In my first post I went over some threat hunting models. For the R&D hunts, I mentioned that it would require every hunt to be cataloged. Then I started to try to create the outcome document from an R&D Hunt to share it with everyone and ran into a terminology roadblock of my own making.
I couldn't seem to make progress on outlining the expected outcome from R&D Hunts, at least not in a concise way that would be easy for my team and my leadership to comprehend. So, I decided to use writing a post to walk myself through the process and the terminology.
Campaigns & Hunts
Campaign
  Description: Two or more hunts with a common objective
  Outcome: A strategic product consolidating the findings from all hunts
Hunt
  Description: One or more hunt techniques with a common objective
  Outcome: A report containing actionable findings
Hunting Technique
  Description: A hypothesis applied to a specific domain, for a specific datasource, using a specific tactic
  Outcome: Unit of work for a hunter
For me, the hunting technique is what the hunter does to test the hypothesis, and with a favorable outcome it becomes a skill in her toolbox.
The hunting analytics are what need to be cataloged for a scalable hunt program. That is why I was getting so stuck trying to come up with the documentation after an R&D Hunt: what gets documented is the hunting analytic itself.
Now I was able to dive into what type of metadata I wanted to store with each hunting analytic.
The Deep Dive
The hunting analytic is the way to describe, and therefore document, what a hunter does. On the right side of the image I have what I consider the main attributes of the technique, and over on the left I have additional metadata that, while not required, I could see being useful when building out the playbook or catalog.
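To make the catalog idea concrete, here is an added example (mine, not from the post or the HT Trackr) of how a hunting-analytic document could be validated against the post's required attributes and rolled up into hunts and campaigns; the field names campaign, hunt, findings and id, and all sample entries, are assumptions constructed for the demo.

```python
from collections import defaultdict

# Required attributes of a hunting analytic, taken from the post's definition:
# a hypothesis applied to a specific domain, datasource and tactic.
REQUIRED = ("hypothesis", "domain", "datasource", "tactic")

def missing_attributes(doc):
    """Return the required attributes a catalog document lacks or leaves blank."""
    return [k for k in REQUIRED if not str(doc.get(k, "")).strip()]

def rollup(analytics):
    """Roll analytic documents up into hunts, and hunts up into campaigns.

    'campaign', 'hunt' and 'findings' are hypothetical field names chosen for
    this example; 'findings' is the count of actionable findings the analytic
    produced when it was run.
    """
    tree = defaultdict(lambda: defaultdict(lambda: {"analytics": 0, "findings": 0}))
    for doc in analytics:
        if missing_attributes(doc):
            continue  # an incomplete analytic is not a unit of work yet
        hunt = tree[doc["campaign"]][doc["hunt"]]
        hunt["analytics"] += 1
        hunt["findings"] += int(doc.get("findings", 0))
    summary = {}
    for name, hunts in tree.items():
        summary[name] = {
            "hunts": {h: dict(v) for h, v in hunts.items()},
            "total_findings": sum(v["findings"] for v in hunts.values()),
            # per the post, a campaign is two or more hunts with a common objective
            "qualifies_as_campaign": len(hunts) >= 2,
        }
    return summary

# Constructed sample catalog entries for demonstration (not from the post).
SAMPLE = [
    {"id": "HA-001", "hypothesis": "Attackers persist via scheduled tasks",
     "domain": "Windows endpoints", "datasource": "Sysmon", "tactic": "Persistence",
     "campaign": "Persistence review", "hunt": "Scheduled tasks", "findings": 2},
    {"id": "HA-002", "hypothesis": "Attackers persist via Run keys",
     "domain": "Windows endpoints", "datasource": "Sysmon", "tactic": "Persistence",
     "campaign": "Persistence review", "hunt": "Registry autoruns", "findings": 0},
    {"id": "HA-003", "hypothesis": "",  # blank hypothesis: incomplete, skipped
     "domain": "Linux servers", "datasource": "auditd", "tactic": "Persistence",
     "campaign": "Persistence review", "hunt": "Cron jobs", "findings": 1},
    {"id": "HA-004", "hypothesis": "Beaconing shows as periodic DNS queries",
     "domain": "Corporate network", "datasource": "DNS logs", "tactic": "Command and Control",
     "campaign": "C2 discovery", "hunt": "DNS beaconing", "findings": 3},
]

if __name__ == "__main__":
    for name, info in rollup(SAMPLE).items():
        print(name, info)
```

The same documents would store unchanged in a document-oriented database, which is the point of keeping each analytic self-describing.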
I have created a spreadsheet that smaller organizations or individual hunters could use to track their work, but larger organizations will likely need a database. I have yet to use the tracker, so I am sure some modifications are needed. Please feel free to share ideas or mods you made in the comments, or tell me if the tracker was just a waste of time.
My DBA days were rooted in relational databases, but this seemed like a good candidate for me to try out a document-oriented database, MongoDB, for the larger organizations. I will create another post specifically about this endeavor because it's just going to take me a little longer, but progress will be in my GitHub. If you are interested in collaborating on the HT Trackr, let's do it.