Threat Hunt (TH) Program Part 9 - Threat Hunt Program Training

  • brencronin
  • 14 hours ago
  • 5 min read

Threat Hunt Program Training - Standard Operating Procedure (SOP)


1. Purpose


This Standard Operating Procedure (SOP) establishes the training framework for personnel assigned to the Threat Hunting program. The objective is to ensure that threat hunters develop the technical, analytical, and operational competencies required to proactively identify adversary activity within the organization’s environment.


This SOP defines:


  • Required threat hunting skill domains

  • Training phases from foundational to advanced levels

  • Competency validation methods

  • Ongoing skill maintenance requirements


2. Training Objectives


The Threat Hunting training program aims to ensure personnel can:


  • Understand and leverage organizational telemetry and data sources

  • Analyze attacker behaviors and intrusion patterns

  • Conduct intelligence-driven threat hunts

  • Perform advanced data analysis across large datasets

  • Develop hypotheses and test them analytically

  • Document investigations and communicate findings

  • Convert hunt findings into operational detections


3. Core Threat Hunting Skill Domains


All threat hunters must develop proficiency across the following skill domains.


3.1 Understanding Available Data Sources


Effective threat hunting begins with understanding what telemetry exists and where it resides within the organization.


Threat hunters must understand the structure, accessibility, and limitations of available data sources.


Core Data Sources


Training must begin with the SOC Triad:

  • Network telemetry

  • Endpoint telemetry

  • Log data


Threat hunters should then expand to include:


  • Cloud telemetry

  • Application logs

  • Identity and authentication data

  • Email security telemetry

  • Identity Threat Detection & Response (ITDR)

  • Application Detection & Response (ADR)

  • Threat Intelligence Platforms (TIP)


Data Source Evaluation Skills


Threat hunters must be trained to evaluate:


  • Whether telemetry is centralized in the SIEM or distributed across tools

  • Visibility gaps in telemetry coverage

  • Cost vs. value of ingesting additional data sources

  • Retention limitations that affect historical hunting


3.2 Understanding How Attacks Manifest


Threat hunters must understand how real-world attacks unfold across systems and telemetry sources.


Training must include instruction in:


  • Attack lifecycle analysis

  • Adversary tactics and techniques

  • Observable artifacts generated during attacks


Threat hunters should be able to answer:


  • What is the attacker attempting to accomplish?

  • What artifacts would this attack generate?

  • What telemetry sources should contain evidence?


Analytical Frameworks


Training should include the Diamond Model of Intrusion Analysis, which evaluates:


  • Adversary

  • Infrastructure

  • Victim

  • Capability


This model supports:


  • Threat actor attribution

  • Anticipation of attacker behavior

  • Identification of follow-on attack activity


3.3 OSINT Research and Threat Actor Analysis


Threat hunters must understand how to conduct open-source intelligence (OSINT) research and interpret cyber threat intelligence.


Training must clarify the distinction between:

  Discipline                        Focus
  Cyber Threat Intelligence (CTI)   External actor reporting
  Threat Hunting                    Internal detection and validation

Threat hunters should understand:


  • Malware families

  • Threat actor infrastructure

  • Initial access techniques

  • Indicators of behavior (IOBs)

  • Campaign patterns


This knowledge allows hunters to translate external intelligence into internal investigative hypotheses.


3.4 Data Analysis and Query Development


Threat hunting relies heavily on the ability to analyze large datasets.


Threat hunters must demonstrate proficiency with security analytics query languages such as:


  • KQL (Kusto Query Language, Microsoft environments)

  • SPL (Splunk Search Processing Language)

  • Elastic query languages (Kibana KQL, EQL, Query DSL)


Training must include instruction on:


  • Query logic construction

  • Data filtering

  • Aggregations

  • Dataset pivots

  • Data visualization

  • Statistical analysis


Analytical Techniques


Threat hunters must understand the GAPSS analytical model:

  • Graphs

  • Aggregations

  • Pivots

  • Statistical summaries

  • Search logic


Additional training must include anomaly detection techniques:


  • Mean and median analysis

  • Field cardinality evaluation

  • Frequency distribution analysis

  • Stack counting

  • Z-score anomaly identification


3.5 Threat Hunt Documentation


Threat hunters must document investigations continuously throughout the hunt lifecycle.


Documentation must include:


  • Hunt hypothesis

  • Data sources analyzed

  • Query logic used

  • Assumptions and analytical reasoning

  • Results and findings


Well-documented hunts enable:


  • Repeatable investigations

  • Knowledge transfer

  • Detection engineering

  • Executive reporting

  • CTI integration


3.6 Simulation and Hypothesis Testing


Threat hunters must validate hypotheses through testing and simulation.


Training must include:


Query Validation


Hunters must learn to:


  • Validate queries against known benign datasets

  • Expand queries from broad to narrow scopes

  • Confirm data field behavior before drawing conclusions


Simulated Attack Scenarios


Threat hunters should conduct controlled simulations using:


  • Lab environments

  • Attack simulation tools

  • Custom scripts (e.g., PowerShell)


Simulations allow hunters to:


  • Validate telemetry visibility

  • Confirm detection coverage

  • Improve analytical accuracy
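
The following is an added example, not code from the original post, that walks through the query validation and simulation steps above on a constructed benign baseline: check what values a field actually carries, run a broad query and measure its false-positive rate on known-benign data, narrow the scope, and then confirm that a simulated event is the only thing the narrowed query returns. The baseline records and the simulated event are constructed, and the hypothesis (service accounts, assumed here to be named svc_*, never log on interactively) is an assumed organizational rule.

```python
"""Validating a hunt query against a benign baseline, then a simulated event.

Added example for the Query Validation and Simulated Attack Scenarios topics;
it is not code from the original post. The baseline records and the simulated
event are constructed, and the hypothesis (service accounts, named svc_* by
assumption, never log on interactively) is an assumed organizational rule.
"""

# Constructed known-benign baseline: a slice of normal logon activity.
# Note the inconsistent casing of logon_type; two collectors feeding the
# same SIEM field is a common source of this kind of field behaviour.
BENIGN_BASELINE = [
    {"user": "alice", "src": "ws01", "logon_type": "Interactive"},
    {"user": "bob", "src": "ws02", "logon_type": "interactive"},
    {"user": "carol", "src": "ws03", "logon_type": "Interactive"},
    {"user": "dave", "src": "ws04", "logon_type": "interactive"},
    {"user": "erin", "src": "ws05", "logon_type": "RemoteInteractive"},
    {"user": "svc_backup", "src": "srv01", "logon_type": "Service"},
    {"user": "svc_sql", "src": "srv02", "logon_type": "Service"},
    {"user": "svc_sql", "src": "ws01", "logon_type": "Network"},
]

# Constructed event a lab simulation would generate to test the hypothesis.
SIMULATED_EVENT = {"user": "svc_backup", "src": "ws06", "logon_type": "Interactive"}


def distinct_values(events, field):
    """Confirm field behaviour before drawing conclusions: list the values
    the field actually carries, so the query is written against them."""
    return sorted({e[field] for e in events})


def query_broad(e):
    """Broad first pass: every interactive logon, case-folded because of the
    mixed casing seen in the baseline. Expected to be noisy."""
    return e["logon_type"].lower() == "interactive"


def query_narrow(e):
    """Narrowed scope: interactive logons by service accounts only."""
    return query_broad(e) and e["user"].startswith("svc_")


def validate_against_benign(query, benign):
    """Run a query over known-benign data. Every hit is a false positive,
    so the hit rate is the query's baseline noise level."""
    hits = [e for e in benign if query(e)]
    return {"hits": len(hits), "total": len(benign),
            "fp_rate": len(hits) / len(benign)}


def simulation_detected(query, benign, simulated):
    """Detection coverage check: the query over baseline plus the simulated
    event should return exactly the simulated event and nothing else."""
    return [e for e in benign + [simulated] if query(e)] == [simulated]


if __name__ == "__main__":
    print("logon_type values:", distinct_values(BENIGN_BASELINE, "logon_type"))
    print("broad :", validate_against_benign(query_broad, BENIGN_BASELINE))
    print("narrow:", validate_against_benign(query_narrow, BENIGN_BASELINE))
    print("narrow query sees simulated event:",
          simulation_detected(query_narrow, BENIGN_BASELINE, SIMULATED_EVENT))
```

The distinct-value check is the step most often skipped: a query written as `logon_type == "Interactive"` would silently miss half the interactive logons in this baseline. The broad query then hits four of eight benign events, which is far too noisy to act on; the narrowed query hits none of them yet still returns the simulated event, which is the evidence that both telemetry visibility and the query logic are good before the hunt runs against production data.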


4. Threat Hunter Training Phases


Threat hunter training should progress through structured phases from foundational knowledge to advanced analytical expertise.


Phase 1 – Foundational Training


Focus: Security Operations and telemetry fundamentals.


Training topics include:


  • SOC operations

  • Security logging fundamentals

  • SIEM navigation

  • Endpoint and network telemetry basics

  • Introduction to cyber attacks

  • Query language fundamentals


Competency Validation


Candidates must complete:


  • Query language proficiency tests

  • Data source identification exercises

  • Basic hunt scenario analysis


Phase 2 – Intermediate Threat Hunting


Focus: Structured hunting and attacker analysis.


Training topics include:


  • Threat hunting methodologies

  • Threat actor behavior analysis

  • Hypothesis-driven hunting

  • CTI integration into hunts

  • Data analytics techniques


Competency Validation


Personnel must complete:


  • Structured threat hunt exercises

  • Written hunt reports

  • CTI-to-hunt hypothesis translation exercises

  • Scenario-based threat analysis tests


Phase 3 – Advanced Threat Hunting


Focus: Complex investigations and strategic analysis.


Training topics include:


  • Advanced statistical analysis

  • Large dataset investigations

  • Multi-source correlation

  • Threat actor campaign analysis

  • Detection development from hunt findings


Competency Validation


Personnel must demonstrate proficiency through:


  • Full threat hunt mission execution

  • Analytical briefings to leadership

  • Detection engineering deliverables

  • Peer review validation of hunt findings


Phase 4 – Expert / Lead Threat Hunter


Focus: Threat hunting program leadership and methodology development.


Responsibilities include:


  • Designing threat hunt missions

  • Developing hunting frameworks

  • Leading complex investigations

  • Mentoring junior hunters

  • Converting hunts into detection programs


Competency Validation


Expert hunters must demonstrate:


  • Successful leadership of multiple hunt missions

  • Development of reusable hunt modules

  • Creation of new detection logic

  • Training and mentorship of junior staff


5. Competency Verification Methods


Threat hunter competency should be evaluated using multiple validation mechanisms.


Knowledge Assessments


  • Written exams

  • Scenario-based questions

  • Threat actor analysis exercises


Practical Assessments


  • Hands-on hunt exercises

  • Query development testing

  • Dataset analysis challenges


Operational Deliverables


Personnel must demonstrate capability through:


  • Completed hunt reports

  • Developed detection queries

  • Simulation results

  • Executive briefings


Peer Review


Senior threat hunters should review:


  • Analytical methodology

  • Query logic

  • Documentation completeness

  • Accuracy of conclusions


6. Continuous Training Requirements


Threat hunters must maintain proficiency through ongoing training activities including:


  • Participation in new hunt missions

  • CTI briefings

  • Detection engineering collaboration

  • Technical research and tool development

  • Industry conference participation

  • Simulation exercises


Threat hunting skill development should be treated as a continuous professional discipline, as attacker techniques evolve rapidly.


7. Training Records and Documentation


Training completion and competency evaluations must be recorded in the organization’s training tracking system.


Records should include:


  • Training completed

  • Assessment results

  • Certifications obtained

  • Threat hunt missions completed

  • Skills progression level


These records ensure the organization maintains a measurable and continuously improving threat hunting capability.


References


ATT&CK - Adversary TTPs - attack.mitre.org

D3FEND - Defensive Countermeasures - d3fend.mitre.org

RE&CT - Incident Response - https://atc-project.github.io/react-navigator/

ENGAGE - Deception & Engagement - https://engage.mitre.org/matrix/

ATLAS - AI/ML Security - https://atlas.mitre.org/matrices/ATLAS

EMB3D - Embedded Device Security - emb3d.mitre.org

FiGHT - 5G Infrastructure - fight.mitre.org

CREF - Cyber Resiliency - https://crefnavigator.mitre.org/navigator

