
Understanding Threat Hunting Initiation

How is the hypothesis formed?


When I first learned about Threat Hunting, the biggest question I had was: how is the hypothesis formed? How do you reach the point of forming a hypothesis that serves as the basis for the threat hunting investigation? After spending time in my home lab, I believe I have answered the question for myself, or at least for my lab environment.

I have started writing SOC analysis reports based on alerts triggered in my Splunk instance. One of the things I have learned from conducting adversary emulation exercises is that a single attack can trigger multiple alerts. Individually, these alerts are only puzzle pieces; put together, they tell a bigger story than any one alert indicates on its own.

I began thinking ahead: once I have several reports, the hypothesis could be formed by reviewing multiple reports filed on different alerts, and this would initiate a threat hunting exercise. This is an exciting realization to me because it lets me see how to utilize the reports I'm writing. The reports themselves open the door to conducting threat detection in my home lab environment.
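To make the puzzle-pieces idea concrete, here is an added example (not code from this post, and not the author's Splunk setup or report format) that stitches individual alert reports into per-host chains and turns any chain spanning several ATT&CK tactics into a hypothesis to hunt on. The alert records, their field names (`ts`, `host`, `user`, `rule`, `tactic`) and the one-hour window are constructed for the example and are assumptions, not a real Splunk schema.

```python
"""Stitch individual alerts into chains that can seed a hunting hypothesis.

Added example, not the author's Splunk configuration or report format.
The alert records below are constructed; the field names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts, each standing in for one SOC report on one rule.
# Timestamps are UTC; tactics use MITRE ATT&CK tactic names.
ALERTS = [
    {"ts": "2024-03-01T09:02:00", "host": "ws01", "user": "jdoe",
     "rule": "Office spawned PowerShell", "tactic": "Execution"},
    {"ts": "2024-03-01T09:05:30", "host": "ws01", "user": "jdoe",
     "rule": "Encoded PowerShell command line", "tactic": "Defense Evasion"},
    {"ts": "2024-03-01T09:07:10", "host": "ws01", "user": "jdoe",
     "rule": "New scheduled task created", "tactic": "Persistence"},
    {"ts": "2024-03-01T09:40:00", "host": "ws01", "user": "jdoe",
     "rule": "LSASS memory access", "tactic": "Credential Access"},
    {"ts": "2024-03-01T14:00:00", "host": "ws02", "user": "svc_backup",
     "rule": "New scheduled task created", "tactic": "Persistence"},
    {"ts": "2024-03-02T11:00:00", "host": "ws01", "user": "jdoe",
     "rule": "Office spawned PowerShell", "tactic": "Execution"},
]


def parse(alert):
    """Copy an alert record and turn its ISO timestamp into a datetime."""
    a = dict(alert)
    a["ts"] = datetime.fromisoformat(alert["ts"])
    return a


def chain_alerts(alerts, window=timedelta(hours=1)):
    """Group alerts per host; consecutive alerts within `window` join one chain.

    A gap larger than `window` on the same host starts a new chain, so the
    same rule firing a day later is not lumped into an older story.
    """
    by_host = defaultdict(list)
    for a in sorted((parse(a) for a in alerts), key=lambda a: a["ts"]):
        by_host[a["host"]].append(a)

    chains = []
    for items in by_host.values():
        current = [items[0]]
        for a in items[1:]:
            if a["ts"] - current[-1]["ts"] <= window:
                current.append(a)
            else:
                chains.append(current)
                current = [a]
        chains.append(current)
    return chains


def hypotheses(alerts, min_tactics=2):
    """Return one hypothesis per chain that spans at least `min_tactics` tactics.

    A single tactic (one scheduled task on ws02) is just an alert; a chain that
    walks through execution, evasion, persistence and credential access on one
    host within an hour is a story worth hunting for elsewhere.
    """
    out = []
    for chain in chain_alerts(alerts):
        tactics = []
        for a in chain:  # keep first-seen order of tactics
            if a["tactic"] not in tactics:
                tactics.append(a["tactic"])
        if len(tactics) < min_tactics:
            continue
        start, end = chain[0]["ts"], chain[-1]["ts"]
        users = sorted({a["user"] for a in chain})
        out.append(
            f"{chain[0]['host']}: {' -> '.join(tactics)} between "
            f"{start:%Y-%m-%d %H:%M} and {end:%Y-%m-%d %H:%M} "
            f"(users: {', '.join(users)}); hypothesis: one intrusion "
            f"progressed through {len(tactics)} tactics on this host; "
            f"hunt for the same rule sequence on other hosts"
        )
    return out


if __name__ == "__main__":
    for h in hypotheses(ALERTS):
        print(h)
```

Run against the constructed data, only the ws01 morning chain produces a hypothesis; the lone scheduled-task alert on ws02 and the repeat PowerShell alert the next day stay as single alerts. The window and the tactic threshold are the knobs to tune against what your own lab's reports look like.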

It's been about a year since I wrote a SOC analysis report, and I recently got my lab to a point where this is the logical next step to begin working on. So understanding how to further utilize these reports once I have several completed opens the next door.

Skills building on top of skills, deeper understanding of how things connect and work together. This is a great learning experience!