Venue: IEEE International Conference on Electro Information Technology

CARVE: A Scientific Method-Based Threat Hunting Hypothesis Development Model



Abstract

A threat hunting exercise is a hypothesis-driven exploratory and explanatory research process. Because the exercise is inherently scientific in nature, it lends itself to the application of the scientific method of hypothesis development. The exercise commences with exploratory steps in the threat hypothesis phase to develop a logical argument asserting an existential threat, then follows with explanatory steps in the threat hunt phase to validate that argument. To deem a threat credible, that is, valid and relevant, a threat hunting hypothesis must establish a correlational and causal relationship between the asserted threat and a targeted asset. The hypothesis must also adhere to the constructs of the scientific method so that the exercise can be defined and measured objectively and can yield valuable and repeatable outcomes. Lack of adherence to the scientific method increases the frequency of invalid and/or irrelevant propositions in threat hypotheses, which diminishes Return on Investment (ROI) in cybersecurity defensive efforts through wasted cycles of threat hunting exercises. This paper proposes a scientific method-based model, Collect Analyze Relate Validate Establish (CARVE), which can be used to develop valid and relevant threat hunting hypotheses in the context of a given organization's information system and environment. The CARVE model is defined by five steps: Collect, Analyze, Relate, Validate, and Establish. The effectiveness of the model is demonstrated using a case study based on the United States Computer Emergency Readiness Team (US CERT) technical alert TA17-293A.
