The Basics of Threat Hunting

Components of a Successful Threat Hunt

The end goal of a threat hunt determines how the hunt is classified. A hunt that starts with the concrete goal of discovering a specific actor is a threat-focused hunt. An environmental hunt, by contrast, sets out to understand a particular subset of the overall environment from a technical angle. Classifying the hunt matters because the type of hunt changes the TTPs and the data sources required to conduct it. A hunt may also start as an environmental hunt and turn into a threat-focused hunt once malicious activity is discovered.

Both types of hunt are essential to a complete threat hunting program. Threat-focused hunts target known adversary behavior and can confirm or rule out the presence of a known actor's TTPs in the environment. Environmental hunts pick a specific protocol or data source and look for malicious behavior that has not yet been associated with an actor's TTPs.

An environmental hunt may still examine data related to a specific attack technique, but it does so without the context of a known malicious actor. When hunting for sophisticated attackers, a threat-focused hunt built on known intelligence about a particular attacker can be followed by an environmental hunt that looks for evolution in that attacker's TTPs, or for TTPs not yet attributed to them.

Hunt Cycle Model