eBook: The 5 Elements of an Effective Threat Hunting Program. Download Now

Menu

the importance of hunt hypotheses

March, 2022

Every Good Threat Hunting Program is Backed By An Arsenal of Good Hunt Hypotheses

When it comes to threat hunting, you can’t just throw your net out and see what you catch. You need a starting point - something specific you can look for that is most likely connected to or will lead you to a threat. We refer to these as hunt hypotheses; an educated guess, based on past experience, a breach report, the MITRE ATT&CK framework, or any other lead you may have that helps you figure out where to start and what to look for.

For example, you may try to find:

  • Attack behavior: using known attack methodologies and techniques (which may have been documented in the MITRE framework or a breach report) to uncover discovery activity, lateral movement, privilege escalation, living off the land tactics, binary usage, communications to suspicious domains/IP addresses, new binaries/applications, which could be part of an attack.
  • Anomalies: using techniques like clustering, classification, stacking, machine learning, and anomaly detection to find changes in frequency, time, rate, etc. applied to a particular user, device, domain, tool, IP address, etc., which can reveal anomalous behavior indicative of a threat.
  • Known threats: using historical data (signatures/patterns/malware hashes) of known attacks to find known threats.

Some things are harder to look for than others. The Pyramid of Pain (see below) illustrates how difficult it is to identify certain indicators to prove a threat hypothesis. The bottom of the pyramid represents things that are easy to look for and identify, like known bad hash values, IP addresses, and domain names. These are things that when you see them, you know you’ve found a threat. The higher up you go, however, the harder it is. The top of the pyramid is really where your threat hunting program needs to focus. It’s where an arsenal of solid hunt hypotheses will help you systematically uncover some of the most obscure attack tactics - and build your proficiency.

Pyramid of Pain

The more hypotheses you have, the more you can look for, and the more you can potentially find. Of course, this necessitates being able to run all these hypotheses - on a regular basis - across your environment, using an automated, AI/ML-based engine that can keep up and scale with your needs.

At Kognos, we have pioneered an autonomous threat hunting system that executes hunts for threats as a threat hunter would - from start to finish - delivering complete attack stories in minutes that document everything of analytical interest.

With Kognos, threat hunters can quickly remediate attacks and get ahead of emerging threats, knowing nothing was missed and nothing is left unanswered. This allows threat hunters to focus on creating additional hunt hypotheses, questions, and actions to be fed into the Kognos autonomous system. Threat hunters can also share successful hunt hypotheses, via the Kognos content cloud, allowing other threat hunters to take advantage of them at the click of a button, and reduce MTTD and MTTR metrics considerably.

Learn more - The 5 Elements of an Effective Threat Hunting Program

Kognos continuously monitors billions of relationships to detect suspicious behavior. Once detected, Kognos uses an AI powered inquiry engine to ask thousands of forensic questions per second to fully contextualize the attack and present the findings as complete attack campaigns, allowing the analyst to respond in real-time.

Contact

Oxygen Icon Box

2064 Walsh Ave, STE C1
Santa Clara, 
California - 95050

Oxygen Icon Box

info@kognos.io

Copyright © 2021 Kognos, Inc. All Rights Reserved.
envelopemap-markercross linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram