Formulating a hypothesis is the first – and most important – step in threat hunting. A hypothesis can be formed based on three different types of information:
Threat Intelligence-Based Hypotheses
This kind of hypothesis leverages information from threat intelligence databases to identify indicators of compromise (IOCs) or known tactics, techniques, and procedures (TTPs) that are associated with identified attacks.
For example, a threat intelligence database reports that the hacking group IAMNEO is using malware that sends beaconing requests to infrastructure based in Vietnam. To find out whether this threat is present in their environment, the threat hunter would then look for evidence of beaconing traffic, that is, outbound connections recurring at regular intervals, to IP addresses based in Vietnam.
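The beaconing hunt described above, as an added example that is not part of the original article: it groups constructed outbound flow records by source and destination, keeps only destinations that resolve to the country named in the hypothesis, and flags pairs whose inter-connection gaps are nearly constant. The flow records, IP addresses and the prefix-to-country map are all constructed placeholders; a real hunt would read firewall or NetFlow exports and query a GeoIP database.

```python
"""Hunt for beaconing: periodic outbound connections to destinations in one country."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (epoch seconds, src_ip, dst_ip).
# Documentation-range addresses are used as placeholders.
FLOWS = [
    (1000, "10.0.0.5", "203.0.113.10"), (1060, "10.0.0.5", "203.0.113.10"),
    (1121, "10.0.0.5", "203.0.113.10"), (1180, "10.0.0.5", "203.0.113.10"),
    (1240, "10.0.0.5", "203.0.113.10"), (1299, "10.0.0.5", "203.0.113.10"),
    (1003, "10.0.0.7", "198.51.100.20"), (1400, "10.0.0.7", "198.51.100.20"),
    (1410, "10.0.0.7", "198.51.100.20"), (2900, "10.0.0.7", "198.51.100.20"),
    (1010, "10.0.0.9", "203.0.113.10"), (1020, "10.0.0.9", "203.0.113.10"),
]

# Constructed prefix-to-country map standing in for a GeoIP database (assumption).
GEO = {"203.0.113.": "VN", "198.51.100.": "VN"}


def country_of(ip):
    """Return the two-letter country code for an IP, or '??' if unknown."""
    for prefix, cc in GEO.items():
        if ip.startswith(prefix):
            return cc
    return "??"


def find_beacons(flows, country, min_conns=5, max_cv=0.1):
    """Return (src, dst, mean_gap_seconds) for source/destination pairs whose
    timing looks like a beacon: at least min_conns connections and a
    coefficient of variation (stdev / mean of the gaps) at or below max_cv."""
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        if country_of(dst) == country:
            by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_conns:      # too few samples to judge periodicity
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((src, dst, round(avg, 1)))
    return hits


if __name__ == "__main__":
    for src, dst, gap in find_beacons(FLOWS, "VN"):
        print(f"possible beacon: {src} -> {dst} every ~{gap}s")
```

Host 10.0.0.7 also talks to a Vietnam-based address but irregularly and only four times, so it is not flagged; tune min_conns and max_cv to the observation window and the jitter the reported malware is known to use.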
Situational Awareness-Based Hypotheses
This type of hypothesis is based on the threat hunter identifying significant changes to the IT environment, which can be an indicator of an attack.
For example, mergers and acquisitions can be an opportunity for an attack, especially when they are public knowledge. Security analysts could decide to investigate the acquired organization’s network for potential hidden threats.
Domain Expertise-Based Hypotheses
This type of hypothesis is built using specific knowledge that the analyst has about the organization’s environment in order to anticipate attacks and look for signs of possible compromise.
For example, the security analyst may learn about a specific exploit that has been used against other organizations that use the same VPN software. With this knowledge, the analyst hypothesizes that the same exploit could be used against their organization and looks for signs of compromise, such as newly created, unauthorized administrative user accounts.