2.1 Developing Hypotheses - MAD20 Threat Hunting & Detection Engineering Course

MAD20Tech
25 Apr 2024 (07:45)

Summary

TLDR: This module delves into developing hypotheses and abstract analytics in the threat hunting methodology. It emphasizes the importance of formulating testable hypotheses based on TTP insights and evidence, guiding data collection and analytic development. A good hypothesis should be specific, evidence-driven, and falsifiable, helping to focus research and reason about behavior naturally. The process involves iterative refinement to address nuances and false positives, ultimately aiding in identifying malicious activity.

Takeaways

  • 🔎 The module focuses on developing and refining hypotheses and abstract analytics to explore for evidence of malicious activity.
  • 📝 A hypothesis is defined as a supposition or proposed explanation made on limited evidence as a starting point for further investigation.
  • 📋 A well-formed hypothesis should be specific, evidence-driven, testable, and falsifiable to guide data collection and analysis.
  • 🧐 Hypotheses are crafted using TTP insights and existing knowledge of adversary behavior to make claims about potential malicious activity.
  • 🔍 The development of hypotheses helps in focusing the research, data collection, and analytic development for a deeper understanding of the environment.
  • 🤔 A hypothesis should be framed in a way that allows for testing to gain additional evidence and should consider what evidence would support or refute it.
  • 🚫 A hypothesis should be falsifiable, meaning it can be disproven through testing, avoiding statements that are indistinguishable from benign usage.
  • 🛠 Hypothesis creation is an iterative process that involves continual updating and refinement based on evidence and evaluation of falsifiability.
  • 📖 Writing a hypothesis in plain language helps facilitate reasoning and understanding without being constrained by specific query syntax.
  • 🔑 Hypotheses should be specific enough to avoid false positives and should incorporate key elements of the suspected malicious behavior.
  • 🔄 The process of hypothesis refinement involves considering benign scenarios and addressing them to focus on identifying actual malicious usage.

Q & A

  • What is the main focus of module two in the threat hunting methodology?

    -Module two focuses on developing and refining hypotheses and abstract analytics to explore hunting for evidence that indicates a malicious actor may be present.

  • What is the definition of a hypothesis according to the Oxford dictionary?

    -A hypothesis is defined as a supposition or proposed explanation made on the basis of limited evidence as a starting point for further investigation.

  • What are the criteria that a good hypothesis should meet?

    -A good hypothesis should be specific enough to be useful, evidence-driven, testable to gain additional evidence, and falsifiable, meaning it can be disproven through testing.

  • Why is it important to create a hypothesis that is specific?

    -A specific hypothesis helps to focus the problem, making it easier to scope data collection and analysis, and avoiding vagueness that could lead to inadequate answers.

  • How does a hypothesis help in the threat hunting process?

    -A hypothesis provides clarity in thinking about what is being looked for, helps reason about behavior naturally, and bridges narrative information about behavior to concrete analytics.

  • What is the purpose of creating a hypothesis in the context of threat hunting?

    -Creating a hypothesis helps to provide focus for research, data collection, and analytic development, allowing for a deeper understanding of what an analytic does and what can trigger false positives.

  • Why should a hypothesis be falsifiable in scientific terms?

    -A falsifiable hypothesis is one that can be disproven through testing, which is essential for scientific rigor and to avoid making claims that cannot be objectively evaluated.

  • What is an example of a hypothesis that is not falsifiable?

    -An example of a non-falsifiable hypothesis is 'a malicious actor will use extreme stealth to operate in a way that will be indistinguishable from benign usage,' as there would be no evidence to examine if the claim were correct.

  • How does the process of hypothesis refinement help in threat hunting?

    -Hypothesis refinement helps to account for nuances not captured during initial development and focuses on malicious usage, improving the accuracy and effectiveness of the hypothesis.

  • What should be the language of a hypothesis in the methodology stage?

    -A hypothesis should be written in plain, human-understandable language to facilitate reasoning and understanding without the constraints of specific query syntax and to allow for sharing of thoughts and ideas.

  • Can you provide an example of how to refine a hypothesis based on the script?

    -An initial hypothesis like 'if a task is scheduled, an adversary is establishing persistence' can be refined to 'if a task is scheduled by a non-admin user, an adversary is establishing persistence' to account for benign task scheduling by administrators. The lesson also notes the cost of this refinement: it will not catch a malicious task scheduled by an administrator, which may be acceptable for now but is a weakness of the hypothesis to keep in mind.
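The two iterations of the cyber example can be written down as filters and run against records, which makes the trade-off the lesson describes measurable: fewer false positives in the refined version, but admin-created malicious tasks slip through. The block below is an added example and is not part of the course material. The record fields mimic what a Windows Security event 4698 ("A scheduled task was created") carries, but the events themselves, the account and task names, the assumed Administrators group membership, and the `truth` labels used for scoring are all constructed for the example; real telemetry carries no ground-truth label.

```python
"""Scoring two versions of a threat-hunting hypothesis against constructed
scheduled-task creation records.

Hypothesis v1: "If a task is scheduled, an adversary is establishing persistence."
Hypothesis v2: "If a task is scheduled by a non-admin user, an adversary is
               establishing persistence."

The records are constructed for this example. They mimic the fields of a
Windows Security event 4698 (scheduled task created) but are not real
telemetry. The `truth` field is an assumed label used only to score each
hypothesis; real logs carry no such field.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TaskCreatedEvent:
    time: str            # ISO-8601 timestamp (constructed)
    host: str            # host where the task was registered
    subject_user: str    # account that registered the task (SubjectUserName)
    task_name: str       # TaskName as registered
    command: str         # executable or command line the task runs
    truth: str           # assumed label for scoring: "benign" or "malicious"


# Assumed membership of the local Administrators group on the sample host.
ADMIN_ACCOUNTS = {"ws01\\svc-backup", "ws01\\itadmin"}

# Constructed sample events covering the scenarios the lesson discusses:
# benign admin tasks, a malicious non-admin task, and a malicious admin task.
SAMPLE_EVENTS = [
    TaskCreatedEvent("2024-04-25T08:01:10Z", "ws01", "ws01\\itadmin",
                     "\\Maintenance\\DiskCleanup", "cleanmgr.exe /sagerun:1", "benign"),
    TaskCreatedEvent("2024-04-25T08:05:42Z", "ws01", "ws01\\svc-backup",
                     "\\Backup\\Nightly", "C:\\Backup\\run.cmd", "benign"),
    TaskCreatedEvent("2024-04-25T13:22:07Z", "ws01", "ws01\\jdoe",
                     "\\Updater", "C:\\Users\\jdoe\\AppData\\Roaming\\upd.exe", "malicious"),
    TaskCreatedEvent("2024-04-25T13:40:55Z", "ws01", "ws01\\itadmin",
                     "\\Microsoft\\Windows\\Sync", "C:\\Windows\\Temp\\svc.exe", "malicious"),
]


def hypothesis_v1(events):
    """v1: every task creation is a candidate persistence event."""
    return list(events)


def hypothesis_v2(events, admins):
    """v2: only tasks created by accounts outside the admin group are candidates.
    Account names are compared case-insensitively, as Windows treats them."""
    admin_set = {a.lower() for a in admins}
    return [e for e in events if e.subject_user.lower() not in admin_set]


def score(candidates, events):
    """Score a hypothesis against the assumed labels.
    Returns (true_positives, false_positives, missed): false positives are the
    benign evidence that refutes the hypothesis as written; missed events are
    the blind spot the refinement introduces."""
    flagged = set(candidates)
    tp = sum(1 for e in flagged if e.truth == "malicious")
    fp = sum(1 for e in flagged if e.truth == "benign")
    missed = sum(1 for e in events if e.truth == "malicious" and e not in flagged)
    return tp, fp, missed


if __name__ == "__main__":
    for name, hits in (("v1", hypothesis_v1(SAMPLE_EVENTS)),
                       ("v2", hypothesis_v2(SAMPLE_EVENTS, ADMIN_ACCOUNTS))):
        tp, fp, missed = score(hits, SAMPLE_EVENTS)
        print(f"{name}: flagged={len(hits)} tp={tp} fp={fp} missed={missed}")
        for e in hits:
            print(f"   {e.time} {e.subject_user:16} {e.task_name:30} -> {e.command}")
```

Running it shows v1 flagging all four creations (two of them benign admin maintenance tasks) and v2 flagging only the task registered by the non-admin account, while no longer seeing the malicious task the administrator account registered. That second number is the weakness the lesson asks you to carry forward into the next iteration, for example by adding evidence about the task's command path or the user's normal activity rather than relying on group membership alone.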

Outlines

00:00

🔎 Developing Hypotheses and Abstract Analytics

This paragraph introduces Module 2 of the threat hunting methodology, focusing on the development and refinement of hypotheses and abstract analytics. It emphasizes the importance of using TTP insights to form testable hypotheses about potential malicious activity. The paragraph outlines the criteria for a well-formed hypothesis: it must be specific, evidence-driven, testable, and falsifiable. The process of hypothesis creation is described as iterative, allowing for continuous refinement based on evidence. The purpose of creating hypotheses in threat hunting is to clarify thinking, reason about behavior naturally, and bridge the gap between narrative information and concrete analytics. The paragraph also provides an example of how to refine a hypothesis to reduce the likelihood of false positives and ensure it remains falsifiable.

05:03

🚔 Hypothesis Refinement and Cybersecurity Application

The second paragraph delves deeper into the process of hypothesis refinement using the analogy of a burglar breaking into a home by kicking open locked doors. It illustrates how a hypothesis can be made more specific and less prone to false positives by incorporating key elements of the malicious technique. The paragraph also discusses the importance of gathering evidence to support or refute the hypothesis and the need to consider benign scenarios that could mimic malicious activity. A cyber-related example is provided, where the hypothesis evolves from a general statement about task scheduling to a more specific one that considers the user role in task creation. The paragraph concludes by reiterating the importance of a solid hypothesis being specific, evidence-driven, and falsifiable to guide effective research in cybersecurity.

Keywords

💡Hypothesis

A hypothesis is a proposed explanation made on the basis of limited evidence as a starting point for further investigation. In the context of the video, a hypothesis serves as a supposition about potential malicious activity that can be tested and refined through data collection and analysis. The script emphasizes the importance of creating specific, evidence-driven, and falsifiable hypotheses to guide threat hunting operations and to focus research efforts effectively.

💡Threat Hunting

Threat hunting refers to the proactive search for potential security threats that may not be detected by traditional security measures. In the video, it is the process of developing and refining hypotheses and abstract analytics to explore for evidence indicating the presence of a malicious actor. The methodology described involves using TTP insights to formulate testable claims about malicious activities within an environment.

💡Abstract Analytics

Abstract analytics in the video refers to a conceptual approach to analyzing data that is not tied to specific query syntax or platform. It is about understanding patterns and behaviors that could indicate malicious activity. The script discusses the importance of formulating abstract analytics to guide the development of more concrete analytic tools and to facilitate reasoning about behavior in a way that is not constrained by specific technologies.

💡TTP (Tactics, Techniques, and Procedures)

TTP stands for Tactics, Techniques, and Procedures, which are the methods used by adversaries to carry out cyber attacks. The script mentions using TTP insights to develop hypotheses about what behaviors or patterns might indicate malicious activity. Understanding TTPs helps in crafting more accurate and relevant hypotheses for threat hunting.

💡Evidence-Driven

Being evidence-driven means basing one's hypothesis or conclusions on the available data or evidence. The video emphasizes the importance of using existing techniques, knowledge of adversary behavior in TTPs, and findings from research and investigation to support the development of a hypothesis. This approach ensures that hypotheses are grounded in reality and can be tested and refined.

💡Falsifiable

A falsifiable hypothesis is one that can be disproven through testing. The script explains that a good scientific hypothesis should be falsifiable, meaning there should be a way to gather evidence that could potentially show the hypothesis to be incorrect. This is crucial for the scientific process of hypothesis testing in threat hunting.

💡Data Collection

Data collection is the process of gathering and assembling information that is relevant to the hypothesis being tested. In the video, data collection is highlighted as a critical step following the development of a hypothesis, as it provides the necessary information to analyze and test the hypothesis for indications of malicious activity.

💡Analytic Development

Analytic development involves creating tools and methods for analyzing data to detect patterns or anomalies that could indicate a security threat. The video discusses how hypotheses guide the development of these analytics, which are then used to test the hypotheses and gather further evidence.

💡Malicious Actor

A malicious actor in the context of the video refers to an individual or entity that is suspected of carrying out unauthorized or harmful activities within a computer system or network. The script discusses the process of developing hypotheses to test for the presence of such actors and the evidence that might indicate their activities.

💡Iterative Process

An iterative process is one that is repeated several times, with each repetition allowing for refinement and improvement based on the results of the previous cycles. In the video, the creation and refinement of hypotheses is described as an iterative process that involves continuous updating based on new evidence and insights gathered during threat hunting.

💡False Positives

False positives occur when a security system incorrectly identifies a benign activity as malicious. The video script discusses the importance of refining hypotheses to minimize false positives, ensuring that the analytic tools developed are as accurate as possible in identifying real threats.

Highlights

Module 2 focuses on developing hypotheses and abstract analytics to explore for evidence of malicious actors.

Hypotheses guide data collection, analytic development and future hunting operations.

A hypothesis should be specific enough to be useful and help focus the problem.

Evidence from techniques, adversary behavior, and research should drive hypothesis development and refinement.

A good hypothesis is testable and can be proven or disproven through evidence.

Falsifiability is key - a hypothesis should be able to be disproven through testing.

Creating a hypothesis helps clarify thinking, reason about behavior, and bridge narrative to concrete analytics.

Hypothesis creation is an iterative process of continual updating and refinement based on evidence.

Evaluating falsifiability helps expose potential false alarm scenarios not captured initially.

A hypothesis should be written in plain language to facilitate reasoning and understanding.

Starting the hypothesis development process involves choosing a behavior and identifying evidence of malicious activity.

The example of burglars kicking open doors illustrates the need for specificity and falsifiability in hypotheses.

Continuous sensing and monitoring are required to gather evidence to support or refute a hypothesis.

Refined hypotheses should address identified nuances and focus on capturing malicious usage.

In the cyber example, the hypothesis evolves from 'if a task is scheduled' to 'if a non-admin user schedules a task'.

A solid hypothesis should be specific, evidence-driven, and falsifiable to effectively guide research.

Transcripts

00:00 Hello and welcome to Module 2, Developing Hypotheses and Abstract Analytics. This module will cover step two of the threat hunting methodology. In it we will develop and refine hypotheses and abstract analytics to explore hunting for evidence that indicates a malicious actor may be present. We will also discuss the purpose of and how to formulate abstract analytics, as well as how to leverage external resources to help with this effort.

00:27 During this step in the methodology we will use TTP insights to develop hypotheses that we can test during our hunt in order to make claims about malicious activity in an environment. The hypotheses developed in this step will guide our data collection requirements, analytic development and future hunting operations. Later on in the methodology we'll use the collected data and concrete analytics to test these hypotheses.

00:54 Hello and welcome to Lesson 2.1, Developing Hypotheses. In this lesson we will describe the purpose of and characteristics of a well-formed hypothesis.

01:08 So what is a hypothesis? The Oxford dictionary defines a hypothesis as a supposition or proposed explanation made on the basis of limited evidence as a starting point for further investigation. In other words, a hypothesis describes unproven but suspected ideas about why something may be happening.

01:30 A good hypothesis needs to meet certain criteria, the first of which is being specific enough to be useful. A hypothesis that is too vague doesn't help focus the problem enough to be adequately answerable, for example scoping what data to collect and what time frame to cover, amongst many other factors. Being more specific helps to hone in on a more focused statement to drive research, analysis and data collection.

01:55 A good hypothesis should also be evidence-driven. Throughout the process of crafting a hypothesis you should use as much evidence as possible, such as existing techniques and knowledge of adversary behavior in TTPs, as well as findings from your own research and hands-on investigation. Evidence should also drive hypothesis refinement to account for nuances not captured during initial development.

02:18 Your hypothesis should be framed in a way that can be tested to gain additional evidence. Here it is important to think about what type of evidence would support your initial claim as well as what evidence would refute it.

02:31 Finally, a good scientific hypothesis should be falsifiable, meaning it is able to be disproven through testing. An example that is not falsifiable would be "a malicious actor will use extreme stealth to operate in a way that will be indistinguishable from benign usage." Given the way the statement is written, there would be no evidence to examine if it were in fact correct, and thus it cannot be proven false.

02:56 So why should we care about taking the time to create hypotheses while threat hunting? Well, a good hypothesis helps clarify your thinking about what you're looking for. It also helps you reason about behavior in a natural way without getting bogged down in query syntax, and helps to bridge narrative information about behavior to concrete analytics.

03:17 A good hypothesis will provide focus for research, data collection and analytic development that allows for a deeper understanding of what an analytic does, what it means when an alert fires, and what can trigger false positives.

03:31 Hypothesis creation is truly an iterative process that allows for continual updating and refinement based on evidence. During this process, thinking through and evaluating the statement's falsifiability helps to expose potential false alarm scenarios that were not captured during initial development. These types of scenarios help to capture those nuances and drive hypothesis refinement in a way that focuses on malicious usage.

03:58 At this stage in the methodology a hypothesis should be written in plain, human-understandable language, as it helps facilitate reasoning and understanding in an abstract way that avoids the constraints of any specific query syntax. It also allows for sharing of thoughts and ideas, and allows for hypotheses to endure across changes in implementation such as query language or platform.

04:22 To begin this process, start by choosing a behavior and develop a hypothesis around what evidence would indicate that a malicious actor is exhibiting this behavior. Now let's walk through some examples.

04:34 In this first example we observe that burglars sometimes enter homes by kicking open locked doors to steal property. This may lead us to develop the hypothesis "if the door opens, a burglar is breaking in." As we can see, this hypothesis is much too vague, as it leaves lots of room for false positives. For example, if a homeowner enters, they may also open the door.

05:03 A better hypothesis would be "if the door opens while still locked, a burglar is breaking in." This statement is more specific, as it incorporates key elements of the malicious technique of kicking open locked doors. It's important to note that gathering the evidence to either support or refute this claim will require continuous sensing to determine if the door is open and if it is locked.

05:26 This statement is also falsifiable, in that evidence can be collected to show non-malicious opening of the door without it being unlocked. For example, emergency personnel such as a firefighter may open the door without unlocking it in response to a fire alarm. We would need to think through some more benign scenarios such as that one and try to address them in future iterations.

05:49 Going into our last iteration, we have refined our hypothesis to read "if the door opens while locked, but no 911 call has been made and no fire alarm is active, then a burglar is breaking in." This statement is still specific and attempts to address the nuances that we previously identified. It is also still falsifiable, as evidence can still be generated to disprove the claim, such as someone calling 911 while a burglar is in fact still breaking in. This statement, however, is much less likely to be false compared to earlier statements.

06:23 Now to move on to a cyber-related example. We have observed that adversaries maintain persistence on a compromised host by scheduling tasks, for example setting up malicious software to run at startup or some other specified time. We begin with the hypothesis that "if a task is scheduled, an adversary is establishing persistence." This statement is somewhat specific in that it incorporates key elements of the behavior, for example scheduling tasks, although it will also require continuous monitoring to determine if a task is being or has been scheduled. It is also falsifiable, in that evidence can be obtained of benign task scheduling, such as by a system administrator.

07:06 A refined hypothesis that takes this fact into account is "if a task is scheduled by a non-admin user, an adversary is establishing persistence." Again, the statement is still falsifiable but less likely to be false than the previous one. It also will not catch instances of a malicious task being scheduled by an administrator, which may be acceptable at this point, but a weakness of the hypothesis to keep in mind as we move forward.

07:33 In summary, a solid hypothesis should be specific, evidence-driven and falsifiable, and it is important to have a strong hypothesis, as it will guide the rest of your research.


Related tags
Threat Hunting, Hypothesis Development, Cybersecurity, Data Collection, Analytic Testing, Malicious Activity, Evidence-Driven, Security Methodology, TTP Insights, Abstract Analytics