SECURITY

Hypothesis-Driven Hunting with the PEAK Framework

David Bianco By David Bianco May 08, 2023

Picture yourself as a cyber detective, ready to uncover the hidden threats lurking in the shadows of your organization's network. Sounds exciting, right? Well, hypothesis-driven hunting is all about channeling your inner Hercule Poirot to stay one step ahead of adversaries working against you. 

The PEAK threat hunting framework identifies three primary types of hunts:

  • Hypothesis-Driven Hunts
  • Baseline Hunts
  • Model-Assisted Threat Hunts (M-ATH)

In this post, we’re going to look at hypothesis-driven hunting in detail. This method serves as a starting point for many hunters, as it encourages critical thinking and proactive investigation. 

Creating Hunting Hypotheses

As we wrote in our introduction to the PEAK framework, hypothesis-driven hunting is “the classic approach, where hunters form a supposition about potential threats and their activities that may be present on the organization’s network, then use data and analysis to confirm or deny their suspicions.” If you remember your grade-school science class, you might recall that hypotheses are a key component of the scientific method, and that’s not by accident! 

A hunting hypothesis is the foundation upon which your cyber detective journey is built. Think of it as the central hunch or educated guess that guides your investigation based on your intuition, experience, and research. Crafting a solid hunting hypothesis requires a delicate blend of creativity and analytical thinking. 

There are three steps to creating a good hypothesis:

  1. Come up with a topic: To create a good hypothesis, start by identifying a specific area of concern. This is not yet a hypothesis; we refer to it as a hunting topic. Draw on your understanding of the threat landscape, recent incidents, and emerging trends to pinpoint potential risks inside your network. Maybe research some of the priority threat actors targeting your industry to find key behaviors that your automated detection systems could use a little help with. However you go about it, the first step is to figure out what type of activity you want to look for.
  2. Make it testable: Once you figure out what you’d like to look for, state it as a testable hypothesis (i.e., one that you can either prove or disprove). Assume, for example, that your hunt topic is “data exfiltration.” Hypotheses must be testable, and looking for all possible types of exfiltration probably isn’t feasible, so we’ll restate it using a specific type of exfiltration: "A threat actor may be exfiltrating sensitive data using DNS tunneling." 
  3. Refine as necessary: By itself, this is a perfectly fine hypothesis, but large organizations might still consider this to be somewhat untestable. Let’s further refine this to: "A threat actor may be exfiltrating sensitive financial data using DNS tunneling." This hypothesis is testable because we know what kind of data exfiltration we’re looking for and what type of data it might involve. We’ve narrowed things down from “any kind of data, exfiltrated by any means” to something that’s actually huntable.

Hypothesis generation can be tricky, especially at first. If you get stuck, this paper on crafting hypotheses or this one on identifying priority targets can give you some ideas on where to start.

One more important note: just like in science, a hypothesis isn't set in stone – be prepared to adapt and refine it again as new insights emerge during your investigation. More on this below!

Are You ABLE to Hunt?

Even though you now have a clear and testable hypothesis, you still need to know a few things before you can start hunting, such as possible indicators of the activity, data source(s) you need to examine, and in which parts of the network you might expect to observe it. 

PEAK incorporates the ABLE framework to help you capture the critical pieces of your hunting hypothesis:

  • Actor: The threat actor, or sometimes the general type of threat actor, you are looking for. Many things are not tied to a specific actor, so you won’t always need to specify this part, but if you do, it can supply valuable context to help with the rest of your hunt.
  • Behavior: The specific activity you’re trying to find, sometimes called TTPs (Tactics, Techniques, and Procedures). Instead of hunting for an entire Kill Chain’s worth of behavior, focus on one or two pieces at a time. 
  • Location: The part(s) of your organization’s network where you would expect to find the behavior (e.g., end-user desktops or Internet-facing web servers). A proper location helps narrow the scope of your hunt, making it easier and more efficient.
  • Evidence: A combination of which data source(s) you’d need to consult to find the activity and what it would look like if the activity were present. You’ll need to know these when planning your data collection as well as when creating your analysis strategy.

Example: Using ABLE to hunt DNS Exfiltration

An example might help make this more clear. Let’s revisit our example hypothesis: "A threat actor may be exfiltrating sensitive financial data using DNS tunneling." We can break this down using the ABLE framework:

  • Actor: In this case, we're not dealing with a specific threat actor. Financial data would be appealing to a lot of cybercriminals. If, for example, we were concerned that PIFFLING PANGOLIN might be stealing our data, knowing more about the actor might provide us clues to aid in our hunt, such as known C2 domains or specific tools they use for DNS tunnels. But in this case, we don’t have a particular actor, or even type of actor, and that’s fine.
  • Behavior: The behavior we're hunting for is data exfiltration through DNS tunneling. By focusing on this specific tactic, we can narrow down our investigation and concentrate on identifying relevant indicators of compromise.
  • Location: Our hypothesis suggests that the finance department is being targeted. This helps us pinpoint the area of the network that we need to scrutinize, making our hunt more efficient and effective.
  • Evidence: To detect DNS tunneling, we'll need to examine DNS query logs or full passive DNS logs, if you have them. Knowing this, we can develop an analysis strategy that involves looking for unusually large or frequent DNS queries, odd DNS query types, or indicators of known DNS tunneling tools.

With the ABLE framework applied to our hunting hypothesis, we’re beginning to see the outline of an actionable hunt plan: 

  • Gather DNS logs for hosts associated with the finance department (user desktops and servers hosting financial applications). 
  • Look for unusually large queries or responses since those are typical indicators of DNS tunneling. 
  • Identify the DNS record types associated with “normal” traffic and then investigate any queries involving unusual record types. 
  • Research some of the existing DNS tunneling tools and look for their unique network artifacts (hello, Pyramid of Pain!). 

Hypothesis-Driven Hunting with PEAK

With our trusty hypothesis in hand and having applied the ABLE framework, we’re ready to proceed through the three phases of the hunt: Prepare, Execute, and Act. Each phase plays a crucial role in unraveling the mysteries hidden in the depths of your network, guiding you from the initial planning stages to the final act of sharing your hard-earned findings. Let’s take a look at each phase in detail.

The PEAK Hypothesis-Driven Hunting Process

Phase 1. Prepare: Setting the Stage for Your Hunt

The “Prepare” phase is where you do all the things necessary to maximize your chances of a successful hunt. If you’ve read through the article this far, you’ve already started preparing! 

Select Topic: The first step is to choose a juicy topic that piques your interest. It’s not a full hypothesis yet but will be used to develop one. For example, our sample topic was “data exfiltration.”

Research Topic: With your topic in hand, it's time to hit the books (or the internet, rather). Gather all the information you can to become a subject-matter expert. Knowledge is power (or if you prefer, “knowing is half the battle!”). Continuing with the DNS example above, you might:

  • Learn about typical data exfiltration mechanisms and tools. 
  • Find out how your organization already detects exfiltration and what detection gaps you might have. 
  • Perhaps someone has even published a sample hunt that you could adapt to give you a head start. 
  • If you have a specific threat actor in mind, maybe find out their preferred techniques or tools (your CTI team or intel vendor would be a good resource here).

Generate Hypothesis: Based on your research, craft a hypothesis about the potential threats and their activities in your organization's network. Make sure it’s something testable, such that it’s actually possible for you to either confirm or refute while hunting. Our sample hypothesis is “A threat actor may be exfiltrating sensitive financial data using DNS tunneling.”

Scope Hunt: Define the boundaries of your investigation by identifying the systems, data, and timeframes to examine. You may also want to consider setting a maximum hunt duration (e.g., “I’ll hunt this for three days and if I don’t find anything malicious, it’s probably not happening”). The ABLE “Location” and “Evidence” are key pieces of the hunt’s scope. 

Plan: Using what you learned from your research as well as the ABLE data, outline the tools, techniques, and resources you'll need to validate your hypothesis. How exactly will you gather the data you need? Which analytic techniques will you use to find the activity you’re searching for? If you have a hunt team (as opposed to an individual hunter), who’s doing which part(s) of the hunt? Making a good plan helps to ensure the execution (the next phase) goes smoothly, so it’s worth spending a little time here.

Phase 2. Execute: Rooting Out the Bad Guys

The “Execute” phase is where you implement your hunt plan. Although some would consider this where the “real hunting” happens, it’s important to understand that a hunt cannot be successful and impactful without all three phases. It’s all real!

Gather Data: With your plan in place, it's time to collect the evidence and bring it all back into one place for analysis. In some cases, this may have already happened (for example, if you’re already ingesting the DNS logs you need into a Splunk index). In other cases, you might have to identify the specific server(s) and locations on disk from which to collect the data. 

Pre-Process Data: Sadly, the data we need isn’t always quite ready for analysis, especially if we had to collect it ourselves. We might need to: 

  • Convert it to a different format (e.g., JSON to CSV)
  • Normalize equivalent logs from two different solutions into a common schema
  • Throw out records with missing or nonsensical values. 

Making sure that our data is clean and consistent will make the analysis much easier!

Analyze: Now it’s time to dive into the data to look for patterns, anomalies, or evidence that supports or refutes your hypothesis. This is where your intuition and analytical skills truly shine. There are many options when it comes to analytic techniques, including least/most frequency of occurrence, clustering, and visualization. 

We’ll have more to say about specific analytic techniques in future blogs, but for now, just know that most threat hunters pick up new analytic techniques the way mechanics accumulate wrenches. The more hunting you do, the bigger your toolbox will grow and the better you’ll be at picking the right technique for the job.

Refine Hypothesis: When your analysis reveals new insights or fails to find what you were looking for, don't hesitate to revise. This is a normal and expected part of threat hunting. We don’t always hit the mark the first time, so one or more rounds of hypothesis refinement will often be necessary. 

Escalate Critical Findings: Should you be lucky enough to find likely or confirmed malicious activity during your hunt, escalate it immediately to the incident response team for swift action. After all, time is of the essence in the world of cybersecurity.

Phase 3. Act: Wrapping Up the Investigation

All the detailed planning and expert execution won’t matter a whit if you can’t capture and act on the knowledge gained from your hunt. That’s what the “Act” phase is all about! 

Preserve Hunt: Don't let your hard work go to waste. Archive your hunt, including the data, tools, and techniques used, for future reference or to share with other cyber sleuths. Many hunt teams use wiki pages to write up each hunt, including links to the data, descriptions of the analysis process, and summaries of key findings or metrics. 

It is quite common for hunters to refer to past hunts when confronted with similar hunts later on, so do future-you a favor and take some time to save your work for posterity.

Document Findings: Write up a detailed report on your findings, including whether you validated or disproved your hypothesis, data or detection gaps you found, misconfigurations you identified, and of course, any potential incidents you escalated. This is the “so what?” of your entire hunt. These findings, and the actions your security team takes to address them, are one of the key drivers for continuous improvement of your organization’s security posture.

Create Detections: Convert your findings into production detection rules or signatures to help catch similar threats in the future. Or, send your detailed findings to the detection engineers if that’s how your organization rolls. Either way, using hunts to improve automated detection is the other key driver behind continuous improvement of your security posture. 

Re-Add Topic to Backlog: As hunters, we’ll often uncover new avenues for exploration while we’re already in the midst of a hunt. Stay focused, but take note of those potential new ideas because they can become new topics or hypotheses for future hunting! If your team keeps a slush pile or backlog of potential hunts (and they should!), add them so you can revisit them later.

Communicate Findings: To keep up the detective metaphor, this would be the equivalent of Hercule Poirot gathering everyone in the drawing room for the big reveal. Share your discoveries with relevant stakeholders to improve overall security posture. Maybe the findings for each hunt are emailed to the SOC leadership and the owners of the systems/data involved. Perhaps you hold a hunt briefing for the security team once a month. Find the communication format that works best for your team as well as your stakeholders. After all, knowledge is most powerful when shared.

Conclusion

Hypothesis-driven threat hunting is an effective and engaging approach that combines human intuition, creativity, and analytical skills to bolster your organization's network security. 

By generating a solid hunting hypothesis and applying ABLE to break it down into an actionable hunting plan, you establish a strong foundation for a successful hunt. The PEAK framework's Prepare, Execute, and Act phases guide you through the process, ensuring a well-structured, focused, and effective hunt. Embrace the power of hypothesis-driven hunting and embark on a journey to protect your organization's digital assets more effectively. 

Happy hunting!

David Bianco
Posted by

David Bianco

David is a member of Splunk's SURGe team, where he conducts research in incident detection and response, threat hunting, and Cyber Threat Intelligence (CTI). He is also a SANS Certified Instructor, where he teaches FOR572 Network Forensics and Threat Hunting.

TAGS
SURGe
Show All Tags
Show Less Tags