Which of the following best describes the role of a hypothesis in threat hunting?
Think about how hunters decide what to look for before searching.
A hypothesis in threat hunting is a testable statement formed from observed data or intelligence. It guides the investigation by focusing on what to look for.
Which data source is most commonly used for detecting lateral movement within a network during threat hunting?
Consider where you can see what programs are running on computers.
Endpoint process execution logs show which programs run on each device and can reveal suspicious lateral movement activity, such as remote execution tools launched from one host against another.
Which technique is best suited for discovering unknown threats that do not match existing signatures?
Think about how to find threats that look different from normal behavior.
Anomaly detection compares current behavior to a baseline of normal activity to find unusual patterns, helping discover unknown threats.
Which statement correctly compares proactive and reactive threat hunting?
Consider when each hunting approach starts the investigation.
Proactive hunting starts with hypotheses and searches for threats before alerts occur. Reactive hunting investigates after alerts or incidents.
After conducting a threat hunt, a team finds no evidence of compromise but notices unusual spikes in network traffic at odd hours. What is the best next step?
Think about how to handle suspicious but unclear findings.
Unusual traffic spikes may indicate hidden threats or misconfigurations. Investigating further helps ensure no threats are missed.