The Anatomy of a Threat Hunting Hypothesis
OVERVIEW
This presentation is based on a blog post that explains how to create more effective threat hunting hypotheses using sentence diagramming and impact multipliers. A version of this presentation has been given in 20-minute and 45-minute formats.
The first half of the presentation will illustrate a technique called hypothesis diagramming. This process involves defining a technique, target, and action on objective (or payload) for each hunt. This method teaches analysts or threat hunters a repeatable process for creating hypotheses that ensures an adequate scope is always defined. This is almost like Mad Libs for threat hunt hypotheses. In addition, I will include several examples of real hunt hypotheses with the respective elements mapped.
The second half of the presentation will focus on the various impact multipliers that can be applied to a hypothesis to increase relevancy and potential output. It will discuss five common impact multipliers of relevancy: industry, geolocation, technology stack, VIP status, and trends. Each impact multiplier can tweak a hypothesis to take it from generic to organization specific. For example, if you work for a university in Kansas that doesn’t operate outside the state, hunting for point-of-sale malware that impacts North Korean grocery stores may not be the best use of your time.
Wrapping up, this presentation will give examples of hypothesis diagramming + impact multipliers and real hypothesis examples. Several more advanced hunting resources will be provided at the end of the presentation, in addition to ten more hypotheses for people to explore further.