Full Report
Originally published at Arachne Digital.

Threat hunting has become one of the most important activities in modern security operations. In an age where adversaries innovate constantly, waiting for alerts is not enough. A mature SOC must be proactive, searching for adversaries before they trigger alarms, and validating whether defences truly work against real-world tactics.

Threat-informed defence is the philosophy that underpins this approach. Instead of hunting based on hunches or generic indicators, teams use structured frameworks that tie hunts to adversary behaviour. This blog explores why threat hunting matters, the major frameworks you can adopt, what makes a hunt successful, and common pitfalls to avoid.

## Why Threat Hunting Matters

- **Attackers Move Faster than Defenders:** Threat actors exploit gaps in visibility, misconfigurations, and novel tactics, techniques and procedures (TTPs). By the time an alert fires, damage may already be done. Hunting helps you catch these subtle intrusions earlier.
- **Detection Gaps Are Inevitable:** No matter how advanced your tools, there will be blind spots. Threat hunting exposes those gaps and feeds improvements back into detection engineering.
- **SOC Maturity and Analyst Skill Growth:** Hunting develops analyst expertise, strengthens defensive posture, and transitions the SOC from reactive firefighting to proactive security.

## The Main Threat Hunting Frameworks

Different organisations have proposed structured methodologies for threat hunting. Here are the most prominent:

### MITRE ATT&CK®-Driven Hunting

The MITRE ATT&CK® framework is one of the most widely adopted tools for structuring threat hunts. Rather than starting from scratch, analysts can anchor their hunts in a globally recognised catalogue of adversary tactics and techniques.
ATT&CK doesn’t just tell you what attackers do; it provides a roadmap for how to detect them.

A typical ATT&CK-driven hunting process follows these steps:

1. **Select Relevant Tactics and Techniques:** Start by choosing ATT&CK techniques based on your threat model, recent intelligence, or adversary profiles. For example, if your organisation is targeted by ransomware actors, you might focus on techniques in the Execution and Impact tactics.
2. **Form a Hypothesis:** Translate the chosen technique into a hypothesis. For instance: “An adversary may be using PowerShell (T1059.001) for initial execution in our environment.”
3. **Map to Available Data Sources:** Use ATT&CK’s guidance on data sources to determine what telemetry you’ll need. For PowerShell execution, this might include process creation logs, PowerShell operational logs, or endpoint telemetry.
4. **Hunt in the Environment:** Build queries or detections in your SIEM/EDR to test the hypothesis. Look for activity matching the ATT&CK technique, such as unusual PowerShell command lines.
5. **Investigate and Enrich:** If suspicious activity is found, enrich it with context: when did it occur, which accounts were involved, is it tied to known adversary campaigns?
6. **Operationalise Findings:** Feed validated findings back into your detection engineering process, for example by creating a new SIEM rule, EDR detection, or SOAR playbook mapped directly to the ATT&CK technique.
7. **Measure Coverage:** Document which ATT&CK techniques are now covered, identify remaining gaps, and plan the next hunt. Over time, this builds a measurable “ATT&CK coverage map” of your environment.

### SANS Threat Hunting Process (The Hunting Loop)

The SANS Institute’s Threat Hunting Loop provides a structured, repeatable process for hunts. It is an intelligence-driven methodology, but with defined stages that make it more than just using threat intel.
The loop consists of:

1. **Hypothesis Generation:** Starting with a question based on threat intelligence or observed activity.
2. **Profiling the Environment:** Establishing baselines of normal behaviour to spot anomalies.
3. **Hunting:** Actively testing the hypothesis by querying available data sources.
4. **Discovery and Enrichment:** Investigating findings, correlating with other data, and gathering context.
5. **Operationalisation:** Feeding discoveries back into detections, dashboards, or playbooks to strengthen defences.

This cyclical process ensures hunts not only identify potential threats but also continuously improve detection capabilities.

### Hunter’s Maturity Model (HMM)

The Hunter’s Maturity Model (HMM) was developed by Sqrrl, later acquired by Amazon and integrated into AWS’s security services. HMM outlines stages of hunting maturity:

- **Level 0:** No hunting, reactive operations only.
- **Level 1:** Unstructured, ad hoc hunts.
- **Level 2:** Structured, repeatable hunts.
- **Level 3:** Proactive, automated, and innovative hunts.

This model remains a widely used way for SOCs to benchmark where they are on their hunting journey and chart a path toward maturity.

### Analytic Frameworks for Guiding Hunts (Diamond Model and Kill Chain)

- **Diamond Model for Intrusion Analysis:** Focuses on four nodes (adversary, capability, infrastructure, and victim) and the relationships between them. Analysts can pivot across these nodes to generate hypotheses and better understand adversary behaviour.
- **Cyber Kill Chain® (Lockheed Martin):** Breaks down an adversary attack into seven phases: reconnaissance, weaponisation, delivery, exploitation, installation, command and control, and actions on objectives.
It helps hunters frame their work by asking: “At which phase are we most likely to detect this activity in our environment?”

While not frameworks for TTPs in the same sense as MITRE ATT&CK, both models give analysts useful structures to guide hunts and anticipate adversary behaviour.

### TAHITI Methodology (Emerging)

Some SOC teams adopt lightweight, iterative hunting methods inspired by frameworks like TAHITI (Threat-Informed Analysis for Tactical Hunts and Investigations). While not as widely formalised or adopted as ATT&CK or the SANS Loop, these approaches emphasise:

- Short cycles of hypothesis and testing
- Rapid feedback into detections
- Flexibility over rigid process

This style suits agile teams who want fast results without the overhead of a full formal framework.

## What Makes Threat Hunting Successful

- **Clear Hypotheses:** Hunts should start with a focused, testable question (e.g., “Are adversaries using living-off-the-land binaries to move laterally in our network?”).
- **Threat Intelligence Integration:** Quality cyber threat intelligence provides the seed for relevant hunts and ensures defenders are testing against real-world TTPs.
- **Data Coverage and Visibility:** Hunts are only as strong as the telemetry available: endpoint, network, cloud, and identity data must be ingested and searchable.
- **Repeatability and Documentation:** Each hunt should produce lessons learned, new detections, and playbooks for future use.
- **Feedback Loop to Detection Engineering:** Findings from hunts must feed directly into SIEM/SOAR detections, improving resilience over time.

## Common Pitfalls to Avoid

- **Unstructured “Fishing Expeditions”:** Hunting without hypotheses wastes time and erodes analyst confidence.
- **Over-Reliance on Tools Alone:** Technology supports hunting, but analyst curiosity and critical thinking are irreplaceable.
- **Failure to Operationalise Results:** If hunts don’t improve detection coverage or incident response, they’re wasted effort.
- **Not Measuring Value:** Without metrics, such as detection coverage improvements,
dwell time reduction, or successful hypothesis validation, executive buy-in may fade.
- **Burnout and Scope Creep:** Analysts tasked with constant ad hoc hunts without a process risk fatigue and inconsistent outcomes.

## Bringing It All Together: Threat-Informed Defence

Threat-informed defence is the practice of grounding your security operations in a clear understanding of how adversaries actually operate. Instead of building defences around generic risks or vendor-driven priorities, you align security controls, detection engineering, and response playbooks to real-world adversary TTPs.

In this model, frameworks like MITRE ATT&CK, the Diamond Model, and the SANS Hunting Loop aren’t academic exercises; they are the scaffolding that keeps your defence program anchored to reality.

Where threat hunting fits:

- Threat hunting becomes the validation engine for threat-informed defence.
- By testing hypotheses against adversary TTPs, hunts reveal whether your environment can detect and withstand those behaviours.
- Every hunt produces lessons learned: gaps in telemetry, missing detections, or untested assumptions. Those lessons feed back into detection engineering and defensive controls.
- Over time, this cycle ensures your defences are not just theoretical but battle-tested against the threats that matter most to you.

Put simply: threat-informed defence sets the strategy, and threat hunting executes it in practice. The result is a SOC that no longer waits for attackers to announce themselves but continuously checks whether its defences stand up to the adversaries most likely to come knocking.

## The Role of Cyber Threat Intelligence in Threat Hunting

Threat hunting is only as strong as the intelligence it’s built on. Too often, “threat intelligence” is treated as a feed of indicators of compromise (IOCs): IP addresses, file hashes, or domain names. While IOCs can support detection, they cannot drive threat hunting.
By the time an IOC is distributed, it may already be obsolete, burned, or irrelevant to your environment. Hunting based on these alone quickly becomes a game of whack-a-mole.

Real threat hunting requires intelligence that answers bigger questions:

- **Which threat actors are likely to target my industry and geography?** Understanding the adversaries most relevant to your organisation ensures you’re not chasing ghosts, but focusing on real risks.
- **Which techniques do those adversaries use?** Mapping adversary behaviour to frameworks like MITRE ATT&CK highlights where you should focus your hunts and what data you’ll need.
- **When were those techniques and campaigns active?** Bounding intelligence in timeframes matters. Techniques used three years ago may not be relevant today, while emerging campaigns might demand immediate hunts.

Good intelligence informs what to hunt, when to hunt it, and why it matters. This elevates hunting from ad hoc curiosity to a strategic capability.

Arachne Digital provides intelligence that goes beyond static indicators. Our threat intelligence highlights the adversaries most likely to target you, the techniques they employ, and the industries and regions they focus on, all bounded in time. This is the type of intelligence that fuels proactive hunts, closes detection gaps, and enables threat-informed defence.

Reach out to us for more details.

## Final Thoughts

Threat hunting is one of the clearest signs of SOC maturity. It demands curiosity, structure, and a willingness to learn from both successes and failures.
Whether you start with ATT&CK, intelligence-driven hunts, or a maturity model, the key is to build a repeatable process that grows with your organisation.

These insights are not abstract theory; they’re the foundation of how modern defenders close detection gaps, validate assumptions, and build resilience against today’s adversaries.

*Threat Hunting: Building Threat-Informed Defence in Your SOC was originally published in MeetCyber on Medium.*
Analysis Summary
# Best Practices: Building Threat-Informed Defence in the SOC via Threat Hunting
## Overview
These practices focus on transitioning a Security Operations Center (SOC) from a reactive alerting model to a proactive, threat-informed defense posture through structured threat hunting. This approach leverages adversary behavior frameworks (like MITRE ATT&CK) to proactively search for threats that bypass current automated detections, thereby exposing visibility gaps and maturing overall defense capabilities.
## Key Recommendations
### Immediate Actions
1. **Prioritize Threat-Informed Focus:** Immediately shift analysis and investigation workloads to prioritize hunting based on known threat intelligence or high-risk adversary profiles relevant to your organization (e.g., ransomware actors).
2. **Establish Initial Hypothesis Template:** Mandate that every new hunt activity must start with a clear, testable hypothesis that directly maps to a specific adversary Tactic or Technique from the chosen framework (e.g., MITRE ATT&CK).
### Short-term Improvements (1-3 months)
1. **Map Initial ATT&CK Coverage:** Perform an initial assessment to map existing SIEM/EDR detection rules against the MITRE ATT&CK framework to identify immediate, high-priority detection gaps for high-impact TTPs.
2. **Adopt a Standard Hunting Loop:** Implement the SANS Threat Hunting Loop (Hypothesis Generation -> Profiling -> Hunting -> Discovery & Enrichment -> Operationalisation) as the standardized methodology for all threat hunting activities.
3. **Integrate Telemetry Requirements:** For planned hunts, explicitly link the target ATT&CK technique to the required data sources (e.g., process creation logs, EDR telemetry) to ensure necessary logging is active *before* hunting begins.
### Long-term Strategy (3+ months)
1. **Develop Comprehensive ATT&CK Coverage Map:** Continuously track and document findings to build a quantitative measure of security coverage against the ATT&CK matrix, actively scheduling hunts to close identified gaps.
2. **Foster Analyst Skill Growth:** Structure the SOC training program around threat hunting methodologies (SANS Loop, ATT&CK structure) to transition analysts from alert investigation to proactive discovery.
3. **Operationalize Findings Systematically:** Enforce a mandatory cycle where every successful or validated hunt finding results in the creation or refinement of a formal detection artifact (SIEM rule, SOAR playbook, EDR signature) mapped back to the relevant TTP.
## Implementation Guidance
### For Small Organizations
- **Focus on Visibility Baselines:** Begin the SANS loop by heavily prioritizing the "Profiling the Environment" stage. Since resources are limited, focus initial hunts on establishing clear baselines of *normal* behavior for core systems before hunting for complex anomalies.
- **Framework Selection:** Adopt the MITRE ATT&CK framework immediately due to its widespread documentation and community support, focusing initially only on Tactics relevant to *Execution* and *Persistence*.
### For Medium Organizations
- **Structured ATT&CK Hunting:** Fully implement the 7-step MITRE ATT&CK-Driven Hunting process. Dedicate specific time blocks (e.g., 20% of analyst time) solely to structured hunting activities.
- **Data Source Correlation:** Begin cross-validating findings from initial hunts across different log sources (e.g., correlating process execution logs with network flow data) to enrich context during the "Discovery and Enrichment" phase.
### For Large Enterprises
- **Automated Coverage Measurement:** Implement mechanisms (tools or scripts) to automatically generate and visualize the organization's ATT&CK coverage map based on existing detections.
- **Adversary Emulation Integration:** Use threat intelligence regarding targeted ransomware groups or APTs in your sector to drive hypothesis generation, focusing hunts on the TTPs detailed in recent high-fidelity cyber campaigns.
- **Maturity Modeling:** Use the Hunter’s Maturity Model (HMM) to formally benchmark and drive investment decisions for scaling the threat hunting program.
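The "Automated Coverage Measurement" item above, together with the report's "Measure Coverage" step and its point that intelligence must be bounded in time, can be demonstrated in a few dozen lines. The following is an added Python example, not code from the post or from Arachne Digital's own tooling. The technique IDs are real ATT&CK IDs, but the technique-to-tactic table is a hard-coded subset, and the detection rules, actor names, sectors, regions and dates are all constructed for the demonstration. The one-year relevance window is an assumption chosen for the example, not a recommendation from the page.

```python
"""Added example (not from the Arachne Digital post): build a time-bounded
ATT&CK coverage map from detection rules tagged with technique IDs and
intelligence records of which actor used which technique, and when.
Rules, actors, sectors, regions and dates are constructed; technique IDs are real."""
from collections import defaultdict
from datetime import date, timedelta

# Hard-coded subset of ATT&CK technique -> tactic (real IDs, illustrative subset only)
TACTIC_OF = {
    "T1566.001": "initial-access", "T1059.001": "execution", "T1047": "execution",
    "T1562.001": "defense-evasion", "T1003.001": "credential-access",
    "T1021.001": "lateral-movement", "T1486": "impact",
}

# Constructed detection inventory: rule name -> ATT&CK techniques the rule is mapped to
RULES = {
    "ps-encoded-command": ["T1059.001"],
    "office-spawns-shell": ["T1059.001", "T1566.001"],
    "lsass-handle-access": ["T1003.001"],
    "defender-disabled-via-registry": ["T1562.001"],
}

# Constructed intelligence: (actor, technique, last observed, sectors targeted, regions targeted)
INTEL = [
    ("ACTOR-A", "T1566.001", date(2024, 4, 20), {"finance"}, {"EU"}),
    ("ACTOR-A", "T1059.001", date(2024, 4, 20), {"finance"}, {"EU"}),
    ("ACTOR-A", "T1486",     date(2024, 4, 20), {"finance"}, {"EU"}),
    ("ACTOR-B", "T1021.001", date(2024, 3, 2),  {"finance", "retail"}, {"EU", "NA"}),
    ("ACTOR-B", "T1486",     date(2024, 3, 2),  {"finance", "retail"}, {"EU", "NA"}),
    ("ACTOR-C", "T1047",     date(2021, 6, 1),  {"finance"}, {"EU"}),    # stale record
    ("ACTOR-D", "T1003.001", date(2024, 5, 1),  {"energy"}, {"APAC"}),  # not our profile
]

def prioritised_techniques(intel, sector, region, today, max_age_days=365):
    """Techniques used against our sector and region inside the time bound, with the
    set of actors seen using each. Stale and off-profile records drop out here."""
    cutoff = today - timedelta(days=max_age_days)
    actors = defaultdict(set)
    for actor, tech, last_seen, sectors, regions in intel:
        if sector in sectors and region in regions and last_seen >= cutoff:
            actors[tech].add(actor)
    return dict(actors)

def coverage_map(rules, priorities):
    """Per technique: the rules covering it. Per tactic: (covered, total) over the
    prioritised techniques, which is the quantitative coverage measure."""
    rules_for = defaultdict(list)
    for name, techs in rules.items():
        for t in techs:
            rules_for[t].append(name)
    per_technique = {t: sorted(rules_for.get(t, [])) for t in priorities}
    per_tactic = defaultdict(lambda: [0, 0])
    for t, covering in per_technique.items():
        tactic = TACTIC_OF.get(t, "unknown")
        per_tactic[tactic][1] += 1
        if covering:
            per_tactic[tactic][0] += 1
    return per_technique, {k: tuple(v) for k, v in per_tactic.items()}

def hunt_backlog(per_technique, priorities):
    """Uncovered prioritised techniques, ordered by how many relevant actors use them:
    the next hunts to schedule to close the gaps."""
    gaps = [t for t, covering in per_technique.items() if not covering]
    return sorted(gaps, key=lambda t: (-len(priorities[t]), t))

def build_report(sector="finance", region="EU", today=date(2024, 5, 15)):
    priorities = prioritised_techniques(INTEL, sector, region, today)
    per_technique, per_tactic = coverage_map(RULES, priorities)
    return {"priorities": priorities, "per_technique": per_technique,
            "per_tactic": per_tactic, "backlog": hunt_backlog(per_technique, priorities)}

if __name__ == "__main__":
    report = build_report()
    for tactic, (covered, total) in sorted(report["per_tactic"].items()):
        print(f"{tactic:18} {covered}/{total} prioritised techniques covered")
    print("hunt backlog:", report["backlog"])
```

With the constructed inputs, the stale 2021 record and the energy-sector actor are filtered out before coverage is computed, so the map only reflects the adversaries the report says matter to you. The two gaps left, T1486 (used by two relevant actors) and T1021.001, become the ordered hunt backlog, which is the "actively scheduling hunts to close identified gaps" loop in practice; in a real programme the rule inventory would be exported from the SIEM or a Sigma repository rather than hard-coded.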
## Configuration Examples
*(Note: The context provided focuses heavily on methodology rather than specific configuration syntax. The primary configuration guidance centers on data source requirements for specific techniques.)*
| ATT&CK Technique Example | Required Data Source (Telemetry) | Hunting Focus |
| :--- | :--- | :--- |
| T1059.001 (PowerShell) | Process Creation Logs, PowerShell Operational Logs | Query for encoded commands, suspicious parameters, or execution chains not signed by trusted processes. |
| (Implied: Defense Evasion) | Endpoint Telemetry Alerts | Hunt for anomalies in execution timing or process parent/child relationships indicative of obfuscation or injection. |
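The seven ATT&CK-driven steps and the Hunting Loop's "profile the environment" stage described in the report, and the T1059.001 row of the table above (encoded commands, suspicious parameters, untrusted parent processes), can be walked through end to end against a handful of events. The following is an added Python example, not code from the post or from Arachne Digital. The process-creation events, host names, accounts and command lines are constructed; the encoded payload is a harmless `Write-Host` built inside the script. The "two distinct hosts" baseline threshold and the "two independent signals" triage threshold are simplifications chosen for the example, the rule dictionary only approximates Sigma's shape, and the data-source names refer to the real Windows process-creation sources (Sysmon event 1, Security event 4688) and the PowerShell Operational log.

```python
"""Added example, not code from the Arachne Digital post: a miniature
ATT&CK-driven hunt for T1059.001 (PowerShell) over constructed
process-creation events. Hosts, accounts and command lines are made up."""
import base64
import re
from dataclasses import dataclass, field

# Steps 1-3: technique, hypothesis and the telemetry ATT&CK points to for it
TECHNIQUE = "T1059.001"
HYPOTHESIS = "An adversary may be using PowerShell for initial execution in our environment."
DATA_SOURCES = ["Process creation (Sysmon event 1 / Security 4688)", "PowerShell Operational log"]

# Constructed telemetry: (timestamp, host, user, parent image, command line).
# The encoded payload is built here so the sample stays readable and harmless.
_ENCODED = base64.b64encode("Write-Host probe".encode("utf-16-le")).decode()
EVENTS = [
    ("2024-05-01T08:01:00Z", "ws-01", "alice", "explorer.exe",
     "powershell.exe -File C:\\scripts\\backup.ps1"),
    ("2024-05-01T08:05:00Z", "ws-02", "bob", "explorer.exe", "powershell.exe Get-Service"),
    ("2024-05-01T09:12:00Z", "ws-03", "carol", "explorer.exe",
     "powershell.exe -File C:\\scripts\\inventory.ps1"),
    ("2024-05-01T11:40:00Z", "ws-07", "dave", "winword.exe",
     f"powershell.exe -nop -w hidden -enc {_ENCODED}"),
    ("2024-05-01T12:00:00Z", "ws-04", "svc-sccm", "ccmexec.exe",
     "powershell.exe -ExecutionPolicy Bypass -File C:\\sccm\\patch.ps1"),
]

@dataclass
class Finding:
    time: str
    host: str
    user: str
    parent: str
    reasons: list = field(default_factory=list)
    decoded: str = ""  # enrichment: what an encoded command actually says

# -e/-ec/-enc/-EncodedCommand followed by a base64 blob; -w hidden / -WindowStyle hidden
_ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
_HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)

def profile_baseline(events, min_hosts=2):
    """Hunting-loop 'profile the environment': a parent that launches PowerShell on
    at least min_hosts distinct hosts counts as normal in this sample; others are rare."""
    hosts_per_parent = {}
    for _, host, _, parent, _ in events:
        hosts_per_parent.setdefault(parent.lower(), set()).add(host)
    return {p for p, hosts in hosts_per_parent.items() if len(hosts) >= min_hosts}

def hunt(events, baseline):
    """Step 4: test the hypothesis against the telemetry; step 5: enrich each hit."""
    findings = []
    for time, host, user, parent, cmdline in events:
        reasons, decoded = [], ""
        if parent.lower() not in baseline:
            reasons.append(f"rare parent process {parent}")
        if _HIDDEN.search(cmdline):
            reasons.append("hidden window")
        m = _ENC_FLAG.search(cmdline)
        if m:
            reasons.append("encoded command")
            try:  # PowerShell's -enc argument is base64 of UTF-16LE text
                decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                decoded = "<undecodable>"
        if reasons:
            findings.append(Finding(time, host, user, parent, reasons, decoded))
    return findings

def triage(findings, min_reasons=2):
    """Split hits into confirmed (several independent signals) and analyst review.
    The threshold is a simplification for the example, not a universal rule."""
    confirmed = [f for f in findings if len(f.reasons) >= min_reasons]
    review = [f for f in findings if len(f.reasons) < min_reasons]
    return confirmed, review

def operationalise(confirmed):
    """Step 6: a Sigma-style rule dict (constructed shape) tagged with the technique;
    step 7: the coverage-map entry recorded for this hunt."""
    rule = {
        "title": "PowerShell encoded command from rare parent",
        "tags": [f"attack.{TECHNIQUE.lower()}", "attack.execution"],
        "logsource": {"category": "process_creation", "product": "windows"},
        "detection": {
            "selection": {
                "Image|endswith": "\\powershell.exe",
                "ParentImage|endswith": sorted({"\\" + f.parent for f in confirmed}),
                "CommandLine|re": _ENC_FLAG.pattern,
            },
            "condition": "selection",
        },
    }
    coverage = {TECHNIQUE: "detected" if confirmed else "hunted-no-findings"}
    return rule, coverage

def run_hunt(events=EVENTS):
    baseline = profile_baseline(events)
    confirmed, review = triage(hunt(events, baseline))
    rule, coverage = operationalise(confirmed)
    return {"baseline": baseline, "confirmed": confirmed, "review": review,
            "rule": rule, "coverage": coverage}

if __name__ == "__main__":
    result = run_hunt()
    for f in result["confirmed"]:
        print("CONFIRMED", f.time, f.host, f.user, f.reasons, repr(f.decoded))
    for f in result["review"]:
        print("REVIEW   ", f.time, f.host, f.user, f.reasons)
    print(result["coverage"])
```

Two things the run shows that the table alone does not. First, the Word-spawned event trips three independent signals and its encoded argument is decoded as part of enrichment, so the analyst sees what ran, not just that something was encoded. Second, the `svc-sccm` event lands in the review bucket on the strength of a rare parent alone: that is the "Investigate and Enrich" step doing its job, and once the analyst confirms it is management tooling the fix is to add `ccmexec.exe` to the baseline, which is exactly the feedback into profiling the Hunting Loop calls for. The same three conditions translate directly into a SIEM or EDR query once the hunt is operationalised.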
## Compliance Alignment
- **NIST Cybersecurity Framework (CSF):** Threat hunting directly supports the **Detect** function by strengthening continuous monitoring and anomaly detection capabilities, and informing the **Respond** function by validating detection efficacy.
- **ISO/IEC 27001:** The structured, documented nature of the hunting loops (SANS/ATT&CK) helps fulfill the requirement for documented operational procedures and continuous improvement associated with monitoring and incident response controls.
- **CIS Critical Security Controls:** Hunting is essential for verifying that controls related to logging (Control 16) and detection mechanisms (related to Control 17: Detection) are functioning effectively against real-world TTPs.
## Common Pitfalls to Avoid
- **Hunting without a Hypothesis:** Avoid unstructured "fishing expeditions." Every hunt must be guided by a specific question tied to a known threat model or framework element.
- **Ignoring Operationalization:** Failing to feed validated findings back into detection engineering means hunts are treating symptoms without curing the detection gap. This leads to wasted effort and repeated hunts for the same baseline issue.
- **Analysis Paralysis:** Do not get indefinitely stuck in the "Investigate and Enrich" phase. Successful hunting requires pragmatic decision-making to move findings to the "Operationalise" stage within a reasonable timeframe.
## Resources
- **MITRE ATT&CK Framework:** The essential resource for mapping adversary behavior and structuring initial hunts.
- **SANS Institute Threat Hunting Documentation:** Provides detailed guidance on the repeatable "Hunting Loop" methodology.
- **Hunter's Maturity Model (HMM):** Useful for benchmarking the maturity level of the hunting program over time.