2.1 Developing Hypotheses - MAD20 Threat Hunting & Detection Engineering Course

MAD20Tech
25 Apr 202407:45

Summary

TLDRThis module delves into developing hypotheses and abstract analytics in the threat hunting methodology. It emphasizes the importance of formulating testable hypotheses based on TTP insights and evidence, guiding data collection and analytic development. A good hypothesis should be specific, evidence-driven, and falsifiable, helping to focus research and reason about behavior naturally. The process involves iterative refinement to address nuances and false positives, ultimately aiding in identifying malicious activity.

Takeaways

  • πŸ”Ž The module focuses on developing and refining hypotheses and abstract analytics to explore for evidence of malicious activity.
  • πŸ“ A hypothesis is defined as a supposition or proposed explanation made on limited evidence as a starting point for further investigation.
  • πŸ“‹ A well-formed hypothesis should be specific, evidence-driven, testable, and falsifiable to guide data collection and analysis.
  • 🧐 Hypotheses are crafted using TTP insights and existing knowledge of adversary behavior to make claims about potential malicious activity.
  • πŸ” The development of hypotheses helps in focusing the research, data collection, and analytic development for a deeper understanding of the environment.
  • πŸ€” A hypothesis should be framed in a way that allows for testing to gain additional evidence and should consider what evidence would support or refute it.
  • 🚫 A hypothesis should be falsifiable, meaning it can be disproven through testing, avoiding statements that are indistinguishable from benign usage.
  • πŸ›  Hypothesis creation is an iterative process that involves continual updating and refinement based on evidence and evaluation of falsifiability.
  • πŸ“– Writing a hypothesis in plain language helps facilitate reasoning and understanding without being constrained by specific query syntax.
  • πŸ”‘ Hypotheses should be specific enough to avoid false positives and should incorporate key elements of the suspected malicious behavior.
  • πŸ”„ The process of hypothesis refinement involves considering benign scenarios and addressing them to focus on identifying actual malicious usage.

Q & A

  • What is the main focus of module two in the threat hunting methodology?

    -Module two focuses on developing and refining hypotheses and abstract analytics to explore hunting for evidence that indicates a malicious actor may be present.

  • What is the definition of a hypothesis according to the Oxford dictionary?

    -A hypothesis is defined as a supposition or proposed explanation made on the basis of limited evidence as a starting point for further investigation.

  • What are the criteria that a good hypothesis should meet?

    -A good hypothesis should be specific enough to be useful, evidence-driven, testable to gain additional evidence, and falsifiable, meaning it can be disproven through testing.

  • Why is it important to create a hypothesis that is specific?

    -A specific hypothesis helps to focus the problem, making it easier to scope data collection and analysis, and avoiding vagueness that could lead to inadequate answers.

  • How does a hypothesis help in the threat hunting process?

    -A hypothesis provides clarity in thinking about what is being looked for, helps reason about behavior naturally, and bridges narrative information about behavior to concrete analytics.

  • What is the purpose of creating a hypothesis in the context of threat hunting?

    -Creating a hypothesis helps to provide focus for research, data collection, and analytic development, allowing for a deeper understanding of what an analytic does and what can trigger false positives.

  • Why should a hypothesis be falsifiable in scientific terms?

    -A falsifiable hypothesis is one that can be disproven through testing, which is essential for scientific rigor and to avoid making claims that cannot be objectively evaluated.

  • What is an example of a hypothesis that is not falsifiable?

    -An example of a non-falsifiable hypothesis is 'a malicious actor will use extreme stealth to operate in a way that will be indistinguishable from benign usage,' as there would be no evidence to examine if the claim were correct.

  • How does the process of hypothesis refinement help in threat hunting?

    -Hypothesis refinement helps to account for nuances not captured during initial development and focuses on malicious usage, improving the accuracy and effectiveness of the hypothesis.

  • What should be the language of a hypothesis in the methodology stage?

    -A hypothesis should be written in plain, human-understandable language to facilitate reasoning and understanding without the constraints of specific query syntax and to allow for sharing of thoughts and ideas.

  • Can you provide an example of how to refine a hypothesis based on the script?

    -An initial hypothesis like 'if a task is scheduled, an adversary is establishing persistence' can be refined to 'if a task is scheduled by a non-admin user, an adversary is establishing persistence' to account for benign task scheduling by administrators.

Outlines

plate

This section is available to paid users only. Please upgrade to access this part.

Upgrade Now

Mindmap

plate

This section is available to paid users only. Please upgrade to access this part.

Upgrade Now

Keywords

plate

This section is available to paid users only. Please upgrade to access this part.

Upgrade Now

Highlights

plate

This section is available to paid users only. Please upgrade to access this part.

Upgrade Now

Transcripts

plate

This section is available to paid users only. Please upgrade to access this part.

Upgrade Now
Rate This
β˜…
β˜…
β˜…
β˜…
β˜…

5.0 / 5 (0 votes)

Related Tags
Threat HuntingHypothesis DevelopmentCybersecurityData CollectionAnalytic TestingMalicious ActivityEvidence-DrivenSecurity MethodologyTTP InsightsAbstract Analytics