Types of threat hunting

Structured
  • based on indicators of attack (IOAs) and the attacker's tactics, techniques and procedures (TTPs), i.e. on behaviour rather than on specific artefacts

  • because behaviour is matched rather than a known-bad hash or address, the hunter can often identify a threat actor before the attacker has caused damage to the environment

  • uses the MITRE ATT&CK framework (Enterprise ATT&CK; the former PRE-ATT&CK matrix has since been folded into Enterprise as the Reconnaissance and Resource Development tactics)

Unstructured
  • based on a trigger, typically an indicator of compromise (IOC) such as a file hash, domain or IP address

  • the trigger cues the hunter to look for patterns of activity before and after the detection

  • the hunter can research as far back as data retention and previously associated offenses allow; anything older than the retention window is simply not searchable

Situational or entity-driven
  • comes from an enterprise's internal risk assessment, or from a trends and vulnerabilities analysis unique to its IT environment (for example, hunting around the handful of high-value entities such as domain controllers, privileged accounts or crown-jewel data stores)
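The difference between the structured and unstructured styles above is easiest to see when both are run over the same telemetry. The following is an added example, not code from the original page: it builds a small constructed set of process-creation events (hostnames, hashes and command lines are made up), applies a retention window, and then runs a structured hunt (hypothesis: an Office application spawning a script interpreter, mapped to ATT&CK T1059 sub-techniques) and an unstructured hunt (trigger: one SHA-256 IOC, pivoting to the activity before and after each hit on the affected hosts). The ATT&CK technique IDs are real; everything else is an assumption for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record as an EDR or Sysmon-style sensor would emit it."""
    id: int
    ts: datetime
    host: str
    parent: str
    image: str
    sha256: str
    cmdline: str


# Constructed sample telemetry: hosts, hashes and command lines are invented.
RAW_EVENTS = [
    ProcEvent(1, datetime(2024, 3, 14, 9, 1), "WS-01", "winword.exe", "powershell.exe",
              "a1" * 32, "powershell.exe -nop -w hidden -enc SQBFAFgAIAAo"),
    ProcEvent(2, datetime(2024, 3, 14, 9, 2), "WS-01", "powershell.exe", "update.exe",
              "b2" * 32, r"C:\Users\Public\update.exe"),
    ProcEvent(3, datetime(2024, 3, 14, 9, 30), "WS-02", "explorer.exe", "powershell.exe",
              "c3" * 32, r"powershell.exe -File C:\scripts\backup.ps1"),
    ProcEvent(4, datetime(2024, 3, 13, 17, 45), "WS-03", "outlook.exe", "cmd.exe",
              "d4" * 32, "cmd.exe /c whoami"),
    # Older than the retention window below: an unstructured hunt cannot see it.
    ProcEvent(5, datetime(2024, 1, 20, 8, 15), "WS-05", "explorer.exe", "update.exe",
              "b2" * 32, r"C:\Users\Public\update.exe"),
    ProcEvent(6, datetime(2024, 3, 10, 11, 0), "WS-04", "explorer.exe", "update.exe",
              "b2" * 32, r"C:\Users\Public\update.exe"),
    ProcEvent(7, datetime(2024, 3, 10, 11, 3), "WS-04", "update.exe", "net.exe",
              "e5" * 32, "net.exe localgroup administrators"),
]

# Assumed "now" and retention period so the example is deterministic.
NOW = datetime(2024, 3, 15, 12, 0)
RETENTION = timedelta(days=30)

# Structured-hunt hypothesis: Office parent -> script interpreter child.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {
    "powershell.exe": "T1059.001",  # Command and Scripting Interpreter: PowerShell
    "cmd.exe": "T1059.003",         # Windows Command Shell
    "wscript.exe": "T1059.005",     # Visual Basic
    "cscript.exe": "T1059.005",
}


def retained(events, now=NOW, retention=RETENTION):
    """Return only the events still inside the retention window; older data is gone."""
    cutoff = now - retention
    return [e for e in events if e.ts >= cutoff]


def structured_hunt(events):
    """TTP-driven: match behaviour, so new hashes or infrastructure still hit.

    Returns (event id, host, ATT&CK technique) for every Office-spawned interpreter.
    """
    return [
        (e.id, e.host, SCRIPT_HOSTS[e.image.lower()])
        for e in events
        if e.parent.lower() in OFFICE_PARENTS and e.image.lower() in SCRIPT_HOSTS
    ]


def unstructured_hunt(events, ioc_sha256, window=timedelta(hours=1)):
    """IOC-driven: find every host that ran the hash, then pull the activity
    around each hit so the hunter can see what preceded and followed it.

    Returns {host: [event ids within +/- window of a hit on that host]}.
    """
    result = {}
    for hit in (e for e in events if e.sha256 == ioc_sha256):
        ids = result.setdefault(hit.host, set())
        ids.update(e.id for e in events
                   if e.host == hit.host and abs(e.ts - hit.ts) <= window)
    return {host: sorted(ids) for host, ids in result.items()}


if __name__ == "__main__":
    visible = retained(RAW_EVENTS)
    print("structured (Office -> interpreter):", structured_hunt(visible))
    print("unstructured (pivot from IOC hash):", unstructured_hunt(visible, "b2" * 32))
```

Note what each style misses on this data: the structured hunt finds WS-01 and WS-03 but never sees WS-04, where the same binary was launched from explorer.exe with no Office parent; the unstructured hunt finds WS-01 and WS-04 from the hash but never sees WS-03, whose binary has a different hash, and it cannot find WS-05 at all because that event fell outside retention before the IOC arrived.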
