Types of threat hunting

Structured

• based on IOA and TTP of the attacker

• the hunter can usually identify a threat actor even before the attacker can cause damage to the environment

• use MITRE ATT&CK Frameworks (PRE-ATT&CK and enterprise frameworks)

Unstructured

• based on a trigger (IOC)

• often cues a hunter to look for pre- and post-detection patterns

• the hunter can research as far back as the data retention, and previously associated offenses allow

Situational or entity driven

• comes from an enterprise's internal risk assessment or a trends and vulnerabilities analysis unique to its IT environment