CYBER HUNT OVERVIEW
SERVICE METHODOLOGY
Cyber Hunting is an iterative process that should be carried out in a loop to continuously look for adversaries hidden in vast datasets. Hunting begins with a hypothesis and should be carried out based on questions that the analyst wants to answer. Sqrrl’s Threat Hunting framework defines three types of hypotheses:
- Intelligence-Driven: Created from threat intelligence reports, threat intelligence feeds, malware analysis, vulnerability scans
- Situational-Awareness Driven: Crown Jewel analysis, enterprise risk assessments, company- or employee-level trends
- Analytics-Driven: Machine-learning and User and Entity Behavior Analytics, used to develop aggregated risk scores that can also serve as hunting hypotheses
The outcomes of hunting trips, including newly discovered Indicators of Compromise (IoCs) and Tactics, Techniques and Procedures (TTPs), should be stored and used to enrich automated detection systems and analytics. Strengthening your automated detection systems is the ultimate goal of hunting.
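The loop described above, as an added illustration that is not the service's or Sqrrl's own code: hypotheses of the three kinds are checked against telemetry, findings that automated detection missed are surfaced, and the resulting IoCs and TTPs are written back into the detection layer so the next batch is caught without a hunter. Event fields, the hypothesis predicates and the sample telemetry are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

Event = Dict[str, str]

# Constructed sample telemetry (assumed schema, not real data): one outbound connection each.
EVENTS: List[Event] = [
    {"host": "ws01", "process": "outlook.exe",    "dest_ip": "203.0.113.5"},
    {"host": "ws02", "process": "powershell.exe", "dest_ip": "198.51.100.7"},
    {"host": "ws03", "process": "winword.exe",    "dest_ip": "203.0.113.5"},
    {"host": "ws04", "process": "excel.exe",      "dest_ip": "192.0.2.9"},
    {"host": "srv01", "process": "svchost.exe",   "dest_ip": "10.0.0.8"},
]


@dataclass
class Hypothesis:
    kind: str                       # intelligence-, situational-awareness- or analytics-driven
    question: str                   # what the analyst wants to answer
    test: Callable[[Event], bool]   # how the hypothesis is checked against one event


@dataclass
class DetectionStore:
    """The automated detection layer that each hunting trip enriches."""
    iocs: Set[str] = field(default_factory=set)                        # known-bad destinations
    ttps: List[Callable[[Event], bool]] = field(default_factory=list)  # behavioural rules

    def detects(self, event: Event) -> bool:
        return event["dest_ip"] in self.iocs or any(rule(event) for rule in self.ttps)


def hunt(hyp: Hypothesis, events: List[Event], store: DetectionStore) -> List[Event]:
    """One hunting trip: return events the hypothesis matches but automation missed,
    then store the newly confirmed IoCs and the hypothesis itself as a TTP rule."""
    findings = [e for e in events if hyp.test(e) and not store.detects(e)]
    for e in findings:
        store.iocs.add(e["dest_ip"])      # newly discovered IoC
    if findings:
        store.ttps.append(hyp.test)       # the matched behaviour becomes an automated rule
    return findings


def run_loop(hypotheses: List[Hypothesis], batches: List[List[Event]],
             store: DetectionStore) -> List[Tuple[str, List[str]]]:
    """Iterate the hunt: every batch of telemetry is hunted with every hypothesis."""
    report = []
    for batch in batches:
        for hyp in hypotheses:
            report.append((hyp.kind, [e["host"] for e in hunt(hyp, batch, store)]))
    return report
```

On the second batch both hypotheses return no findings: the IoC and the behavioural rule learned from the first trip now fire in the detection store before the hunter sees the events.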