
Threat Hunting Cheat Sheet by

Summary for threat Hunting


The ability to block sophisticated threats improves each year, but we face determined and creative adversaries whose techniques evolve just as quickly. Organizations therefore need another layer of defense that proactively detects threat actors before they can do damage to the environment.

What is threat hunting ?

Threat hunting is the practice of proactively searching a network for cyber threats that are lurking undetected: unknown threats that the current automated methods of prevention and detection have missed.
The hunter starts from the assumption that an adversary is already present in the network.

Why threat hunting ?

- Threat hunting helps an organization reduce dwell time (the time an attacker spends in the environment before being detected)
- Threat hunting helps identify a threat within the organization's assets before any damage is done

Threat Hunting Maturity Model-1

The Threat Hunting Maturity Model helps organizations measure their current maturity and provides a roadmap for improvement. The maturity levels run from a non-existent (initial) stage to a fully matured level (leading).

Threat Hunting Maturity Model-2

Initial (Level 0)
At this level the organization covers only the basics and relies on automated detection (example: a SIEM). It is not considered to be hunting because it collects little data from its environment.
Minimal (Level 1)
Still relies mainly on automated detection, but follows the latest threat reports and collects data from the environment into a central location, so when a new threat report is published the key indicators can be extracted and searched for in the recent past of the environment (there is no regular threat hunting routine).
Procedural (Level 2)
Collects large amounts of data and follows hunting procedures available on the internet that were created by others (there is a regular threat hunting routine).
Innovative (Level 3)
Instead of relying on procedures created by others, the organization creates its own, aided by data visualization and machine learning.
Leading (Level 4)
The majority of procedures are automated, so instead of repeating the same process over and over the hunters can focus on creating new ones.
NOTE: The Hunting Maturity Model is only a model; an organization does not have to fit neatly into one level and may have capabilities at varying levels.

Threat Hunting Frameworks

Frameworks give threat hunters a foundation when starting the hunting process.

Cyber Attack Life Cycle

The process by which sophisticated cyber attacks are conducted (helps in understanding how a cyber attack unfolds from the adversary's perspective).

Pyramid Of Pain

The relationship between the types of indicators you might use to detect an adversary's activities and how much pain it causes the adversary when you are able to deny those indicators to them (helps in measuring the effectiveness of the indicators used in threat hunting).

Cyber kill Chain

The steps an attacker needs to take in order to achieve their objective.

MITRE ATT&CK

Knowledge base of adversary tactics, techniques and procedures (TTPs); an alternative to the Cyber Kill Chain with more detail.

Threat Hunting Method­ologies

IOC based threat hunting
The threat hunter uses IOCs from threat intel feeds. The hunt is triggered once the SIEM raises an alert on an IOC seen in the environment; the hunter then investigates the activity before and after the alert to identify any compromise. (This hunting depends on someone in the community having identified and shared the IOC first.)
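As an added example (not code from the cheat sheet), the following Python sweeps a proxy log for a small IOC feed and then pulls the "before and after" window for each affected host, which is the part of the IOC-based hunt that the SIEM alert alone does not give you. The IOC domains, the IP and the log lines are constructed for illustration and are not real threat intelligence; the window size is an assumption.

```python
"""IOC sweep over proxy logs with before/after context (added example; log lines and
IOCs are constructed for illustration and are not real threat intelligence)."""
from datetime import datetime, timedelta

# Constructed IOC feed: hypothetical domains and an IP from a reserved example range.
IOC_DOMAINS = {"update-cdn-check.example", "files-sync.example"}
IOC_IPS = {"203.0.113.77"}

# Constructed proxy log: "timestamp host user dest_host dest_ip method status bytes"
LOG_LINES = """\
2024-03-04T09:58:10 ws-017 alice mail.corp.example 10.0.0.8 GET 200 1204
2024-03-04T10:01:42 ws-017 alice cdn.example.org 198.51.100.5 GET 200 54321
2024-03-04T10:02:05 ws-017 alice update-cdn-check.example 203.0.113.77 POST 200 812
2024-03-04T10:02:07 ws-017 alice update-cdn-check.example 203.0.113.77 GET 200 30211
2024-03-04T10:09:30 ws-017 alice intranet.corp.example 10.0.0.12 GET 200 4100
2024-03-04T10:03:00 ws-022 bob news.example.net 198.51.100.9 GET 200 9001
2024-03-04T11:40:00 ws-022 bob files-sync.example 203.0.113.77 GET 200 77
"""


def parse_log(text):
    """Turn the whitespace-separated log into dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, dest, ip, method, status, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "user": user,
                       "dest": dest, "ip": ip, "method": method,
                       "status": int(status), "bytes": int(nbytes)})
    return events


def ioc_hits(events):
    """Events whose destination domain or IP appears in the IOC feed."""
    return [e for e in events if e["dest"] in IOC_DOMAINS or e["ip"] in IOC_IPS]


def context_for_host(events, host, hits, minutes=5):
    """All events on `host` within +/- `minutes` of any IOC hit on that host,
    in time order: this is the 'before and after' the hunter reviews."""
    window = timedelta(minutes=minutes)
    host_hits = [h for h in hits if h["host"] == host]
    ctx = [e for e in events if e["host"] == host
           and any(abs(e["ts"] - h["ts"]) <= window for h in host_hits)]
    return sorted(ctx, key=lambda e: e["ts"])


def sweep(text, minutes=5):
    """Per affected host: the IOC hits and the surrounding context window."""
    events = parse_log(text)
    hits = ioc_hits(events)
    return {host: {"hits": [h for h in hits if h["host"] == host],
                   "context": context_for_host(events, host, hits, minutes)}
            for host in sorted({h["host"] for h in hits})}


if __name__ == "__main__":
    for host, info in sweep(LOG_LINES).items():
        print(f"{host}: {len(info['hits'])} IOC hit(s)")
        for e in info["context"]:
            flag = "IOC" if e in info["hits"] else "   "
            print(f"  {flag} {e['ts']:%H:%M:%S} {e['user']} {e['dest']} {e['ip']} {e['bytes']}B")
```

On the constructed data, ws-017 shows a request to cdn.example.org immediately before the POST to the IOC domain and a larger download right after it, which is the kind of sequence worth a closer look; the intranet request seven minutes later falls outside the five-minute window. Widen the window or pivot to other log sources (DNS, endpoint) once a hit is confirmed.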
Hypothesis based threat hunting
Threat hunters create hypotheses and then monitor activity for patterns that would confirm them, so that threat actors can be detected proactively before they do any damage to the environment. A hypothesis can be based on: 1. A newly shared threat report or other new information about a threat: the hunter forms a hypothesis from it and hunts to make sure the new threat has not already infected their organization. 2. An attack the hunter has learned about: they hunt for any indicator of that attack in their environment. 3. The data itself: the hunter starts directly from the data and tries to find anything malicious.
Anomaly based threat hunting
Leverages machine learning or statistical baselining to detect abnormal behavior and uncover new threat patterns.
Situational based threat hunting
Starts the hunt from the enterprise's internal risk assessment and vulnerability analysis of the environment (this methodology is driven by situational awareness).

What Threat Hunter Needs

Every part of the organization needs to be monitored, because the effectiveness of a hunt depends on the quality and coverage of the data it has to work with.
Threat Intel
Threat hunters base their hunts on IOAs (indicators of attack) and IOCs (indicators of compromise).
Baseline
In order to detect abnormalities the threat hunter needs to understand normality, so a baseline defines the events that are authorized and expected, making it easier to spot anomalies.
The more you know about your own network, the more effect­ively you can protect it.
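The following Python is an added example (not from the cheat sheet) of the baseline idea above and of the anomaly-based methodology: it learns what is authorized and expected for each user from a window of known-good logons and then scores a new day against it. The baseline, the day under review and the user and host names are constructed; the three-sigma threshold and the absolute margin are assumptions a team would tune.

```python
"""Baseline-then-anomaly scoring of logon events (added example; the baseline and the
day under review are constructed, not real telemetry). Events are (user, source_host, date, hour)."""
import statistics
from collections import Counter, defaultdict


def constructed_baseline():
    """Ten days of 'known good' logons: alice from ws-017 three times a day,
    bob from ws-022 twice a day plus an occasional logon from a second desk."""
    events = []
    for d in range(1, 11):
        day = f"2024-03-{d:02d}"
        events += [("alice", "ws-017", day, h) for h in (8, 12, 17)]
        events += [("bob", "ws-022", day, h) for h in (9, 14)]
        if d in (3, 8):
            events.append(("bob", "ws-023", day, 16))
    return events


# Constructed day under review: one normal alice logon, one alice logon at 03:00 from a
# database server she never used, a user absent from the baseline, and a burst of 40
# bob logons that is far above his usual two per day.
NEW_DAY = ([("alice", "ws-017", "2024-03-11", 8),
            ("alice", "srv-db-01", "2024-03-11", 3),
            ("mallory", "ws-017", "2024-03-11", 10)]
           + [("bob", "ws-022", "2024-03-11", 9)] * 40)


def build_baseline(events):
    """Per user: source hosts and logon hours seen, plus mean/stdev of daily counts."""
    hosts, hours, daily = defaultdict(set), defaultdict(set), defaultdict(Counter)
    for user, host, day, hour in events:
        hosts[user].add(host)
        hours[user].add(hour)
        daily[user][day] += 1
    baseline = {}
    for user in hosts:
        counts = list(daily[user].values())
        baseline[user] = {"hosts": hosts[user], "hours": hours[user],
                          "mean": statistics.mean(counts),
                          "stdev": statistics.pstdev(counts)}
    return baseline


def score_day(baseline, events):
    """Flag events that fall outside what the baseline authorizes and expects."""
    findings = []
    for user, host, day, hour in events:
        b = baseline.get(user)
        if b is None:
            findings.append({"user": user, "host": host, "hour": hour,
                             "reason": "user not in baseline"})
            continue
        if host not in b["hosts"]:
            findings.append({"user": user, "host": host, "hour": hour,
                             "reason": "new source host"})
        if hour not in b["hours"]:
            findings.append({"user": user, "host": host, "hour": hour,
                             "reason": "logon hour outside baseline"})
    # Volume check: above mean + 3 sigma, with an absolute margin of 2 so that a
    # perfectly regular baseline (stdev 0) does not flag a single extra logon.
    for user, n in Counter(u for u, _, _, _ in events).items():
        b = baseline.get(user)
        if b and n > b["mean"] + 3 * b["stdev"] and n > b["mean"] + 2:
            findings.append({"user": user, "host": None, "hour": None,
                             "reason": "logon count spike", "count": n})
    return findings


if __name__ == "__main__":
    for finding in score_day(build_baseline(constructed_baseline()), NEW_DAY):
        print(finding)
```

The point of the absolute margin is the edge case a pure z-score misses: when a user's baseline is perfectly regular the standard deviation is zero and every deviation becomes "infinite sigma", so a fourth logon would be flagged without it. A real baseline should also be rebuilt on a schedule, since an attacker present during the learning window becomes part of "normal".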

Threat Hunting Process

Create hypothesis
The key to getting started in threat hunting is knowing what to ask. Example: Which threat actors are likely to target my organization? What are they targeting? What are their motives?
Invest­igate via tools and techniques
After generating the hypothesis, it needs to be tested using the relevant tools and techniques.
Uncover new patterns and TTPs
This step aims to uncover new patterns and TTPs found during the investigation; here the hypothesis is proved or disproved (a disproved hypothesis can be refined and retested).
Inform and enrich Analytics
Successful hunts form the basis for informing and enriching automated analytics: information from hunts can be used to improve existing detection mechanisms, for example by updating SIEM rules or detection signatures.
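As an added example (not code from the cheat sheet), the following Python carries one hypothesis-based hunt through the four steps above: a hypothesis built from a known attack (the second source of hypotheses listed under the methodologies), the query that investigates it, a summary of the patterns the hits share, and a Sigma-style rule that turns the hunt into a permanent analytic, with a small evaluator that checks the rule re-detects the hunt's findings. The process-creation events are constructed, not real telemetry; the executable paths and hostnames are invented; the MITRE ATT&CK IDs are used only as tags.

```python
"""One hypothesis-driven hunt carried through the four process steps (added example;
the process-creation events are constructed, not real telemetry)."""
from collections import Counter

# 1. Create hypothesis.
HYPOTHESIS = ("A phishing attachment (T1566, T1204.002) has executed on a workstation; "
              "if so, an Office application will have spawned a script interpreter (T1059).")

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed process-creation events (fields modelled on Sysmon/EDR telemetry, values invented).
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
WORD = "C:\\Program Files\\Microsoft Office\\root\\Office16\\winword.exe"
EVENTS = [
    {"host": "ws-017", "parent": WORD, "image": PS,
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A"},
    {"host": "ws-017", "parent": PS, "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": "rundll32.exe C:\\Users\\Public\\upd.dll,Start"},
    {"host": "ws-022", "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\excel.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"host": "ws-030", "parent": "C:\\Windows\\explorer.exe", "image": PS,
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"host": "ws-041", "parent": WORD, "image": "C:\\Windows\\splwow64.exe",
     "cmdline": "splwow64.exe 12288"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


# 2. Investigate via tools and techniques: the query that tests the hypothesis.
def investigate(events):
    return [e for e in events
            if basename(e["parent"]) in OFFICE_APPS and basename(e["image"]) in INTERPRETERS]


# 3. Uncover new patterns and TTPs: summarize what the hits have in common.
def uncover_patterns(hits):
    patterns = Counter()
    for h in hits:
        cl = h["cmdline"].lower()
        patterns[f"{basename(h['parent'])} -> {basename(h['image'])}"] += 1
        if "-enc " in cl or "-encodedcommand" in cl:
            patterns["encoded_command"] += 1
        if "-w hidden" in cl or "-windowstyle hidden" in cl:
            patterns["hidden_window"] += 1
    return patterns


# 4. Inform and enrich analytics: the hunt's parent/child sets become a Sigma-style rule.
def to_detection_rule():
    return {
        "title": "Office application spawning a script interpreter",
        "tags": ["attack.t1566", "attack.t1204.002", "attack.t1059"],
        "logsource": {"category": "process_creation", "product": "windows"},
        "detection": {
            "selection": {
                "ParentImage|endswith": sorted("\\" + p for p in OFFICE_APPS),
                "Image|endswith": sorted("\\" + i for i in INTERPRETERS),
            },
            "condition": "selection",
        },
        "level": "high",
    }


def rule_matches(rule, event):
    """Minimal evaluator for the rule above (only the |endswith modifier is supported),
    used to confirm the new analytic re-detects the hunt's findings before deployment."""
    field_map = {"ParentImage": "parent", "Image": "image"}
    for key, suffixes in rule["detection"]["selection"].items():
        field, modifier = key.split("|")
        assert modifier == "endswith"
        value = event[field_map[field]].lower()
        if not any(value.endswith(s.lower()) for s in suffixes):
            return False
    return True


if __name__ == "__main__":
    hits = investigate(EVENTS)
    print(HYPOTHESIS)
    print("hits:", [(h["host"], basename(h["image"])) for h in hits])
    print("patterns:", dict(uncover_patterns(hits)))
    print("rule re-detects:", [rule_matches(to_detection_rule(), e) for e in EVENTS])
```

Two things the data is built to show: the benign winword.exe to splwow64.exe event on ws-041 is not a hit, so the rule does not fire on ordinary printing activity, and the rundll32.exe loading a DLL from C:\Users\Public on ws-017 is not matched by this rule at all. It is the follow-on activity a hunter finds by looking around the hit, and it would become its own hypothesis and, if confirmed, its own analytic.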

Threat Hunting Metrics

- Number of incidents detected, by severity
- Number of compromised hosts
- Dwell time of any incidents discovered
- Number of detection gaps filled
- Any new visibility gained during the exercise
- False positive rate
- Vulnerabilities identified
- Number of hunts transitioned into new analytics
These metrics can be used to measure the success of a hunt.



