
# Unstructured hunting

This is the **most common** form of threat hunting observed in organizations that have some form of threat hunting capability.

* No specific methodology is defined for conducting hunts, and hunts are not driven by TTPs
* Instead, this type of threat hunting relies primarily on analyst intuition and IOCs to drive hunts
* Many sites share threat reports and the IOCs associated with a specific threat for free
* Organizations may also have paid sources of threat intelligence, so they receive the latest threat reports/IOCs as soon as they are available

There are multiple schools of thought on **unstructured hunting**.

* The first is that unstructured threat hunting starts from a trigger or an indicator of compromise (IOC)
* The hunter **searches the network for malicious patterns** before and after the trigger or IOC
* Threat hunters can **investigate historical data** as far back as data retention limits permit
* This type of threat hunting can discover new types of threats, or threats that penetrated the environment in the past and are now dormant
* The next section covers cyber-threat intelligence, as it is the primary source for this kind of hunting
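The IOC-driven hunt described above, as an added example that is not part of the original course notes: a handful of hypothetical indicators (domain and IP) are matched against a constructed proxy log, each hit is pivoted on by pulling everything the same host did within a window before and after it, the new external destinations that turn up are treated as candidate indicators, and those candidates are swept across every host. The retention cut-off shows why an older infection can only be found if the logs still exist. The IOCs, hostnames, IPs and the `10.0.0.0/8` internal-range assumption are all constructed for the example.

```python
"""IOC-driven hunt over a proxy log, with a pivot around each hit (constructed data)."""
from datetime import datetime, timedelta, timezone

# Hypothetical indicators as they might arrive in a threat report; not real IOCs.
IOCS = {
    "domains": {"update-cdn-check.example", "files-sync.example"},
    "ips": {"203.0.113.45"},
}

# Constructed proxy log: timestamp, source host, requested domain, resolved IP.
PROXY_LOG = """\
2024-02-20T10:00:00Z ws-042 update-cdn-check.example 203.0.113.45
2024-03-01T08:02:11Z ws-017 intranet.corp.example 10.0.0.5
2024-03-01T09:15:40Z ws-042 update-cdn-check.example 203.0.113.45
2024-03-01T09:16:02Z ws-042 staging-bucket.example 198.51.100.7
2024-03-01T09:20:13Z ws-042 mail.corp.example 10.0.0.9
2024-03-02T09:15:43Z ws-042 files-sync.example 203.0.113.45
2024-03-02T11:02:00Z ws-021 staging-bucket.example 198.51.100.7
2024-03-03T14:30:00Z ws-017 news.example 192.0.2.10
"""


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dest, ip = line.split()
        events.append({"ts": parse_ts(ts), "host": host, "dest": dest, "ip": ip})
    return events


def within_retention(events, now, retention_days):
    """Only events the log platform still holds can be searched."""
    floor = now - timedelta(days=retention_days)
    return [e for e in events if e["ts"] >= floor]


def ioc_hits(events, iocs):
    """Direct matches on the indicators from the report."""
    return [e for e in events if e["dest"] in iocs["domains"] or e["ip"] in iocs["ips"]]


def is_internal(ip):
    return ip.startswith("10.")  # assumption: 10/8 is the corporate address range


def pivot(events, hit, iocs, window_hours):
    """External destinations the hitting host contacted within +/- window_hours of the hit,
    excluding the known IOCs themselves: these are candidate new indicators."""
    lo = hit["ts"] - timedelta(hours=window_hours)
    hi = hit["ts"] + timedelta(hours=window_hours)
    return sorted({
        (e["dest"], e["ip"]) for e in events
        if e["host"] == hit["host"] and lo <= e["ts"] <= hi and e is not hit
        and e["dest"] not in iocs["domains"] and e["ip"] not in iocs["ips"]
        and not is_internal(e["ip"])
    })


def sweep(events, indicators):
    """Which hosts, across the whole retained window, touched any candidate indicator."""
    return sorted({e["host"] for e in events if (e["dest"], e["ip"]) in indicators})


def hunt(log_text, iocs, now_iso, retention_days=14, window_hours=1):
    now = parse_ts(now_iso)
    events = within_retention(parse_log(log_text), now, retention_days)
    hits = ioc_hits(events, iocs)
    candidates = set()
    for h in hits:
        candidates.update(pivot(events, h, iocs, window_hours))
    return {
        "hits": [(e["ts"].strftime("%Y-%m-%dT%H:%M:%SZ"), e["host"], e["dest"]) for e in hits],
        "candidates": sorted(candidates),
        "spread": sweep(events, candidates),
    }


if __name__ == "__main__":
    for days in (10, 14):
        print(f"retention {days}d:", hunt(PROXY_LOG, IOCS, "2024-03-05T00:00:00Z", retention_days=days))
```

With 10 days of retention the hunt sees two hits on `ws-042`, the pivot surfaces `staging-bucket.example` as a candidate indicator, and the sweep shows `ws-021` talked to it as well; with 14 days of retention the earlier February contact from the same host becomes visible, which is the dormant, older intrusion the notes mention.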

## Cyber-threat intelligence

#### What is cyber-threat intelligence (CTI)?

A collection of data regarding threats, gathered and analyzed so that it can be acted upon:

* Organizations may collect intelligence for internal use
* Some companies collect and sell threat intelligence, both directly and bundled with the security platforms they sell
* Both commercial and open-source threat intelligence sources are available
* There are also Information Sharing and Analysis Centers (ISACs) that collect, analyze and disseminate actionable threat information to their members
* There are ISACs for various industries (financial, industrial, etc.) that organizations can join to obtain valuable intel; sometimes this includes real-time intel that can be used to mitigate risks

## Open-Source Intelligence (OSINT)

#### Cyber-threat information that is collected and shared publicly

* Open-source intelligence can be used on its own
* OSINT can also be combined with threat data collected by the organization itself

## Commercial threat intelligence

Cyber-threat information provided by security vendors for a fee; it offers the following advantages over OSINT:

* **Visibility** - Coverage is broader than what a single open-source community can focus on. This gives more holistic threat intelligence and lets security actions be proactive rather than reactive
* **Triage** - It can provide severity levels for IOCs and the related alerts, which helps you triage and focus on what is most important for your team to address
* **Context** - It provides additional context, so you know what action to take next when you see an alert in your environment or identify a specific vulnerability

Another school of thought is **analyst intuition**.

* It is defined as a method of finding malicious activity without knowing exactly what type of threat you are looking for
* Instead, the hunter relies on behavioral analysis to find these threats
* In short, unstructured hunting is investigative work in which a cyber-threat hunter observes behavior and looks for anomalies
* For example, if a machine on the network starts sending out spam emails, a system administrator might notice unusual activity on the network and investigate further
* If something suspicious is found, they could act immediately or wait a few days to see whether the same addresses start sending again
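The spam scenario above, worked as behavioral detection in code; this is an added example, not part of the original course notes. There is no IOC to search for, so the check compares each host against its own history: how many distinct external hosts it opened SMTP (port 25) sessions to per day, flagged when a day exceeds both an absolute floor and a multiple of the host's own median. A mail relay with a high but steady fan-out stays quiet, while a workstation that normally never speaks SMTP stands out. A second function answers the "wait a few days and see if it comes back" question by reporting hosts flagged on more than one day. The flow records, hostnames, IPs and thresholds (`min_abs=10`, `factor=5`) are constructed assumptions.

```python
"""Behaviour-based hunt: per-host SMTP fan-out compared with the host's own baseline (constructed data)."""
from collections import defaultdict
from statistics import median


def make_sample_flows():
    """Constructed outbound flow records (day, host, dst_ip, dst_port); not real traffic."""
    flows = []
    days = [f"2024-03-{d:02d}" for d in range(1, 8)]
    for day in days:
        # The mail relay legitimately sends to a handful of upstream providers every day.
        for i in range(1, 6):
            flows += [(day, "mx-01", f"198.51.100.{i}", 25)] * 60
        # Workstations only browse the web.
        for ws in ("ws-017", "ws-021", "ws-042"):
            flows += [(day, ws, "192.0.2.80", 443)] * 50
    # On two days ws-042 opens SMTP sessions to 40 distinct external hosts: spam-bot behaviour.
    for day in ("2024-03-04", "2024-03-06"):
        flows += [(day, "ws-042", f"203.0.113.{i}", 25) for i in range(1, 41)]
    return flows


def smtp_fanout(flows, port=25):
    """host -> day -> number of distinct destination IPs contacted on `port`."""
    dests = defaultdict(lambda: defaultdict(set))
    for day, host, dst_ip, dport in flows:
        if dport == port:
            dests[host][day].add(dst_ip)
    return {h: {d: len(s) for d, s in per_day.items()} for h, per_day in dests.items()}


def find_anomalies(flows, port=25, min_abs=10, factor=5):
    """Flag (host, day, fanout, baseline) where a host's daily fan-out exceeds both
    an absolute floor and `factor` times that host's own median over the period.
    The median keeps a couple of spike days from inflating the baseline."""
    days = sorted({f[0] for f in flows})
    hosts = sorted({f[1] for f in flows})
    fanout = smtp_fanout(flows, port)
    anomalies = []
    for host in hosts:
        series = [fanout.get(host, {}).get(d, 0) for d in days]
        baseline = median(series)
        threshold = max(min_abs, factor * baseline)
        for day, count in zip(days, series):
            if count > threshold:
                anomalies.append((host, day, count, baseline))
    return anomalies


def recurring_hosts(anomalies, min_days=2):
    """Hosts flagged on at least `min_days` distinct days: the 'does it come back?' check."""
    days_by_host = defaultdict(set)
    for host, day, _count, _baseline in anomalies:
        days_by_host[host].add(day)
    return sorted(h for h, ds in days_by_host.items() if len(ds) >= min_days)


if __name__ == "__main__":
    flows = make_sample_flows()
    found = find_anomalies(flows)
    for a in found:
        print("anomaly:", a)
    print("recurring:", recurring_hosts(found))
```

Distinct destinations are used rather than raw connection counts because spam fans out to many mail servers, while a busy but legitimate relay sends large volumes to a few fixed upstreams; counting volume alone would flag the relay first.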
