
This is the ultimate “why” behind malicious activity. It could be to deploy a payload, to exfiltrate data, or to get an immediate payday. When pulling data to validate the hunt, the actions on objectives help narrow down what is classified as a true positive finding.
Actions on Objectives are generally what management cares about identifying and tracking as well. The type of risk and potential impact of an attack determine the type and level of investment that needs to be made over time.
What about Threat Actors?
Some threat hunting organizations also like to define a specific threat actor in a hypothesis. This is a completely optional element but can be very useful for more mature organizations. For some businesses, a specific threat actor may be needed to spur management into financial or program support.
While there is nothing wrong with defining a threat actor in your hypothesis, I would encourage focusing on techniques that are more broadly applicable.
More Examples:
Relevancy
Another part of creating a strong threat hunt is making sure the hypothesis is relevant to your organization and its priorities. Relevancy is an impact multiplier for threat hunts.
Is hunting for point of sale malware that only targets grocery stores in North Korea cool? Absolutely!
Is it relevant to your US based insurance business? Probably not.
In order to determine relevancy for your hunt, here are a few key components to consider as you propose a new threat hunt.
Industry
Creating hypotheses based on industry is a natural starting place for many hunters. It eliminates a lot of possible threats that may not be relevant. When considering an industry hunt, look at your high level industry and more specific industry designation within that.
For example, if a company is an insurance company, the high-level industry is finance and the more specific industry is insurance. Threats facing the finance industry as a whole may be relevant to your organization, and threats facing insurance specifically are very likely to be relevant.
When considering industry, it is also important to take into consideration the profile of the clients you serve and the vendors you employ. With supply chain attacks on the rise, you should consider hunts that represent these threats accurately. If you are in the defense industry, threats that may impact the government (client) may be as relevant as threats that impact your industry.
Geolocation
Geolocation is another high impact relevancy factor that is easy to consider and implement. In early 2022, we saw a significant rise in ransomware coming out of Russia and targeting Ukrainian assets. If your organization is solely based in Mexico and does no business in Ukraine, hunting for those types of threats would not have had a significant return on investment.
Consider your global placement, national placement, and regional placement when creating your hypothesis.
Technology Stack
Nothing is worse than creating a hypothesis, running queries, and finding that the technique you are hunting doesn’t impact any of the technology in your stack. Make sure you understand the applications, operating systems, hardware, and networks that make your business run.
If your organization uses GSuite for email, hunting the exploitation of a Microsoft Exchange vulnerability would not be a good use of your time.
Crown Jewels
Your business’ crown jewels are the very important people, assets, processes, or applications that drive revenue and success for your business. These hunts depend on a crown jewel assessment having been completed first, but the value is tremendous.
Creating hypotheses based on crown jewel relevancy should not be a frequent activity as the hunts produced are often very resource intensive. However, it is a fantastic option for more mature threat hunting programs.
Trends
Looking at the types of threats that have historically impacted the business can also inform very relevant threat hunts. If there is a high rate of phishing incidents, conducting an email based threat hunt may be more impactful to your organization than a hunt around Discord C2 communications. Likewise, if most incidents start from unpatched web applications, hunting against your externally facing assets may be more powerful than other hunts.
For new threat hunters, creating hypotheses around trends helps build confidence toward more creative and complex hunts. It also builds collaboration and communication between proactive and reactive security teams.
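The following is an added example, not code from the original article or its author. It encodes the three hypothesis elements above (technique, target, actions on objectives) in a small data structure, lints a hypothesis for the too-specific and too-broad failure modes described in the diagramming section (atomic indicators such as IPs, domains or hashes on one side; vague terms like "an APT" on the other), and then scores relevancy against a constructed organization profile along the five factors from this section (industry, geolocation, technology stack, crown jewels, trends). The indicator regexes, vague-term list, scoring scheme, and all sample hypotheses and profile values are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed regexes for atomic indicators; a hypothesis built on these is "too specific".
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:com|net|org|io|ru|xyz)\b", re.I)
HASH_RE = re.compile(r"\b[a-f0-9]{32}(?:[a-f0-9]{8}|[a-f0-9]{32})?\b", re.I)
# Terms that make the technique "too broad"; whole-word match, so "APT28" is not flagged.
VAGUE_RE = re.compile(r"\b(apt|malware|hackers|suspicious activity|bad actors?)\b", re.I)


@dataclass
class Hypothesis:
    technique: str                 # the malicious behavior being hunted
    target: str                    # the asset class / data set the hunt looks at
    actions_on_objectives: str     # the "why": payload, exfiltration, payday
    threat_actor: str = ""         # optional element
    industries: set = field(default_factory=set)
    regions: set = field(default_factory=set)
    technologies: set = field(default_factory=set)
    categories: set = field(default_factory=set)   # e.g. {"email"} for trend matching


@dataclass
class OrgProfile:
    industries: set
    regions: set
    technologies: set
    crown_jewels: set      # asset classes named as crown jewels
    incident_trends: set   # categories that dominate past incidents


def lint_structure(h: Hypothesis) -> list:
    """Return problems with the hypothesis' shape: missing elements, too specific, too broad."""
    problems = []
    for name, value in (("technique", h.technique), ("target", h.target),
                        ("actions on objectives", h.actions_on_objectives)):
        if not value.strip():
            problems.append(f"missing {name}")
    text = " ".join((h.technique, h.target, h.actions_on_objectives))
    if IPV4_RE.search(text) or DOMAIN_RE.search(text) or HASH_RE.search(text):
        problems.append("too specific: atomic indicator (IP, domain or hash) in hypothesis")
    m = VAGUE_RE.search(h.technique)
    if m:
        problems.append(f"too broad: technique names '{m.group(0)}' rather than a TTP")
    return problems


def relevancy(h: Hypothesis, org: OrgProfile) -> tuple:
    """Score 0-5 over industry, geolocation, technology stack, trends and crown jewels,
    returning a reason for every factor the hypothesis misses (assumed scoring scheme)."""
    score, reasons = 0, []
    checks = (
        ("industry", h.industries, org.industries),
        ("geolocation", h.regions, org.regions),
        ("technology stack", h.technologies, org.technologies),
        ("trends", h.categories, org.incident_trends),
    )
    for name, wanted, have in checks:
        if not wanted:
            reasons.append(f"{name}: hypothesis is not tagged")
        elif wanted & have:
            score += 1
        else:
            reasons.append(f"{name}: hypothesis assumes {sorted(wanted)}, org has {sorted(have)}")
    if h.target.lower() in {c.lower() for c in org.crown_jewels}:
        score += 1
    else:
        reasons.append(f"crown jewels: target '{h.target}' is not a crown jewel")
    return score, reasons


# Constructed sample profile: a US insurance company on Google Workspace and Windows desktops.
ORG = OrgProfile(
    industries={"finance", "insurance"}, regions={"US"},
    technologies={"windows", "google workspace", "okta"},
    crown_jewels={"executive laptops", "claims database"}, incident_trends={"email"},
)

# Constructed sample hypotheses covering the failure modes discussed in the article.
GOOD = Hypothesis(
    technique="Office macro launched from a phishing attachment spawns PowerShell",
    target="executive laptops", actions_on_objectives="deploy a ransomware payload",
    industries={"insurance"}, regions={"US"}, technologies={"windows"}, categories={"email"},
)
TOO_BROAD = Hypothesis(technique="evidence of an APT", target="the network",
                       actions_on_objectives="")
TOO_SPECIFIC = Hypothesis(technique="beacons to 203.0.113.7", target="windows desktops",
                          actions_on_objectives="exfiltrate data")
WRONG_STACK = Hypothesis(
    technique="exploitation of an Exchange vulnerability", target="mail servers",
    actions_on_objectives="exfiltrate mailboxes", industries={"finance"}, regions={"US"},
    technologies={"exchange"}, categories={"web application"},
)

if __name__ == "__main__":
    for name, h in (("GOOD", GOOD), ("TOO_BROAD", TOO_BROAD),
                    ("TOO_SPECIFIC", TOO_SPECIFIC), ("WRONG_STACK", WRONG_STACK)):
        print(name, lint_structure(h), relevancy(h, ORG))
```

Running the module prints, for each sample, the structural problems and the relevancy score with reasons; the Exchange hypothesis is well-formed but scores poorly because the profile's mail runs on Google Workspace, which is exactly the mismatch the technology stack section warns about.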
Conclusion
By combining relevancy and hypothesis diagramming, you can supercharge your hypotheses and hunt what matters most to your organization. Like most things, creating a strong hypothesis takes time and practice; the more you iterate on this process, the more success you will find.
Don’t be afraid to collaborate with other hunters on creating a hypothesis. There are tons of communities of folks who are willing to work together to make each other better.
If you have any questions or want to talk about threat hunting more, feel free to connect on Twitter or Infosec Exchange - @jotunvillur. Happy hunting!