Hypotheses Considerations


Time
3 hours 22 minutes
Difficulty
Intermediate
CEU/CPE
4
Video Transcription
>> Hello, and welcome to Lesson 2.2, Hypothesis Considerations. In this lesson, we will discuss how bias can occur in threat hunting, as well as how to recognize it. We'll also discuss considerations for choosing an attack technique on which to focus your hypothesis.

If you've already taken the MITRE ATT&CK Defender Cyber Threat Intelligence course, then you'll recall that it discusses cognitive biases, namely the bias present in the threat intelligence itself, as well as bias that we as users can introduce. While there are dozens of known types of cognitive biases, our goal in this section is not to memorize them all, but to go through some examples to keep in mind as we discuss ways to deal with bias in order to minimize its impact.

In threat intelligence reporting, and even in models such as ATT&CK, inherent biases can be present, and it is important to be aware of how they may present themselves. One example is visibility bias, which occurs when the threat intelligence produced by an organization is only focused on the subset of adversarial activity that they can detect, which may give a false impression of the full scope of the attack or activity. Other examples of bias that can occur are victim bias, where reports tend to focus on more high-profile victims and can be skewed based on what they actually allowed to be published, as well as novelty bias, where, for example, a flashy new adversary group may receive more coverage and attention than a longstanding one.

There are also several ways that bias can be introduced by the defenders themselves. As an example, availability bias can be introduced by a threat hunter who is relying only on the data that they currently have access to in order to prioritize techniques, or narrowly focusing on adversarial behaviors and techniques that they are already familiar with, which could give a false sense of the importance or urgency of the threat at hand. Another example is anchoring bias, which can cause the defender to lose out on a lot of useful information provided by other data sources, because they're solely focusing on those that have already been discussed or reported on. There are many more types of bias that can occur in this environment. I would encourage you to continue to learn about them, and how they could apply to threat hunting.

As threat hunters, we need to understand when we are making assumptions, explicitly document and share them with our team to validate them, and revisit them throughout our analytic development process. This is especially important when determining what activity to hunt for. For generating hypotheses, be specific about what you actually know from threat intelligence, what you're inferring, why you chose a particular hypothesis, what other hypotheses you discarded or deprioritized, and what you believe about the environment you are defending.

When choosing a technique, there are many things to consider, but what it essentially boils down to is getting a good return on your investment. We advise you to focus analytic efforts first on techniques that aren't already covered, are commonly used by adversaries, or would create a big impact if successfully used on your systems. Also select techniques that capitalize on existing data collection, documentation, or analytics, or that you anticipate will be relatively easy to implement and not trigger too many false alarms in your system, for example, techniques that typical users and system administrators don't employ. You'll have to think through and find a good balance between these characteristics to determine how to best focus your efforts.

Once you've chosen a technique, consider the following questions as you prepare to conduct your research. Keep in mind that you aren't alone in this work. Many security researchers have investigated techniques and published their findings and ideas. Read up on what others have done, so you don't end up doing redundant work. Check for any other existing analytics, mitigations, or other defensive ideas online associated with this behavior. ATT&CK, CAR, Sigma, the Threat Hunter Playbook, and countless others are freely available and often contain excellent information and specific analytics and mitigations for these malicious behaviors. Searching those first can help save you a lot of time and effort and may help highlight a gap that you can focus your time on. Engaging with the community on your ideas is also a great way to help improve your work. If you've discovered something new, you can share it with others. If there's a flaw with the approach, engagement can help uncover it early and save the trouble down the road.

In this course, we focus on a single technique at a time for simplicity. You should consider if there are precursor, follow-on, or correlated techniques to the one you're investigating. Think about grouping them together during your analytic approach. There may be two techniques that in isolation have a high false alarm rate, but when seen together, more likely indicate malicious activity. The converse may also be true. In both cases, grouping related techniques can help with precision and recall. In addition to techniques that an adversary may use in conjunction with each other, it's also worth examining other means through which an adversary can accomplish their goal. In other words, their plan B. What other techniques exist in the same tactic?

Another key item at this point is to define the scope of the behavior we want to examine, which we can do in the context of factors we'd like to support, such as platforms, implementations, and functionality. Limiting your scope to one or more platforms will help to focus our research towards relevant systems, which should be dictated by the environmental terrain. Scoping based on implementation method is also useful at this stage, as we may, for example, wish to exclude invocations that rely on deprecated commands or other methods not relevant to our systems. Finally, intended functionality is also a good scoping factor at this point, as it can help determine what types of behavior to include or exclude in your research, for example, whether or not to support remote execution. As you continue in this process, you may have to revisit this step and narrow or expand your scope as needed in order to ensure you're finding the correct behaviors that cover the full range of the technique in accordance with your terrain.

To summarize, it's important to be aware of biases when developing hypotheses and while you're conducting your research. Technique choice and hypothesis scoping are also important aspects of this process that will help set you up for success later on down the road.
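The precision and recall effect of grouping related techniques, as an added example that is not part of the course transcript: the telemetry, host names and technique labels A and B are constructed placeholders, and the ground-truth set stands in for what an investigation would later confirm.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample telemetry (not from the course): one row per technique
# observed on a host. Technique labels A and B are placeholders.
EVENTS = [
    ("2024-01-10T09:00:00", "ws01", "A"),
    ("2024-01-10T09:03:00", "ws01", "B"),  # A then B, three minutes apart
    ("2024-01-10T10:00:00", "ws02", "A"),  # an admin using A legitimately
    ("2024-01-10T11:00:00", "ws03", "B"),  # benign B on its own
    ("2024-01-10T12:00:00", "ws04", "A"),
    ("2024-01-10T14:00:00", "ws04", "B"),  # both present, but two hours apart
    ("2024-01-10T15:00:00", "ws05", "A"),
    ("2024-01-10T15:01:00", "ws05", "B"),  # A then B, one minute apart
    ("2024-01-10T16:00:00", "ws06", "A"),
    ("2024-01-10T16:30:00", "ws07", "B"),
    ("2024-01-10T17:00:00", "ws08", "A"),  # compromised, but B was never observed
]
MALICIOUS_HOSTS = {"ws01", "ws05", "ws08"}  # constructed ground truth, scoring only

def single_technique_hosts(events, technique):
    """Analytic that fires on any occurrence of one technique."""
    return {host for _, host, tech in events if tech == technique}

def grouped_technique_hosts(events, first, second, window=timedelta(minutes=10)):
    """Analytic that fires only when `first` is followed by `second` on one host within `window`."""
    by_host = defaultdict(list)
    for ts, host, tech in events:
        by_host[host].append((datetime.fromisoformat(ts), tech))
    flagged = set()
    for host, rows in by_host.items():
        rows.sort()  # chronological, so every t2 below is at or after t1
        for i, (t1, tech1) in enumerate(rows):
            if tech1 == first and any(
                tech2 == second and t2 - t1 <= window for t2, tech2 in rows[i + 1:]
            ):
                flagged.add(host)
                break
    return flagged

def precision_recall(flagged, truth):
    """Precision and recall of a flagged-host set against the ground-truth set."""
    tp = len(flagged & truth)
    return (round(tp / len(flagged), 3) if flagged else 0.0, round(tp / len(truth), 3) if truth else 0.0)

def compare_analytics():
    return {
        "A alone": precision_recall(single_technique_hosts(EVENTS, "A"), MALICIOUS_HOSTS),
        "B alone": precision_recall(single_technique_hosts(EVENTS, "B"), MALICIOUS_HOSTS),
        "A then B": precision_recall(grouped_technique_hosts(EVENTS, "A", "B"), MALICIOUS_HOSTS),
    }
```

On this sample the grouped analytic reaches full precision but loses recall: ws08 is missed because technique B was never observed there, which is the visibility gap the lesson warns about.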