Full Report
This is the first part of a threat hunting blog series I want to start. I plan to share some insights on several related ideas such as risk hunting, incident-based hunting, and leveraging a system similar to requests for intelligence (RFIs) in cyber threat intelligence (CTI) but for threat hunting. These ideas and concepts came to me from creating and running a professional threat hunting program over the course of more than two years, from early 2022 to mid 2024. In this blog are many of the lessons I have learned in my time venturing on this journey. If you are just looking for some threat hunting resources in general, please see the collection on my GitHub that I have compiled and which was helpful to me during my journey.

## Introduction

If you are like myself and have been generating and disseminating cyber threat intelligence (CTI) for many years, it may be an obvious choice to transition into a role whereby you consume and leverage it. Threat hunting is an activity that experienced CTI analysts are likely to be particularly good at, because they have acquired deep knowledge of adversary tactics, techniques, and procedures (TTPs), as well as their motivations and the decisions they make during their intrusions.

Put simply, the goal of threat hunting is to look for evidence of bad guys in an organisation's environment. However, during this process of looking for evidence of bad guy activities, you will inevitably come across risky behaviour instead of actual signs of an advanced persistent threat (APT) actor or one of the stealthier ransomware gangs.

## Scoping Out Threat Hunting

From my discussions with the Curated Intel community, the widely accepted description of a Threat Hunter in an information security team is that they proactively seek out and investigate potential threats within an organisation. They can use a combination of manual and automated techniques to look for adversaries that have managed to evade security tooling. The main purpose of a Threat Hunter or Threat Hunting Team is to prevent security incidents before they cause damage, reputational harm, or disruption to the organisation they are responsible for.

## Beginning Your First Threat Hunt

The first thing to take note of is that threat hunts can begin in a number of ways. The two main triggers for starting a proactive threat hunt are intelligence-based threat hunting and hypothesis-based threat hunting. These two triggers are widely accepted and discussed in various articles, academic and commercial. In-house infosec teams, however, are often also asked to perform a type of reactive threat hunt related to an incident at their organisation.

- **Intelligence-based Threat Hunting:** The Hunter receives intelligence about the latest threat actor activities targeting the same industry their organisation is in, or a certain information technology product their organisation uses. They then decide to see if that activity has taken place in their environment.
- **Hypothesis-based Threat Hunting:** The Hunter hypothesizes that a certain type of activity may be more likely to take place in their organisation's environment based on their knowledge of what systems or products it has. They then decide to look for signs of the activities they anticipate based on their experience or research.
- **Incident-based Threat Hunting:** The Hunter is requested to participate in an incident response situation, such as malware being detected on an endpoint or accounts being created on an internet-facing networking device by an adversary at their organisation. They then decide to look for additional signs of related activity based on what was observed during the incident.

## Threat Hunting Outputs

To be able to prove you accomplished something following a threat hunt, it is important to consider what outputs you are striving for. This includes any noteworthy discoveries or potential incidents you uncovered, plus any future hunt ideas you came up with while hunting, any risky behaviours you observed, any times you leveraged CTI during your hunt, and any gaps in your protection coverage. It is important to capture these in your reporting methodology.

During your threat hunts, such as when running behavioural detection rules against various log sources, you may not often actually find any signs of malicious activity. This is okay. It is not a failed hunt because you found nothing. As a hunter, you have validated that your protections are in place for that specific threat. This enables limited resources to be allocated elsewhere and will ultimately lead to improving the overall security posture of the organisation.

## Request For Hunt (RFH)

If you work in CTI, you will be very familiar with the term request for intelligence (RFI), especially if you work on the vendor side. The same concept also applies generally for in-house CTI teams at large companies with a global presence. Generally, in response to an RFI you will provide a product, which can range from a detailed report to simply an email or message response. At an in-house CTI team, instead of receiving RFIs from various clients at different companies as you would at a vendor, you will receive RFIs from various individuals across different teams, such as the executive leadership team (ELT) or the security operations center (SOC), as well as non-infosec teams in departments like physical security.

However, another thing to consider with RFIs received by an in-house CTI team is that they will likely include the question "Are we impacted by this?" This is a reasonable question for any member of an infosec team to ask when they come across recent news that they think could affect the company they are responsible for keeping secure. This is where the new concept of a request for hunt (RFH) can be introduced.

The thing to remember about threat hunting is that delegating the entire responsibility of deciding what to hunt for to the threat hunting team alone is likely going to lead to skewed results. One way to mitigate the threat hunting team's biases and preferences (i.e. they hunt for the things they like to hunt for) is RFHs from stakeholders. Other internal infosec teams (the stakeholders), such as a red team or physical security team, may have their own ideas of what types of threats should be hunted for based on their observations of the architecture, nature and day-to-day running of the business. Just as prehistoric hunters out in the wild benefitted from others who specialised in different habitats, from jungles to mountains to savannahs, differing perspectives are going to augment your understanding of anything and make you more effective at it.

Please click here for part two.
Analysis Summary
# Best Practices: Establishing and Maturing Threat Hunting Programs
## Overview
These practices focus on structuring, initiating, and documenting a proactive security function dedicated to seeking out evidence of adversaries who have successfully bypassed existing security controls. They emphasize leveraging threat intelligence expertise to prevent incidents before they cause harm.
## Key Recommendations
### Immediate Actions
1. **Establish a Formal Request Mechanism:** Adopt a formal system similar to "Requests for Intelligence (RFIs)" specifically tailored for initiating threat hunts (Requests for Hunt - RFHs).
2. **Define Initial Hunt Triggers:** Ensure all inbound requests for threat hunting activities are immediately categorized as one of the following:
   - **Intelligence-based:** Triggered by recent threat activity targeting the organization's industry or technology stack.
   - **Hypothesis-based:** Triggered by internal knowledge of organizational assets suggesting likely attack vectors.
   - **Incident-based:** Triggered by an observed security incident (e.g., malware detection, unauthorized account creation).
3. **Document Initial Hunt Outputs:** Define mandatory preliminary outputs for every hunt, regardless of findings (e.g., notable discoveries, potential incidents, identification of future hunt ideas, observed risky behaviors, identified coverage gaps).
### Short-term Improvements (1-3 months)
1. **Integrate CTI Expertise:** Leverage existing Cyber Threat Intelligence (CTI) analyst knowledge, as their deep understanding of adversary Tactics, Techniques, and Procedures (TTPs) is highly relevant for effective threat hunting.
2. **Standardize Hunt Methodology:** Document the process for executing intelligence-based and hypothesis-based hunts using manual and automated techniques to search for evasive adversaries.
3. **Mandate Control Validation Documentation:** When a hunt does not find malicious activity, formally document it as a successful validation that existing protections are effective against the specific threat modeled in the hunt.
### Long-term Strategy (3+ months)
1. **Develop Risk Hunting Capabilities:** Implement specialized 'risk hunting' activities alongside traditional threat hunting to proactively uncover risky behaviors within the environment, not just confirmed malicious activity.
2. **Formalize Reporting Cadence:** Institute a robust reporting methodology to consistently capture all defined threat hunting outputs, ensuring continuous improvement and demonstration of program value.
3. **Review Security Tooling Gaps:** Systematically use observations from threat hunts (both positive and negative findings) to identify and prioritize gaps in current security tooling coverage.
## Implementation Guidance
### For Small Organizations
- **Focus on Incident-Based Hunts Initially:** Prioritize leveraging the threat hunting function immediately following any security alert or incident (Incident-based hunting) to maximize quick wins and build internal justification.
- **Leverage External Intelligence:** Rely heavily on industry-specific threat intelligence feeds (intelligence-based hunting) to drive the limited proactive hunts since dedicated internal research time may be scarce.
### For Medium Organizations
- **Develop Hypothesis Generation:** Start formalizing the process where security engineers and analysts create testable hypotheses about likely attack paths based on deployed technologies.
- **Establish Basic Artifact Collection:** Ensure log sources and endpoint telemetry are consistently collected and available to support both manual investigation techniques and automated rule development.
### For Large Enterprises
- **Institutionalize the RFI/RFH Analogy:** Fully implement and manage the "Request for Hunt" process, ensuring formal intake, prioritization, and tracking against defined Service Level Objectives (SLOs).
- **Embed CTI Analysts:** Formally integrate CTI analysts directly into the threat hunting team structure to maximize the application of adversary knowledge in proactive searches.
- **Scale Automated Hunting:** Mature the use of automated techniques (e.g., behavioral detection rules against diverse log sources) to search for TTPs at scale, balancing manual effort with automation.
## Configuration Examples
The provided context focuses on the *process* and *management* of threat hunting requests rather than specific technical configurations. Therefore, specific configuration examples cannot be extracted, but the concept of leveraging **behavioral detection rules against various log sources** should be prioritized for automation.
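The article does not include code, but the idea it keeps returning to, behavioural detection rules run against log sources, with every hunt producing a recorded output even when nothing is found, is easy to show concretely. The following is an added example (my own illustration, not code from the article or its author) of a minimal hunt runner: it parses constructed key=value device logs, applies two behavioural rules, and fills in a hunt record with the outputs the article lists (findings, risky behaviours, future hunt ideas, and a control-validation flag when no finding is produced). The rule names, the dataclass fields, the hostnames, usernames, addresses and log lines are all assumptions constructed for the example.

```python
"""
Added example, not code from the original article: a tiny hunt runner that
applies behavioural rules to log lines and records the hunt's outputs the way
the article recommends (findings, risky behaviours, future hunt ideas, and an
explicit control-validation result when nothing is found).
All hostnames, usernames, addresses and log lines below are constructed.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed syslog-style key=value records from an imaginary
# internet-facing network device.
SAMPLE_LOGS = [
    "ts=2024-05-01T02:13:07Z host=edge-fw-01 event=user_add user=svc_backup by=admin src=10.0.0.5",
    "ts=2024-05-01T02:14:22Z host=edge-fw-01 event=login user=admin src=10.0.0.5 result=success",
    "ts=2024-05-01T02:15:00Z host=edge-fw-01 event=login user=svc_backup src=10.0.0.5 result=success",
    "ts=2024-05-01T03:40:51Z host=edge-fw-02 event=user_add user=support2 by=admin src=203.0.113.9",
    "ts=2024-05-01T03:41:03Z host=edge-fw-02 event=login user=support2 src=203.0.113.9 result=success",
    "ts=2024-05-01T09:00:00Z host=edge-fw-01 event=config_save by=admin src=10.0.0.5",
]

KV_RE = re.compile(r"(\w+)=(\S+)")
INTERNAL_PREFIX = "10."  # assumption: the constructed internal address range


def parse_line(line):
    """Turn one key=value record into a dict, converting ts to a datetime."""
    rec = dict(KV_RE.findall(line))
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


@dataclass
class HuntRecord:
    """The outputs the article says every hunt should capture."""
    trigger: str                 # intelligence-based, hypothesis-based or incident-based
    description: str
    findings: list = field(default_factory=list)
    risky_behaviours: list = field(default_factory=list)
    future_hunt_ideas: list = field(default_factory=list)  # filled in by the hunter
    coverage_validated: bool = False  # True when the hunt produced no finding


def rule_external_account_creation(events):
    """Behavioural rule: a local account created on a network device from a
    source address outside the internal range."""
    return [e for e in events
            if e["event"] == "user_add" and not e["src"].startswith(INTERNAL_PREFIX)]


def rule_new_account_login_within(events, seconds=300):
    """Behavioural rule: a freshly created account logs in within `seconds`
    of its creation."""
    created = {e["user"]: e for e in events if e["event"] == "user_add"}
    hits = []
    for e in events:
        c = created.get(e.get("user"))
        if e["event"] == "login" and c is not None:
            if 0 <= (e["ts"] - c["ts"]).total_seconds() <= seconds:
                hits.append(e)
    return hits


def run_hunt(log_lines, trigger, description):
    """Run the rules and produce a HuntRecord; a hunt with no findings is
    recorded as a successful validation of coverage, not as a failure."""
    events = [parse_line(line) for line in log_lines]
    rec = HuntRecord(trigger=trigger, description=description)
    for e in rule_external_account_creation(events):
        rec.findings.append(
            f"{e['host']}: account {e['user']} created from external address {e['src']}")
    for e in rule_new_account_login_within(events):
        msg = f"{e['host']}: new account {e['user']} logged in from {e['src']} shortly after creation"
        if e["src"].startswith(INTERNAL_PREFIX):
            # Internal origin: likely an admin shortcut. Worth a conversation,
            # so it is recorded as risky behaviour rather than as a finding.
            rec.risky_behaviours.append(msg)
        else:
            rec.findings.append(msg)
    rec.coverage_validated = not rec.findings
    return rec


if __name__ == "__main__":
    record = run_hunt(SAMPLE_LOGS, "incident-based",
                      "accounts created on internet-facing network devices")
    print(f"trigger: {record.trigger}  validated: {record.coverage_validated}")
    for f in record.findings:
        print("FINDING ", f)
    for r in record.risky_behaviours:
        print("RISKY   ", r)
```

On the constructed sample the hunt produces two findings (both about the `support2` account on `edge-fw-02`) and one risky behaviour (the internal `svc_backup` creation followed by an immediate login). Drop the external lines and the same run yields no findings, so `coverage_validated` flips to `True`, which is exactly the "nothing found, protections validated" output the article says should still be reported.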
## Compliance Alignment
N/A - The article focuses on enhancing the operational capability of Threat Hunting, which supports security management frameworks rather than directly mapping to specific control standards such as NIST, ISO, or CIS. However, effective threat hunting directly contributes to the **Detect** and **Respond** functions of frameworks like NIST CSF.
## Common Pitfalls to Avoid
- **Viewing hunts without positive findings as failures:** Do not penalize hunts that successfully validate existing defenses; these are crucial successes in control validation.
- **Lacking clear output expectations:** Starting a hunt without defining what successful, failed, or partially successful results look like will lead to difficulty in proving program value.
- **Treating Hunting solely as Reactive:** Over-reliance on incident-driven requests will stifle proactive discovery and validation capabilities.
## Resources
- **GitHub Collection:** The author references a personal GitHub compilation of useful resources: `[collection on their GitHub](defanged_link_to_BushidoUK/Open-source-tools-for-CTI/blob/master/ThreatHunting.md)`.