Just having raw data is not enough to conduct a meaningful hunt. Hunters must
use tools that provide a detailed picture of data like network traffic patterns, file
hashes, system and event logs, user activity, file operations and all other activities.
Detecting abnormal activities triggered by threat actors becomes easier if threat
hunters understand the baseline normal. Determining the organization’s
structure, its framework , business activities and user behaviors helps create
hypothesis to investigate anomalies.
Hypothesis formation and testing includes leveraging tools, frameworks, threat
intel and past experiences to quickly detect the root cause behind the threats
and efficiently respond to them. Some of the widely used threat intelligence
include Virus total, IBMM Xforce, and AlianVault.
The next step involves discovering malicious patterns in the data cycle and
uncovering the attacker’s TTPs with the help of various tools and techniques.
It helps validate the nature, impact, and scope of the generated hypothesis.
After uncovering any anomaly, it is essential to neutralize the threat with rapid response and remediation. In addition to protecting the system from a perceived threat, hunters must initiate measures that help prevent similar attacks in the future as well.
The last step includes using the discoveries made during an investigation to form a basis for automated analytics. This improves EDR systems and helps
analyze future incidents more effectively, compared to the knowledge base