Data and technologies

Threat hunting sources

Threat hunters rely on several sources of information, such as the following, to create hunts:

Threat intelligence

Collection of data related to known threats and threat actors

  • Threat actors targeting your organization

  • Information sharing between organizations within the same sector

  • Zero-day exploits against similar organizations

  • New vulnerabilities being leveraged by attackers

Internal findings

The findings identified by various teams conducting assessments

  • Internal audit

  • Enterprise risk teams

  • Red Team

Security incidents

The lessons learned phase of incident response captures valuable information that can be leveraged by threat hunting. This could be tactics and techniques identified during incident response, gaps in coverage, vulnerabilities, etc.

MITRE ATT&CK framework

Tactics and techniques outlined in the framework are great resources to identify and prioritize hunts to be conducted within your organization

Organizational knowledge

Knowledge of known gaps, broken processes, etc., derived from time spent with an organization is another great source for threat hunting

Anomalous activity

Activity that deviates from established security configurations or behaviors is another input for threat hunting
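The sources above rarely arrive in a form that says which hunt to run first. The following is an added example, not part of the original page, of one way to turn them into a ranked hunt backlog: each source contributes the ATT&CK technique IDs it observed or flagged, techniques reported by several sources score higher, and techniques the organization knows it has no detection coverage for are boosted further. The source names, weights and sample technique sets are assumptions made for the example.

```python
"""Rank candidate hunts by combining threat intel, incidents, internal findings
and anomalous activity, keyed by ATT&CK technique ID."""
from collections import defaultdict

# Relative weight of each source (assumed values; tune per organization).
SOURCE_WEIGHTS = {
    "threat_intel": 3,        # actors known to target the organization
    "security_incidents": 3,  # techniques seen in our own incident response
    "red_team": 2,            # internal findings from assessments
    "internal_audit": 1,
    "anomalous_activity": 2,  # deviations from expected configuration/behavior
}


def prioritize_hunts(observations, covered_techniques, weights=SOURCE_WEIGHTS):
    """observations: {source_name: set of ATT&CK technique IDs}.
    covered_techniques: IDs with working detections (organizational knowledge).
    Returns [(technique, score, [sources])] sorted by descending score."""
    scores = defaultdict(int)
    sources = defaultdict(list)
    for source, techniques in observations.items():
        if source not in weights:
            raise ValueError(f"unknown source: {source}")
        for technique in techniques:
            scores[technique] += weights[source]
            sources[technique].append(source)
    ranked = []
    for technique, score in scores.items():
        # A known coverage gap is where a hunt pays off most, so double it.
        if technique not in covered_techniques:
            score *= 2
        ranked.append((technique, score, sorted(sources[technique])))
    ranked.sort(key=lambda row: (-row[1], row[0]))
    return ranked


# Constructed sample input for the example (not real intelligence data).
SAMPLE_OBSERVATIONS = {
    "threat_intel": {"T1566", "T1059", "T1003"},
    "security_incidents": {"T1059", "T1021"},
    "red_team": {"T1003", "T1021", "T1078"},
    "anomalous_activity": {"T1078"},
}
SAMPLE_COVERED = {"T1566", "T1059"}  # techniques with existing detections

if __name__ == "__main__":
    for technique, score, srcs in prioritize_hunts(SAMPLE_OBSERVATIONS, SAMPLE_COVERED):
        print(f"{technique}: score={score} sources={','.join(srcs)}")
```

With the sample data, T1003 and T1021 rank first because each is reported by two sources and neither has detection coverage, while T1059 ranks below them despite two sources because it is already covered.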
