Introduction

Structured threat hunting

Structured threat hunting is a methodical approach to identifying and mitigating potential security threats in an organization's network, systems and applications

  • It involves a systematic and repeatable process that includes multiple stages, such as planning, data collection, analysis and response

  • In structured threat hunting, the process is based on a set of predefined steps or procedures that guide the threat hunting activities

  • This helps to ensure that the process is consistent, repeatable and effective in identifying and addressing potential security threats

  • Threat hunting is performed based on an Indicator of Attack (IOA), as well as the Tactics, Techniques and Procedures (TTPs) used by attackers

Unstructured threat hunting

Unlike structured threat hunting, which is methodical and focuses on IOAs, unstructured threat hunting primarily relies on analyst intuition and IOCs to drive hunts

  • The hunter searches the network for any IOCs received from one of various sources, such as threat intelligence feeds, threat reports, etc.

  • If there are any matches for IOCs in the environment, the hunter looks for malicious patterns before and after the trigger or IOC

  • Threat hunters can investigate historical data as far as data retention limits permit

  • This type of threat hunting can discover new types of threats or threats that penetrated the environment in the past and are now dormant

  • The other form of unstructured hunting is investigative work where a cyber-threat hunter observes behavior and looks for anomalies
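The IOC-driven hunt described above (match a received indicator against the environment, then inspect what happened before and after the trigger) can be sketched in a few lines. This is an added example, not code from the original page; the log lines, hostnames, domain, IP address and the window size are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry: "timestamp key=value ..." per line (hypothetical hosts/values)
SAMPLE_LOGS = [
    "2024-03-01T10:00:00 host=ws01 event=process name=outlook.exe",
    "2024-03-01T10:03:10 host=ws01 event=process name=winword.exe",
    "2024-03-01T10:04:00 host=ws01 event=dns query=bad.example.invalid",
    "2024-03-01T10:04:30 host=ws01 event=process name=powershell.exe",
    "2024-03-01T10:05:00 host=ws01 event=netconn dst=203.0.113.7",
    "2024-03-01T12:00:00 host=ws02 event=process name=chrome.exe",
]

# Constructed IOC set, standing in for indicators received from a threat-intel feed or report
IOCS = {"bad.example.invalid", "203.0.113.7"}


def parse(line):
    """Split a log line into a dict of fields plus a datetime under 'ts' and the raw line."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    fields["raw"] = line
    return fields


def find_ioc_hits(events, iocs):
    """Trigger events: any field value (other than ts/raw) equals a known IOC."""
    return [e for e in events
            if any(v in iocs for k, v in e.items() if k not in ("ts", "raw"))]


def context_window(events, hit, before, after):
    """Same-host events in [hit-before, hit+after], ordered by time (the 'before and after' pivot)."""
    lo, hi = hit["ts"] - before, hit["ts"] + after
    return sorted((e for e in events if e["host"] == hit["host"] and lo <= e["ts"] <= hi),
                  key=lambda e: e["ts"])


def hunt(lines, iocs, minutes=3):
    """For each IOC match, return the trigger line and the raw lines around it for analyst review."""
    events = [parse(l) for l in lines]
    window = timedelta(minutes=minutes)
    return [{"trigger": hit["raw"],
             "context": [e["raw"] for e in context_window(events, hit, window, window)]}
            for hit in find_ioc_hits(events, iocs)]


if __name__ == "__main__":
    for result in hunt(SAMPLE_LOGS, IOCS):
        print("TRIGGER:", result["trigger"])
        for line in result["context"]:
            print("   ", line)
```

Each trigger's context is what the hunter then reads for malicious patterns, such as an Office process followed by a scripting host and an outbound connection within a short interval.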

Situation- or entity-driven threat hunting

Situational threat hunting looks at an enterprise's individual vulnerabilities, such as those found in a risk assessment

Entity-driven hunting uses external attack data to identify trending TTPs of the latest cyber threats. With this information, hunters can look for specific behaviors within an organization's own environment

Situational threat hunting focuses on high-risk/high-value entities such as sensitive data or critical computing resources

Its main benefit is that it helps focus and prioritize threat-hunting activity to improve its effectiveness

Attackers commonly target specific high-value/high-risk assets such as domain controllers, or privileged users such as IT administrators and DevOps managers
