Threat Intelligence & Threat Hunting
Translate raw data into detection engineering insights and measurable reductions in adversary dwell time.
Build an intelligence-led hunting programme that fuses telemetry, adversary tradecraft, and repeatable analytics.
Intelligence-Led Security Operations
Threat intelligence converts raw observations into contextual knowledge about adversaries, infrastructure, and intent. Threat hunting applies that knowledge to proactively search for undetected attacker activity. Together they close detection gaps, inform investment decisions, and strengthen incident response plans.
- Align hunts with Priority Intelligence Requirements (PIRs) tied to critical assets and business processes.
- Blend internal telemetry with external sources (ISAC feeds, vendor CTI, dark web monitoring) to improve detection coverage.
- Feed validated hunt findings into detection engineering backlogs and purple-team exercises.
Intelligence Maturity Snapshot
Reactive
Consume finished intelligence, validate IOCs manually, and respond to incidents with limited contextual awareness.
Next Focus: Improve data coverage and tooling visibility first.
Proactive
Blend internal telemetry with curated CTI, prioritise hunts against strategic adversaries, and automate enrichment.
Next Focus: Introduce hypothesis frameworks and ATT&CK mapping.
Predictive
Fuse strategic, operational, and tactical intel to anticipate attacker movement and pre-position controls.
Next Focus: Invest in dedicated intel analysts and cross-team sharing cadences.
Threat Intelligence Lifecycle
| Phase | Objective | Key Outputs |
|---|---|---|
| Direction | Define Priority Intelligence Requirements (PIRs) and hunt hypotheses rooted in business risk. | Threat focus areas, required data sources, success criteria. |
| Collection | Acquire raw telemetry from internal and external sources (logs, CTI feeds, sensor data). | Normalised events, enrichment context, raw artifacts. |
| Processing | Clean, parse, and enhance data with tagging, correlation, and deduplication. | Searchable datasets, CTI observables, hunt-ready pivots. |
| Analysis | Transform observations into actionable intelligence and validated hunt findings. | Threat reports, detection rules, priority incidents. |
| Dissemination | Deliver intelligence to stakeholders, SOC workflows, and leadership. | Dashboards, hunt briefs, executive summaries. |
| Feedback / Lessons Learned | Capture metrics, update requirements, and refine tooling based on outcomes. | Improved hypotheses, roadmap updates, automation opportunities. |
Review the cycle quarterly and after major incidents to ensure PIRs, hunts, and tooling remain aligned with evolving risk.
Threat Hunting Approaches
Hypothesis-Driven Hunt
Start with a plausible adversary behaviour statement (e.g., "APT29 may abuse OAuth tokens") and test against telemetry using MITRE ATT&CK mapping.
Intel-Led Hunt
Pivot from finished intelligence (campaign reports, ISAC alerts) to validate whether indicators or TTPs exist internally.
Analytics-Driven Hunt
Apply statistical baselining, ML models, or outlier detection to highlight anomalies for human review.
Adversary Emulation
Leverage purple teaming and atomic tests to ensure detections fire before a threat actor reaches objectives.
Mapping Hunts to MITRE ATT&CK
| ATT&CK Tactic | Representative Technique | Intelligence/Hunt Application |
|---|---|---|
| Initial Access | T1190 Exploit Public-Facing Application | Watch vendor advisories and proof-of-concept releases to prioritise patching and hunts. |
| Execution | T1059 Command Shell | Hunt for LOLBIN abuse (e.g., certutil, mshta) following red-team or intel alerts. |
| Persistence | T1546 Event Triggered Execution | Monitor WMI Event Consumers tied to recent adversary playbooks. |
| Credential Access | T1556 Modify Authentication Process | Use hunting queries for modified SSP DLLs when reports flag LSASS credential theft. |
| Exfiltration | T1041 Exfiltration Over C2 Channel | Correlate beaconing patterns from CTI with outbound data volume anomalies. |
Track hunt coverage against ATT&CK to identify blind spots and justify engineering backlog items.
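The analytics-driven hunt described earlier and the T1041 row above, worked as an added example (not code from the original page): connections between a host and a destination are grouped, their timing regularity is measured with the coefficient of variation of the inter-connection intervals, and regular pairs are then checked for outbound volume spikes against their own median. The log format, thresholds and sample lines are constructed assumptions.

```python
"""Beacon-timing hunt correlated with outbound volume outliers (T1041).
Added example; log format, thresholds and sample data are assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

MIN_CONNECTIONS = 4     # fewer events than this cannot establish a cadence
MAX_INTERVAL_CV = 0.10  # interval coefficient of variation below this = regular
VOLUME_MULTIPLIER = 20  # bytes out above 20x the pair's median = volume outlier

# Constructed proxy log: "<ISO timestamp> <source host> <destination> <bytes out>"
SAMPLE_LOG = """\
2024-03-01T10:00:00 ws-17 203.0.113.10 512
2024-03-01T10:05:01 ws-17 203.0.113.10 520
2024-03-01T10:09:59 ws-17 203.0.113.10 498
2024-03-01T10:15:00 ws-17 203.0.113.10 9104000
2024-03-01T10:20:02 ws-17 203.0.113.10 505
2024-03-01T10:25:00 ws-17 203.0.113.10 510
2024-03-01T10:01:12 ws-17 198.51.100.7 1800
2024-03-01T10:02:45 ws-17 198.51.100.7 2100
2024-03-01T10:31:03 ws-17 198.51.100.7 900
2024-03-01T10:50:30 ws-17 198.51.100.7 20000
"""

def parse_log(text):
    """Parse "<ts> <src> <dst> <bytes>" lines into (datetime, src, dst, int) tuples."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    return [(datetime.fromisoformat(ts), src, dst, int(n)) for ts, src, dst, n in rows]

def hunt_beacons(text):
    """Return one finding per (src, dst) pair whose connection timing is regular."""
    pairs = defaultdict(list)
    for ts, src, dst, nbytes in parse_log(text):
        pairs[(src, dst)].append((ts, nbytes))
    findings = []
    for (src, dst), conns in pairs.items():
        if len(conns) < MIN_CONNECTIONS:
            continue
        conns.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(conns, conns[1:])]
        mean_gap = sum(gaps) / len(gaps)
        cv = pstdev(gaps) / mean_gap if mean_gap else 1.0
        if cv > MAX_INTERVAL_CV:
            continue  # jittery timing: not beacon-like on its own
        baseline = median(n for _, n in conns)  # per-pair volume baseline
        outliers = [(t.isoformat(), n) for t, n in conns if n > VOLUME_MULTIPLIER * baseline]
        findings.append({"src": src, "dst": dst, "connections": len(conns),
                         "mean_interval_s": mean_gap, "interval_cv": round(cv, 4),
                         "volume_outliers": outliers})
    return findings
```

Only the 203.0.113.10 pair survives the timing test (five-minute cadence, CV below 0.01), and its single 9 MB transfer stands out against a median of about 511 bytes; the 198.51.100.7 traffic is irregular and is dropped before any volume check.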
Prioritised Data Sources
Endpoint & EDR
- Process creation telemetry
- Module loads / DLL injections
- Registry modifications
- Driver loads
Network
- NetFlow / PCAP summaries
- DNS query logs
- Proxy and web gateway logs
- TLS fingerprinting (JA3/JA4)
Identity & Cloud
- Azure AD sign-in logs
- OAuth app consent events
- AWS CloudTrail / GuardDuty
- SaaS audit trails
Threat Intelligence Feeds
- ISAC/ISAO advisories
- MISP / OpenCTI indicators
- Dark web monitoring
- Vendor finished intelligence
Automation & Measurement
Detection Engineering Feedback Loop
Promote successful hunts to detections with unit tests in CI/CD pipelines; track coverage across ATT&CK tactics.
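How a promoted hunt can be carried as a detection with its own unit test and scored against the ATT&CK priorities from the mapping table, as an added example (not the page's or any product's code): each rule carries a technique tag plus a constructed true-positive and true-negative event, `run_unit_tests` is the CI gate, and `coverage_report` exposes the blind spots. The event schema, rule logic and priority list are assumptions.

```python
"""Detection-as-code for the hunt-to-detection loop: rules tagged with ATT&CK
techniques, a unit-test gate for CI, and a tactic coverage report.
Added example; event schema, rule logic and priority list are assumptions."""
from dataclasses import dataclass
from typing import Callable

@dataclass
class Detection:
    name: str
    tactic: str
    technique: str                   # ATT&CK technique id, e.g. "T1041"
    matcher: Callable[[dict], bool]  # the detection logic itself
    true_positive: dict              # constructed event the rule must fire on
    true_negative: dict              # constructed benign event it must ignore

# Priority techniques, one per tactic, taken from the hunt-mapping table above.
PRIORITY_TECHNIQUES = {"Initial Access": "T1190", "Execution": "T1059",
                       "Persistence": "T1546", "Credential Access": "T1556",
                       "Exfiltration": "T1041"}

def wmi_consumer_rule(event):
    # T1546: a new WMI event consumer registration (assumed event schema)
    return event.get("event_type") == "wmi_consumer_created"

def beacon_volume_rule(event):
    # T1041: regular outbound timing plus at least one volume outlier
    return event.get("interval_cv", 1.0) < 0.1 and event.get("volume_outliers", 0) > 0

RULES = [
    Detection("WMI event consumer registered", "Persistence", "T1546", wmi_consumer_rule,
              {"event_type": "wmi_consumer_created", "host": "ws-17"},
              {"event_type": "process_created", "host": "ws-17"}),
    Detection("Beacon with outbound volume spike", "Exfiltration", "T1041", beacon_volume_rule,
              {"interval_cv": 0.006, "volume_outliers": 1},
              {"interval_cv": 0.006, "volume_outliers": 0}),
]

def run_unit_tests(rules):
    """CI gate: each rule must fire on its true positive and stay silent on its true negative."""
    failures = []
    for r in rules:
        if not r.matcher(r.true_positive):
            failures.append(f"{r.technique} {r.name}: missed true positive")
        if r.matcher(r.true_negative):
            failures.append(f"{r.technique} {r.name}: false positive")
    return failures

def coverage_report(rules, priorities=PRIORITY_TECHNIQUES):
    """Tactic -> True if some rule covers its priority technique, else a blind spot."""
    covered = {r.technique for r in rules}
    return {tactic: tech in covered for tactic, tech in priorities.items()}
```

A non-empty list from `run_unit_tests` fails the pipeline; the tactics reported `False` are the backlog items the hunt programme still owes.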
Repeatable Hunt Playbooks
Codify hunts in notebooks or SOAR runbooks (e.g., Jupyter, Chronicle, Sentinel notebooks) for re-use and rotation.
Metrics & KPIs
Measure dwell-time reduction, hunts executed per quarter, detection yield, and percent of hunts leading to engineering items.
Quick Start Checklist
- Define a quarterly hunt calendar aligned to the business threat model.
- Instrument data quality checks for each telemetry source before hunts begin.
- Document hypotheses, queries, findings, and follow-up actions in a searchable knowledge base.
- Automate enrichment (WHOIS, sandboxing, geolocation) to speed analyst pivots.
- Loop in detection engineers, IR, and red team members for collaborative validation.