A threat hunt hypothesis is a supposition or proposed explanation made on the basis of limited evidence from a security environment, and this proposed explanation is then used as a starting point for further investigation. A threat hunt hypothesis, much like a scientific hypothesis, is a statement of an idea or explanation to test against data, as seen in the following example:
Hypothesis: A threat actor can use bitasdmin.exe to download a file to an endpoint on the organization’s network.
The hunt hypothesis can be generated from a number of sources. These include but are not limited to new zero-day vulnerabilities, threat actor research, threat intelligence, security control gaps, incident reports, and many more sources. Regardless of the source, the foundations of a good hypothesis are Relevance and Testability:
Relevance – How does the hypothesis relate to organizational needs, current industry trends, and available data sources?
Testability – The data and tools available that may provide some chance of finding what is being sought within the hypothesis.
Looking for more information on Threat Hunting? Take a deep dive into Threat Hunting and a TTP-based hunt example with deepwatcher Adam Schmitz in his blog article: Threat Hunting in Splunk.↑