Replies: 1 comment 2 replies
-
|
A very useful thought and an interesting question. This makes me to think about something: when a hunter has a library of huntbooks, each of which hunts against a specific hypothesis/APT, could a system partially evaluate each huntbook to see how likely one of them matches the observed data in the select organization? If this is the vision, I think the most challenging parts currently are:
|
Beta Was this translation helpful? Give feedback.
-
|
What if the library of hunt books is aligned with the TTP numbering system in the ATT&CK Framework? Then threat analysts and defenders can easily identify them with a cataloging system they are already familiar with. |
Beta Was this translation helpful? Give feedback.
-
|
Yeah, I assume they are. More precisely, each huntbook is supposed to be tagged with a hypothesis/APT/threat-actor. TTP is a smaller unit. A hypothesis or APT is usually composed of multiple or tens of TTPs. Each hunt step in a huntbook could be tagged with a TTP like what we demonstrated in the first huntbook of BlackHat 22: https://mybinder.org/v2/gh/opencybersecurityalliance/black-hat-us-2022/HEAD?filepath=demo (recording of the full session) |
Beta Was this translation helpful? Give feedback.
-
Another tradecraft element that is in regular use by cyber threat analysts is the Analysis of Competing Hypotheses (ACH) methodology that was originally developed by Richards Heuer (Heuer, Richards J., Jr, "Chapter 8: Analysis of Competing Hypotheses", Psychology of Intelligence Analysis, Center for the Study of Intelligence, Central Intelligence Agency, archived from the original on June 13, 2007). I pose this question to the community: Is there a way to develop an easy user interface that links to a TIP and a set of Actuator Profiles, like the Hunt Profile, that could help analysts work through the steps of the ACH process?
Beta Was this translation helpful? Give feedback.
All reactions