<aside> 📌 There is a certain level of assumed knowledge in this article. A glossary is included with links to further reading material which provides sufficient context.
</aside>
Threat hunting has been bandied about a lot in recent years. It has become the ultimate buzzword. Many organisations have decided to adopt this function, or at least to have someone within their security team responsible for hunting.
I have spent the past 2-3 years working in threat hunting with prior experience in Digital Forensics and Incident Response (DFIR) and multiple roles within security monitoring.
There are many books, documents, blog posts, reports and papers available to read about hunting, but I can say from experience that not all of it is useful, and each has its own definition or understanding of what hunting is for, how it should be applied and how it should integrate into the security practice. There is certainly no de facto ‘industry standard’.
Despite being fairly experienced and leveraging knowledge from other departments to help me in my threat hunting journey, it was only after 2 years in a dedicated role that I realised how little I really knew.
It has taken a lot of reading, reviewing, hands-on trial and error as well as countless conversations with many heavily experienced professionals to try and ascertain a reliable, consistent and repeatable methodology for preparing, conducting and outputting a threat hunt.
This article will cover the three core components required to produce an effective and useful threat hunt. At its core, threat hunting is about telling a story: providing a beginning, middle and end, which respectively detail the origins, adventures and conclusion of a topic or character (in our case, a hypothesis).
<aside> 📌 This article is not ‘gospel’; others may conclude that crucial information is missing from this post, or that unnecessary information has been included. These are my opinions and are based purely on my experiences and understanding.
</aside>
At various points throughout a story, tangents reveal themselves. Each of these tangents could be a story in its own right, but we don’t interrupt this book with another; we finish this book to understand this topic in its entirety before expanding our knowledge of the wider world. In essence, as you uncover additional information throughout your hunt, stay on target and continue the hunt within the parameters defined by your hypothesis. You can perform subsequent hunts after completing this one.
“If you don't know where you are going, you'll end up someplace else.” Yogi Berra
The main objective of hunting is to convert unknown unknowns (things that we don’t know we don’t know) into known unknowns (things that we know we do not know), and to convert unknown knowns and known unknowns into known knowns (things that we know we know) [https://www.theuncertaintyproject.org/tools/rumsfeld-matrix].
https://info.veritasts.com/insights/unknown-unknowns-how-to-manage-risk-against-the-unexpected
In summary, we are trying to gain as much insight as possible into as many things as possible by collecting data, inferring information from it and building understanding; the more data you collect, the more information you can infer and the more intelligence you can gain.