
The Importance of Hunt Hypotheses

March 2022

Every Good Threat Hunting Program is Backed By An Arsenal of Good Hunt Hypotheses

When it comes to threat hunting, you can’t just throw your net out and see what you catch. You need a starting point - something specific you can look for that is most likely connected to, or will lead you to, a threat. We refer to these as hunt hypotheses: an educated guess, based on past experience, a breach report, the MITRE ATT&CK framework, or any other lead you may have, that helps you figure out where to start and what to look for.

For example, you may try to find:

  • Attack behavior: using known attack methodologies and techniques (documented, for example, in the MITRE ATT&CK framework or a breach report) to uncover discovery activity, lateral movement, privilege escalation, living-off-the-land tactics and binary usage, communications to suspicious domains/IP addresses, and new binaries/applications, any of which could be part of an attack.
  • Anomalies: using techniques like clustering, classification, stacking, machine learning, and anomaly detection to find changes in frequency, timing, or rate for a particular user, device, domain, tool, or IP address, which can reveal anomalous behavior indicative of a threat.
  • Known threats: using historical data on known attacks (signatures, patterns, malware hashes) to find threats that have been seen before.

Some things are harder to look for than others. The Pyramid of Pain (see below) illustrates how difficult it is to identify certain indicators to prove a threat hypothesis. The bottom of the pyramid represents things that are easy to look for and identify, like known bad hash values, IP addresses, and domain names. These are things that when you see them, you know you’ve found a threat. The higher up you go, however, the harder it is. The top of the pyramid is really where your threat hunting program needs to focus. It’s where an arsenal of solid hunt hypotheses will help you systematically uncover some of the most obscure attack tactics - and build your proficiency.
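The three hunt types listed above map onto different levels of the Pyramid of Pain, and the difference is easiest to see in code. The following is an added example, not code from the original post or from Kognos: it runs three hunt hypotheses over a small set of constructed process-creation events. The known-threat hunt (hash and IP matching) sits at the bottom of the pyramid; the stacking hunt (which processes run on unusually few hosts) and the ATT&CK-style behavioral hunt (an Office application spawning a scripting shell) sit higher up. Every hash, host name and the 203.0.113.50 address are placeholders constructed for the example.

```python
"""Three hunt hypotheses run over constructed process-creation telemetry."""
from collections import defaultdict

# Constructed sample telemetry, one dict per process-creation event.
# Hash values and the 203.0.113.50 address are placeholders, not real indicators.
EVENTS = [
    {"host": "ws01", "user": "alice", "parent": "explorer.exe", "process": "chrome.exe",
     "sha256": "HASH_CHROME", "dst_ip": "93.184.216.34"},
    {"host": "ws02", "user": "bob", "parent": "explorer.exe", "process": "chrome.exe",
     "sha256": "HASH_CHROME", "dst_ip": "93.184.216.34"},
    {"host": "ws03", "user": "carol", "parent": "explorer.exe", "process": "chrome.exe",
     "sha256": "HASH_CHROME", "dst_ip": "93.184.216.34"},
    {"host": "ws01", "user": "alice", "parent": "explorer.exe", "process": "winword.exe",
     "sha256": "HASH_WORD", "dst_ip": None},
    {"host": "ws02", "user": "bob", "parent": "explorer.exe", "process": "winword.exe",
     "sha256": "HASH_WORD", "dst_ip": None},
    # Word launching PowerShell that talks to a placeholder known-bad address.
    {"host": "ws02", "user": "bob", "parent": "winword.exe", "process": "powershell.exe",
     "sha256": "HASH_PS", "dst_ip": "203.0.113.50"},
    # An admin running PowerShell from Explorer: same binary, benign context.
    {"host": "ws03", "user": "carol", "parent": "explorer.exe", "process": "powershell.exe",
     "sha256": "HASH_PS", "dst_ip": None},
    # A binary seen on a single host whose hash is on the known-bad list.
    {"host": "ws01", "user": "alice", "parent": "explorer.exe", "process": "updater.exe",
     "sha256": "HASH_PLACEHOLDER_BAD", "dst_ip": None},
]

# Known-threat inputs (bottom of the Pyramid of Pain): hashes and IP addresses.
KNOWN_BAD_HASHES = {"HASH_PLACEHOLDER_BAD"}
KNOWN_BAD_IPS = {"203.0.113.50"}

# Behavioral hypothesis inputs: an Office application spawning a scripting shell.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}


def hunt_known_threats(events):
    """Known-threat hunt: match each event's hash and destination IP against indicator lists."""
    hits = []
    for e in events:
        if e["sha256"] in KNOWN_BAD_HASHES:
            hits.append((e["host"], e["process"], "known-bad hash"))
        if e["dst_ip"] in KNOWN_BAD_IPS:
            hits.append((e["host"], e["process"], "known-bad ip"))
    return hits


def hunt_rare_processes(events, max_hosts=1):
    """Anomaly hunt by stacking: count the distinct hosts each process name runs on.

    Processes present on at most max_hosts hosts are the outliers worth a closer look;
    widely deployed software is pushed down the list by the same count.
    """
    hosts_by_process = defaultdict(set)
    for e in events:
        hosts_by_process[e["process"].lower()].add(e["host"])
    return {p: sorted(h) for p, h in hosts_by_process.items() if len(h) <= max_hosts}


def hunt_office_spawning_shell(events):
    """Attack-behavior hunt: an Office parent process launching a shell or script host."""
    return [(e["host"], e["parent"], e["process"]) for e in events
            if e["parent"].lower() in OFFICE_APPS and e["process"].lower() in SHELLS]


if __name__ == "__main__":
    print("known threats:", hunt_known_threats(EVENTS))
    print("rare processes:", hunt_rare_processes(EVENTS))
    print("office -> shell:", hunt_office_spawning_shell(EVENTS))
```

Note that powershell.exe appears on two hosts and is not flagged by the stacking hunt, yet one of those executions is caught by the behavioral hunt because of its parent; the same binary is benign or suspicious depending on context, which is exactly why hypotheses higher in the pyramid are harder to write and more valuable than a hash match.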

[Figure: Pyramid of Pain]

The more hypotheses you have, the more you can look for, and the more you can potentially find.

Having an arsenal of hunt hypotheses is but one of the elements critical to your team's ability to effectively track down attackers in your environment. Learn about the others - and how you can attain them - in our newly published ebook: "The 5 Elements of an Effective Threat Hunting Program."

Kognos continuously monitors billions of relationships to detect suspicious behavior. Once detected, Kognos uses an AI powered inquiry engine to ask thousands of forensic questions per second to fully contextualize the attack and present the findings as complete attack campaigns, allowing the analyst to respond in real-time.

Copyright © 2021 Kognos, Inc. All Rights Reserved.