Developing Hypotheses


Time: 2 hours 25 minutes
Difficulty: Intermediate
CEU/CPE: 3
Video Transcription
>> Hello and welcome to Module 2, developing hypotheses and abstract analytics. This module will cover Step 2 of the threat hunting methodology. In it, we will develop and refine hypotheses and abstract analytics to explore hunting for evidence that indicates some malicious actor may be present. We will also discuss the purpose of and how to formulate abstract analytics, as well as how to leverage external resources to help with this effort. During this step in the methodology, we will use TTP insights to develop hypotheses that we can test during our hunt, in order to make claims about malicious activity in an environment. The hypotheses developed in this step will guide our data collection requirements, analytic development, and future hunting operations. Later on in the methodology, we'll use the collected data and concrete analytics to test these hypotheses.

Hello and welcome to Lesson 2.1, developing hypotheses. In this lesson, we will describe the purpose of and the characteristics of a well-formed hypothesis.

What is a hypothesis? The Oxford Dictionary defines a hypothesis as "a supposition or proposed explanation made on the basis of limited evidence as a starting point for further investigation." In other words, a hypothesis describes unproven but suspected ideas about why something may be happening.

A good hypothesis needs to meet certain criteria, the first of which is being specific enough to be useful. A hypothesis that is too vague doesn't help focus the problem enough to be adequately answerable, for example, scoping what data to collect and what time frame to cover, amongst many other factors. Being more specific helps to home in on a more focused statement to drive research, analysis, and data collection.

A good hypothesis should also be evidence-driven. Throughout the process of crafting a hypothesis, you should use as much evidence as possible, such as existing techniques and knowledge of adversary behavior and TTPs, as well as findings from your own research and hands-on investigation. Evidence should also drive hypothesis refinement to account for nuances not captured during initial development. Your hypothesis should be framed in a way that can be tested to gain additional evidence. Here it is important to think about what type of evidence would support your initial claim, as well as what evidence would refute it.

Finally, a good scientific hypothesis should be falsifiable, meaning it is able to be disproven through testing. An example that is not falsifiable would be, "a malicious actor will use extreme stealth to operate in a way that will be indistinguishable from benign usage." Given the way the statement is written, there would be no evidence to examine if it were in fact correct, and thus it cannot be proven false.

Why should we care about taking the time to create hypotheses while threat hunting? Well, a good hypothesis helps clarify your thinking about what you're looking for. It also helps you reason about behavior in a natural way without getting bogged down in query syntax, and helps to bridge narrative information about behavior to concrete analytics. A good hypothesis will provide focus for research, data collection, and analytic development that allows for a deeper understanding of what an analytic does, what it means when an alert fires, and what can trigger false positives.

Hypothesis creation is truly an iterative process that allows for continual updating and refinement based on evidence. During this process, thinking through and evaluating the statement's falsifiability helps to expose potential false alarm scenarios that were not captured during initial development. These types of scenarios help to capture those nuances and drive hypothesis refinement in a way that focuses on malicious usage.

At this stage in the methodology, a hypothesis should be written in plain, human-understandable language, as it helps facilitate reasoning and understanding in an abstract way that avoids the constraints of any specific query syntax. It also allows for sharing of thoughts and ideas, and allows for hypotheses to endure across changes in implementation, such as query language or platform. To begin this process, start by choosing a behavior and develop a hypothesis around what evidence would indicate that a malicious actor is exhibiting this behavior.

Now let's walk through some examples. In this first example, we observe that burglars sometimes enter homes by kicking open locked doors to steal property. This may lead us to develop the hypothesis, "if the door opens, a burglar is breaking in." As we can see, this hypothesis is much too vague, as it leaves lots of room for false positives. For example, if the homeowner enters, they may also open the door. A better hypothesis would be, "if the door opens while still locked, a burglar is breaking in." This statement is more specific, as it incorporates key elements of the malicious technique of kicking open locked doors.

It's important to note that gathering the evidence to either support or refute this claim will require continuous sensing to determine if the door is open and if it is locked. This statement is also falsifiable, in that evidence can be collected to show non-malicious opening of the door without it being unlocked. For example, emergency personnel, such as a firefighter, may open the door without unlocking it in response to a fire alarm. We would need to think through some more benign scenarios such as that one, and try to address them in future iterations.

Going into our last iteration, we have refined our hypothesis to read, "if the door opens while locked, but no 911 call has been made and no fire alarm is active, then a burglar is breaking in." This statement is still specific and attempts to address the nuances that we previously identified. It is also still falsifiable, as evidence can still be generated to disprove the claim, such as someone calling 911 while a burglar is in fact still breaking in. This statement, however, is much less likely to be false compared to earlier statements.

Now to move on to a cyber-related example, we have observed that adversaries maintain persistence on a compromised host by scheduling tasks, for example, setting up malicious software to run at startup or some other specified time. We begin with the hypothesis that if a task is scheduled, an adversary is establishing persistence. This statement is somewhat specific in that it incorporates key elements of the behavior, for example, scheduling tasks, although it will also require continuous monitoring to determine if a task is being, or has been, scheduled. It is also falsifiable, in that evidence can be obtained of benign task scheduling, such as by a system administrator.

A refined hypothesis that takes this fact into account is, "if a task is scheduled by a non-admin user, an adversary is establishing persistence." Again, the statement is still falsifiable, but less likely to be false than the previous one. It also will not catch instances of a malicious task being scheduled by an administrator, which may be acceptable at this point, but is a weakness of the hypothesis to keep in mind as we move forward.

In summary, a solid hypothesis should be specific, evidence-driven, and falsifiable. It is important to have a strong hypothesis, as it will guide the rest of your research.
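The scheduled-task hypothesis from the lesson, carried through to the concrete analytics the transcript says come later in the methodology. This is an added example and is not code from the course: each iteration of the plain-language hypothesis is encoded as a predicate over constructed "scheduled task created" records (the field names, the `is_admin` flag and every sample event are assumptions, loosely modelled on Windows Security event 4698), and each predicate is scored against a ground-truth label so that the benign events it matches surface as the counterexamples that falsify the claim, and the malicious events it misses surface as the known weakness (the admin-scheduled task). A third iteration, v3, is added here to show one further refinement; it does not appear in the transcript.

```python
"""Encode each iteration of the 'scheduled task' hypothesis as a predicate and
score it against constructed events. Added example; all data is constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class TaskCreatedEvent:
    """One 'scheduled task created' record. Field names are assumptions,
    loosely modelled on Windows Security event 4698."""
    host: str
    user: str
    is_admin: bool    # assumed to be resolved by the collector from group membership
    task_name: str
    action: str       # program the task runs
    malicious: bool   # ground-truth label, used only to score the hypothesis


# Constructed sample telemetry (not real data). Two events are malicious: a
# user-context implant in AppData, and an abuse of an administrator account.
EVENTS: List[TaskCreatedEvent] = [
    TaskCreatedEvent("ws01", "jdoe", False, r"\Updater",
                     r"C:\Users\jdoe\AppData\Roaming\svc.exe", True),
    TaskCreatedEvent("ws02", "asmith", False, r"\Adobe Acrobat Update Task",
                     r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe", False),
    TaskCreatedEvent("srv01", "admin.bob", True, r"\Backups\Nightly",
                     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File C:\Scripts\backup.ps1", False),
    TaskCreatedEvent("srv01", "admin.bob", True, r"\Microsoft\Windows\Shell\Sync",
                     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -enc SQBFAFgA", True),
    TaskCreatedEvent("ws03", "SYSTEM", True, r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan",
                     r"C:\Windows\System32\usoclient.exe StartScan", False),
    TaskCreatedEvent("ws04", "mwilson", False, r"\Reminder",
                     r"C:\Users\mwilson\Documents\remind.bat", False),
]


def _in_trusted_dir(action: str) -> bool:
    """Assumption for v3: the program lives under the standard install roots."""
    return action.lower().startswith((r"c:\program files", r"c:\windows"))


Hypothesis = Callable[[TaskCreatedEvent], bool]

# Each plain-language hypothesis from the lesson, plus one extra refinement (v3).
HYPOTHESES: Dict[str, Tuple[str, Hypothesis]] = {
    "v1": ("if a task is scheduled, an adversary is establishing persistence",
           lambda e: True),
    "v2": ("if a task is scheduled by a non-admin user, an adversary is establishing persistence",
           lambda e: not e.is_admin),
    "v3": ("v2, and the task runs a program outside Program Files / Windows (added refinement)",
           lambda e: not e.is_admin and not _in_trusted_dir(e.action)),
}


@dataclass
class Score:
    true_positives: int = 0
    false_positives: int = 0
    false_negatives: int = 0
    counterexamples: List[str] = field(default_factory=list)  # benign events that matched
    missed: List[str] = field(default_factory=list)           # malicious events not matched


def evaluate(hypothesis: Hypothesis, events: Iterable[TaskCreatedEvent]) -> Score:
    """Test one hypothesis: matches on benign events are the evidence that
    falsifies it and should drive the next refinement."""
    score = Score()
    for e in events:
        label = f"{e.user} created {e.task_name} on {e.host}"
        hit = hypothesis(e)
        if hit and e.malicious:
            score.true_positives += 1
        elif hit and not e.malicious:
            score.false_positives += 1
            score.counterexamples.append(label)
        elif not hit and e.malicious:
            score.false_negatives += 1
            score.missed.append(label)
    return score


def evaluate_all(events: Iterable[TaskCreatedEvent] = EVENTS) -> Dict[str, Score]:
    events = list(events)
    return {name: evaluate(pred, events) for name, (_, pred) in HYPOTHESES.items()}


if __name__ == "__main__":
    for name, score in evaluate_all().items():
        print(f"{name}: {HYPOTHESES[name][0]}")
        print(f"  TP={score.true_positives} FP={score.false_positives} FN={score.false_negatives}")
        for c in score.counterexamples:
            print(f"  falsified by: {c}")
        for m in score.missed:
            print(f"  missed:       {m}")
```

On the constructed data, v1 fires on everything (four false positives), v2 halves the false positives but now misses the task created under the administrator account, which is exactly the weakness the lesson tells you to keep in mind, and v3 trims one more benign case at no further cost. The point is the workflow, not these particular numbers: keep the hypothesis readable as a sentence, keep a labelled set of benign and malicious cases, and let the counterexamples decide what the next iteration needs to exclude.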