Threat Hunting Hypothesis
Threat hunting is a proactive cybersecurity approach that focuses on actively searching for signs of malicious activities or potential security threats within an organization's network or systems. It goes beyond traditional cybersecurity practices that rely primarily on automated security tools and threat detection systems. Threat hunting involves human-driven analysis and investigation to identify threats that might otherwise go undetected.
A hypothesis is an educated guess or a proposed explanation for a phenomenon that can be tested and verified. In threat hunting, a hypothesis is a specific, testable statement about adversary activity that may already be present in the environment: what the adversary might be doing, how that activity would show up in the organization's data (for example in authentication, proxy, DNS or endpoint telemetry), and what evidence would confirm or refute it. Because it can be refuted, a hypothesis also tells the hunter when a line of inquiry is exhausted and it is time to move on. The ability to create effective hypotheses is a key component of successful threat hunting, as it helps hunters to focus their efforts and identify the most critical threats to the organization.
40 THREAT HUNTING HYPOTHESIS EXAMPLES
The attacker is exfiltrating data from our network over a specific port that has seen an increase in traffic in the past week.
The adversary is using a particular malware family to compromise our systems and a specific command and control server to communicate with the infected hosts.
The insider is intentionally leaking sensitive information to a competitor, based on a pattern of access to certain files and communication with the competitor's employees.
A group of attackers is attempting to gain access to our network through vulnerable or exposed remote access protocols.
The attacker is using a specific exploit to gain access to our systems and a particular tool to move laterally within our network.
The adversary is attempting to gain access to our systems through a zero-day vulnerability for which no patch is yet available.
A group of attackers is using a specific type of malware to mine cryptocurrency on our systems.
The adversary is using a particular ransomware family to compromise our systems and is targeting a specific group of employees with the ransom demands.
The attacker is using a particular type of denial of service attack to disrupt our systems and is targeting a specific group of users.
A new strain of malware is being distributed through email attachments.
A group of compromised devices is communicating with a known command and control server.
The adversary is attempting to escalate privileges on targeted systems.
The insider is attempting to access and steal sensitive data.
The adversary is using a specific type of encryption to evade detection.
A specific user account has been the source of multiple network intrusions.
An increase in the number of failed login attempts suggests a brute force attack.
Unusual outbound network traffic could indicate data exfiltration.
A sudden drop in system performance could indicate malware activity.
An increase in the number of newly created user accounts could suggest a breach.
Unexplained changes to system or user permissions could indicate malicious activity.
An increase in the number of application or system error messages could indicate an attack in progress.
Unusually large file transfers could suggest data exfiltration.
The adversary is using a specific spearphishing technique to gain initial access.
A botnet is being used to attack our infrastructure.
A misconfiguration in a cloud service is being exploited.
A specific user account is being targeted for privilege escalation.
The threat actor is using a new technique for evading detection.
There are unusual patterns in user login times, especially outside of typical business hours.
There are new or unexpected service accounts in the network.
There have been unauthorized changes to critical system files or configurations.
There is an increase in suspicious PowerShell or scripting activity on endpoints.
There have been unauthorized changes to firewall or access control rules.
There have been unauthorized changes to Active Directory Group Policy.
There are unusual patterns in system or application logs.
There have been changes to DNS records that could indicate domain hijacking.
Unauthorized database queries or bulk data extraction are taking place.
There are signs of unauthorized or suspicious USB device connections.
There are unusual logins from geographically distant locations.
There are indications of malware persistence techniques, such as registry Run key changes.
There are signs of privilege escalation attempts.
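A hypothesis from the list is only useful once it says what evidence would confirm or refute it. As an added example (not part of the original page, and not from any particular tool), the script below turns "an increase in the number of failed login attempts suggests a brute force attack" into a two-step test over an authentication log: first compare each day's failure count with a trailing baseline, then attribute any spike to source addresses, since a spike that cannot be tied to a source pattern does not support the hypothesis. The log format, the constructed sample log, the thresholds and the addresses (10.0.0.0/8 for internal hosts, 203.0.113.7 from a documentation range) are all assumptions made for illustration.

```python
"""Added example: testing the hypothesis "an increase in failed login attempts
suggests a brute force attack" against a constructed authentication log."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def build_sample_log(include_burst: bool = True) -> str:
    """Constructed sample log (assumed format): one event per line as
    <ISO-8601 timestamp> <user> <source_ip> <SUCCESS|FAILURE>.
    Seven quiet days with one to three typo-style failures each, then a day on
    which one external address fails once against each of 40 accounts."""
    lines = []
    day0 = datetime(2024, 3, 4)
    for d in range(8):
        day = day0 + timedelta(days=d)
        for i, user in enumerate(("alice", "bob", "carol")):
            t = day.replace(hour=8, minute=30 + i)
            lines.append(f"{t.isoformat()} {user} 10.0.0.{12 + i} SUCCESS")
        for k in range(d % 3 + 1):  # bob mistypes his password 1-3 times a day
            t = day.replace(hour=9, minute=5 + k)
            lines.append(f"{t.isoformat()} bob 10.0.0.13 FAILURE")
    if include_burst:
        burst_day = day0 + timedelta(days=7)
        for n in range(40):  # 40 accounts, one failure each, 15 s apart at 02:10
            t = burst_day.replace(hour=2, minute=10) + timedelta(seconds=15 * n)
            lines.append(f"{t.isoformat()} user{n:02d} 203.0.113.7 FAILURE")
    return "\n".join(lines)


def parse_log(text: str) -> list:
    """Parse the assumed log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "failed": result == "FAILURE"})
    return events


def daily_failures(events) -> dict:
    """Failed logins per calendar day; a day with only successes counts as 0."""
    counts = {}
    for e in events:
        d = e["ts"].date()
        counts[d] = counts.get(d, 0) + (1 if e["failed"] else 0)
    return dict(sorted(counts.items()))


def flag_spike_days(daily: dict, sigma: float = 3.0,
                    min_baseline_days: int = 3, min_count: int = 10) -> list:
    """Step 1: compare each day with the trailing baseline of all earlier days.
    A day is flagged when its count exceeds both mean + sigma * stdev and an
    absolute floor; the floor stops a zero-variance baseline (say, exactly one
    failure every day) from flagging a meaningless 2-vs-1 change."""
    flagged = []
    days = list(daily)
    for i, day in enumerate(days):
        prior = [daily[d] for d in days[:i]]
        if len(prior) < min_baseline_days:
            continue
        threshold = max(mean(prior) + sigma * pstdev(prior), min_count)
        if daily[day] > threshold:
            flagged.append((day, daily[day], round(threshold, 1)))
    return flagged


def attribute_sources(events, day, min_users: int = 5, min_failures: int = 10) -> list:
    """Step 2: a spike is evidence only once it is attributable. Group the day's
    failures by source: one source failing against many distinct accounts is the
    password-spray signature, many failures from one source against one account
    is classic brute force. Scattered typos match neither and are dropped."""
    by_src = defaultdict(lambda: {"failures": 0, "users": set()})
    for e in events:
        if e["failed"] and e["ts"].date() == day:
            by_src[e["src"]]["failures"] += 1
            by_src[e["src"]]["users"].add(e["user"])
    suspects = [(src, v["failures"], len(v["users"])) for src, v in by_src.items()
                if len(v["users"]) >= min_users or v["failures"] >= min_failures]
    return sorted(suspects, key=lambda s: s[1], reverse=True)


def hunt_brute_force(log_text: str) -> dict:
    """Run both steps; an empty result means the hypothesis is not supported."""
    events = parse_log(log_text)
    findings = {}
    for day, count, threshold in flag_spike_days(daily_failures(events)):
        findings[day.isoformat()] = {"failures": count, "threshold": threshold,
                                     "suspects": attribute_sources(events, day)}
    return findings


if __name__ == "__main__":
    for day, f in hunt_brute_force(build_sample_log()).items():
        print(f"{day}: {f['failures']} failures (threshold {f['threshold']})")
        for src, fails, users in f["suspects"]:
            print(f"  {src}: {fails} failures against {users} distinct accounts")
```

Running it on the constructed log flags 2024-03-11 with 42 failures against a threshold of 10 and attributes the spike to 203.0.113.7, which failed against 40 distinct accounts; running it with `include_burst=False` returns nothing, which is the "hypothesis refuted, move on" outcome. The two-step shape is the point: the baseline comparison alone would also fire on a help-desk password reset day, so the attribution step is what turns an anomaly into evidence for or against the adversary behaviour the hypothesis names.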
By providing organizations and hunters with a starting point, a list of threat hunting hypothesis examples can help to overcome the challenge of hypothesis creation and improve threat hunting efforts.