There are many different approaches to strengthening an organization’s cybersecurity defenses against adversaries. One fundamental approach is the threat hunt. Threat hunts give an organization a proactive opportunity to uncover attacker presence in its environment. While no formal academic definition of threat hunting exists, this paper defines threat hunting as the proactive, analyst-driven process of searching for attacker tactics, techniques, and procedures (TTP) within an environment.
Attacker TTP must be researched and understood before an analyst knows what to search for in collected data. Information about attacker TTP most often derives from signatures, indicators, and behaviors observed through threat intelligence sources [15]. That intelligence should also carry context: the facilities targeted, the systems affected, the protocols manipulated, and any other information that helps the analyst understand the attacker’s TTP.
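The two paragraphs above describe threat hunting as an analyst-driven search for researched TTP across collected data, guided by context from threat intelligence. The Python below is an added example, not code from the paper or from any project it cites: it encodes that context (targeted facilities, affected systems, protocols, indicators, and behavioral signatures) in a small profile and runs it over constructed log lines. The TTP, indicators, hostnames, and log lines are all hypothetical and constructed for illustration.

```python
"""
Added example (not from the paper): a minimal threat-hunt workflow that turns
threat-intelligence context about an attacker TTP into a search over collected
host and network logs. Every indicator, hostname and log line below is
constructed for illustration and does not describe any real campaign.
"""
from dataclasses import dataclass
import re


@dataclass
class TTPProfile:
    """Context an analyst records while researching a TTP from threat intelligence."""
    name: str
    targeted_facilities: list[str]   # sites or business units the intel says were hit
    affected_systems: list[str]      # system roles the attacker touched
    protocols: list[str]             # protocols manipulated (lower case)
    indicators: set[str]             # atomic indicators (IPs, hashes); constructed here
    behaviors: list[re.Pattern]      # behavioral signatures expressed as regexes


@dataclass
class Hit:
    line: str
    reasons: list[str]   # which indicator(s) or behavior(s) matched
    in_scope: bool       # event also matches the facility/system/protocol context


# Constructed threat-intel record for a hypothetical TTP (not a real one).
PROFILE = TTPProfile(
    name="hypothetical-ttp-office-macro-to-smb",
    targeted_facilities=["plant-a"],
    affected_systems=["engineering-workstation"],
    protocols=["smb", "rdp"],
    # TEST-NET address and the MD5 of an empty file: placeholders, not real IoCs.
    indicators={"203.0.113.45", "d41d8cd98f00b204e9800998ecf8427e"},
    behaviors=[
        re.compile(r"parent=winword\.exe .*child=powershell\.exe", re.I),
        re.compile(r"proto=smb .*dst_port=445 .*flag=admin\$", re.I),
    ],
)

# Constructed log lines in a simple key=value format (host and network events).
LOGS = [
    "ts=2024-01-01T08:00:01 host=ews-01 site=plant-a role=engineering-workstation parent=explorer.exe child=chrome.exe",
    "ts=2024-01-01T08:00:05 host=ews-01 site=plant-a role=engineering-workstation parent=winword.exe child=powershell.exe",
    "ts=2024-01-01T08:00:09 host=ews-01 site=plant-a role=engineering-workstation proto=smb dst=203.0.113.45 dst_port=445 flag=ADMIN$",
    "ts=2024-01-01T08:01:00 host=hr-07 site=hq role=office-workstation proto=https dst=198.51.100.9 dst_port=443",
    "ts=2024-01-01T08:02:00 host=fs-02 site=plant-a role=file-server proto=smb dst=10.0.0.5 dst_port=445 flag=share",
]


def parse_line(line: str) -> dict[str, str]:
    """Split a key=value log line into a dict; tokens without '=' are ignored."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def hunt(profile: TTPProfile, logs: list[str]) -> list[Hit]:
    """Search collected logs for the profile's indicators and behaviors.

    Indicator matches are exact field-value comparisons; behavior matches are
    regex searches over the raw line. Each hit is flagged in_scope when the
    event's site, role or protocol also agrees with the intel context, which
    is how an analyst prioritizes what to examine first.
    """
    hits: list[Hit] = []
    for line in logs:
        fields = parse_line(line)
        reasons = [f"indicator:{v}" for v in fields.values() if v in profile.indicators]
        reasons += [f"behavior:{p.pattern}" for p in profile.behaviors if p.search(line)]
        if reasons:
            in_scope = (
                fields.get("site") in profile.targeted_facilities
                or fields.get("role") in profile.affected_systems
                or fields.get("proto") in profile.protocols
            )
            hits.append(Hit(line, reasons, in_scope))
    return hits


def unobserved(profile: TTPProfile, hits: list[Hit]) -> list[str]:
    """Profile elements that never matched: either absent from the environment
    or not covered by the data collected, which is itself a hunt finding."""
    seen = {r for h in hits for r in h.reasons}
    missing = [f"indicator:{i}" for i in sorted(profile.indicators) if f"indicator:{i}" not in seen]
    missing += [f"behavior:{p.pattern}" for p in profile.behaviors if f"behavior:{p.pattern}" not in seen]
    return missing


if __name__ == "__main__":
    for h in hunt(PROFILE, LOGS):
        print("IN-SCOPE" if h.in_scope else "OUT-OF-SCOPE", h.reasons, h.line)
    print("not observed:", unobserved(PROFILE, LOGS and hunt(PROFILE, LOGS)))
```

The profile separates atomic indicators (cheap but brittle) from behavioral signatures (more durable), and the `unobserved` output tells the hunter which parts of the researched TTP the collected data could not confirm, so the next step is either a negative finding or a gap in log collection.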