Online Courses
Cyber Threat Hunting
Threat hunting methodologies

Introduction

Structured threat hunting

Structured threat hunting is a methodical approach to identifying and mitigating potential security threats in an organization's network, systems and applications.

  • It involves a systematic and repeatable process that includes multiple stages, such as planning, data collection, analysis and response.

  • In structured threat hunting, the process is based on a set of predefined steps or procedures that guide the threat hunting activities.

  • This helps to ensure that the process is consistent, repeatable and effective in identifying and addressing potential security threats.

  • Threat hunting is performed based on an Indicator of Attack (IOA), as well as the Tactics, Techniques and Procedures (TTPs) used by attackers.
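The following is an added example, not code from the course, of what "predefined, repeatable stages" look like when a structured hunt is written down as a small runner: planning (hypothesis and data source recorded first), collection, analysis driven by a behavioural indicator rather than a static IOC, and a response decision. The logon records, the 10-minute window and the three-host threshold are constructed assumptions for illustration only.

```python
"""Structured hunt runner: a TTP hypothesis executed through fixed, repeatable stages.

Added example, not from the course. The logon records, the window and the
threshold are constructed assumptions chosen to illustrate the stages.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of endpoint logon events: (timestamp, account, host, logon_type)
SAMPLE_LOGONS = [
    ("2024-05-01T09:00:00", "alice", "WS-01", "interactive"),
    ("2024-05-01T09:05:00", "alice", "FS-01", "network"),
    ("2024-05-01T09:06:00", "alice", "FS-02", "network"),
    ("2024-05-01T09:07:00", "alice", "DC-01", "network"),
    ("2024-05-01T09:08:00", "alice", "SQL-01", "network"),
    ("2024-05-01T09:10:00", "bob", "WS-02", "interactive"),
    ("2024-05-01T09:30:00", "bob", "FS-01", "network"),
]


def collect(events, logon_type="network"):
    """Stage 2, data collection: keep only the event type the hypothesis needs,
    grouped by account and ordered by time."""
    by_account = defaultdict(list)
    for ts, account, host, ltype in events:
        if ltype == logon_type:
            by_account[account].append((datetime.fromisoformat(ts), host))
    for evs in by_account.values():
        evs.sort()
    return by_account


def analyse(by_account, window, threshold):
    """Stage 3, analysis: flag an account that reaches `threshold` distinct hosts
    via network logons inside any sliding `window` (a behavioural indicator,
    not a static IOC). One finding per account, at the first time it trips."""
    findings = []
    for account, evs in by_account.items():
        for i, (t_end, _) in enumerate(evs):
            hosts = {h for t, h in evs[: i + 1] if t >= t_end - window}
            if len(hosts) >= threshold:
                findings.append({"account": account,
                                 "hosts": sorted(hosts),
                                 "window_end": t_end.isoformat()})
                break
    return findings


def run_structured_hunt(events, window=timedelta(minutes=10), threshold=3):
    """Stages 1-4 in a fixed order so every run of the hunt is comparable."""
    report = {
        # Stage 1, planning: the hypothesis and data source are written down first.
        "hypothesis": ("An account authenticating to an unusual number of hosts "
                       "in a short window is a behavioural indicator worth review"),
        "data_source": "endpoint logon events",
    }
    by_account = collect(events)
    report["accounts_reviewed"] = len(by_account)
    report["findings"] = analyse(by_account, window, threshold)
    # Stage 4, response: hand-off is a tracked decision, not an ad-hoc reaction.
    report["response"] = ("open investigation tickets" if report["findings"]
                          else "record null result; keep hypothesis for next cycle")
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(run_structured_hunt(SAMPLE_LOGONS), indent=2))
```

Because the hypothesis, data source, window and threshold are fixed inputs rather than analyst judgement at run time, the same hunt can be re-run each cycle and its results compared, which is the repeatability the section describes; tuning the threshold against a baseline of normal administrator activity is the part that needs the analyst.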

Unstructured threat hunting

Unlike structured threat hunting, which is methodical and focuses on IOAs, unstructured threat hunting relies primarily on analyst intuition and IOCs to drive hunts.

  • The hunter searches the network for any IOCs received from one of the various sources, such as threat intelligence or threat reports.

  • If there are any matches for IOCs in the environment, the hunter looks for malicious patterns before and after the trigger or IOC.

  • Threat hunters can investigate historical data as far as data retention limits permit.

  • This type of threat hunting can discover new types of threats, or threats that penetrated the environment in the past and are now dormant.

  • The other form of unstructured hunting is investigative work where a cyber-threat hunter observes behavior and looks for anomalies.
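As an added example (not from the course page) of the IOC-triggered form of unstructured hunting described above, the code below sweeps a log for IOC matches, drops anything older than the retention limit, and for each hit pulls the events on the same host in a window before and after the trigger so the hunter can read the surrounding activity for patterns. The IOC values, host names and log events are constructed placeholders (a documentation-range IP and a reserved `.example` domain); the ±5-minute window and 90-day retention are assumptions.

```python
"""Unstructured hunt: sweep logs for IOCs, then pivot to what happened around each hit.

Added example, not from the course. The IOC values, host names and log events
are constructed placeholders (documentation IP range, reserved .example TLD).
"""
from datetime import datetime, timedelta

# Constructed IOC set, as it might arrive from a threat report or intel feed.
IOCS = {
    "domain": {"bad-updates.example"},
    "sha256": {"d0c0ffee" * 8},   # placeholder 64-hex-char hash
    "ip": {"203.0.113.9"},
}

# Constructed, simplified event log. `kind` uses the same vocabulary as the IOC
# categories so a match is a direct set lookup; "process" events are context only.
EVENTS = [
    {"ts": "2024-01-01T10:03:00", "host": "WS-07", "kind": "domain", "value": "bad-updates.example"},
    {"ts": "2024-05-01T10:00:00", "host": "WS-07", "kind": "process", "value": "winword.exe"},
    {"ts": "2024-05-01T10:02:00", "host": "WS-07", "kind": "domain", "value": "cdn.example"},
    {"ts": "2024-05-01T10:03:00", "host": "WS-02", "kind": "domain", "value": "intranet.example"},
    {"ts": "2024-05-01T10:03:00", "host": "WS-07", "kind": "domain", "value": "bad-updates.example"},
    {"ts": "2024-05-01T10:04:00", "host": "WS-07", "kind": "sha256", "value": "d0c0ffee" * 8},
    {"ts": "2024-05-01T10:05:00", "host": "WS-07", "kind": "ip", "value": "203.0.113.9"},
    {"ts": "2024-05-01T10:40:00", "host": "WS-07", "kind": "process", "value": "explorer.exe"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def match_iocs(events, iocs):
    """Return events whose value is in the IOC set for their kind, oldest first."""
    hits = [e for e in events if e["value"] in iocs.get(e["kind"], ())]
    return sorted(hits, key=_ts)


def context_around(events, trigger, before, after):
    """Events on the trigger's host from `before` earlier to `after` later, in
    time order: the before/after window the hunter reads for malicious patterns."""
    t = _ts(trigger)
    window = [e for e in events
              if e["host"] == trigger["host"] and t - before <= _ts(e) <= t + after]
    return sorted(window, key=_ts)


def hunt_iocs(events, iocs, before=timedelta(minutes=5), after=timedelta(minutes=5),
              retention=timedelta(days=90), now=None):
    """Sweep only what retention still holds, then attach context to each hit.
    `now` may be an ISO-8601 string or a datetime; default is the current time."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    now = now or datetime.now()
    in_scope = [e for e in events if _ts(e) >= now - retention]
    return [{"trigger": hit, "context": context_around(in_scope, hit, before, after)}
            for hit in match_iocs(in_scope, iocs)]


if __name__ == "__main__":
    for f in hunt_iocs(EVENTS, IOCS, now="2024-05-01T12:00:00"):
        t = f["trigger"]
        print(f"IOC hit {t['kind']}={t['value']} on {t['host']} at {t['ts']}")
        for e in f["context"]:
            marker = "  <-- trigger" if e is t else ""
            print(f"    {e['ts']} {e['kind']:8} {e['value']}{marker}")
```

The retention cut-off is deliberately explicit: the January hit on the same host is real but falls outside the 90-day window, which is exactly the kind of dormant, historical activity the section says a hunter can only recover as far as retention permits. Widening the before/after window is the usual next step once a hit looks genuine.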

Situation- or entity-driven threat hunting

Situational threat hunting looks at an enterprise's individual vulnerabilities, such as those found in a risk assessment.

Entity-driven hunting uses external attack data to identify trending TTPs of the latest cyber threats. With this information, hunters can look for specific behaviors within an organization's own environment.

Situational threat hunting focuses on high-risk/high-value entities such as sensitive data or critical computing resources.

Its main benefit is that it helps focus and prioritize threat-hunting activity to improve its effectiveness.

Attackers commonly target specific high-value/high-risk assets such as domain controllers, or privileged users such as IT administrators and DevOps managers.
