Threat Hunt (TH) Programs Part 2 - Threat Hunt Mission Intake, Prioritization, Design, Scoping, and Targeting
- brencronin
- 12 hours ago
- 5 min read
Threat Hunt Mission Intake, Prioritization, Design, Scoping, and Targeting - Standard Operating Procedure (SOP)
1. Purpose
This SOP establishes the standardized process for intaking, prioritizing, designing, scoping, and targeting Threat Hunt missions within the organization. The goal is to ensure threat hunting activities are centrally coordinated, strategically prioritized, and executed in a structured and repeatable manner that maximizes operational effectiveness and visibility to leadership.
2. Scope
This procedure applies to all Threat Hunt missions conducted by the Threat Hunting team and includes coordination with Cyber Threat Intelligence (CTI), Security Operations Center (SOC), Detection Engineering, and Incident Response teams.
3. Threat Hunt Mission Intake
All Threat Hunt missions must be formally recorded and tracked within a centralized Threat Hunt Mission Tracker or Register. This centralized system enables effective mission planning, coordination among team members, and visibility into mission progress and outcomes.
Each new mission must be logged during the mission intake process, which documents the origin, objective, and initial scope of the proposed threat hunt.
3.1 Primary Sources of Threat Hunt Missions
Threat Hunt missions may originate from several sources, including:
1. Organizational Security Incidents
Threat hunts initiated following a cybersecurity incident to determine whether related activity occurred elsewhere in the environment.
2. Leadership Directives
Threat hunts directed by organizational leadership based on perceived risk, emerging threats, or operational priorities.
3. Cyber Threat Intelligence (CTI) – Organization-Specific Threats
Threat intelligence indicating that specific threat actors, campaigns, or techniques may target the organization.
4. Cyber Threat Intelligence – Industry Trends
Threat intelligence identifying emerging threats, tactics, or attack campaigns affecting the organization's industry sector.
Each intake record must document:
Mission origin
Threat actor or threat activity
Relevant intelligence sources
Initial mission objective
Intake date
4. Threat Hunt Mission Prioritization
Because threat hunting missions may originate from multiple sources and cybersecurity threats evolve rapidly, all missions must be prioritized within the Threat Hunt mission tracker.
A priority field must be included within the mission tracking register.
4.1 Priority Determination Factors
Mission priority should be determined based on:
Threat severity
Organizational risk
Known active exploitation
Leadership directives
Impact to critical systems
CTI confidence and relevance
Current operational workload
Leadership frequently receives intelligence and threat reporting that may generate multiple hunting requests in a short period of time. While these requests may all represent valid concerns, threat hunts require sufficient time to conduct proper analysis.
The prioritization process ensures the team can answer operational questions such as:
Should the current mission be paused to start a higher-priority hunt?
Should the current mission be completed before starting the next one?
Proper prioritization ensures efficient use of analyst time while aligning threat hunting efforts with organizational risk priorities.
5. Threat Hunt Mission Design
Threat Hunt mission design defines the analytical structure of the hunt, including investigative methods and required tasks.
Threat hunt activities typically fall into several analytical categories.
5.1 Common Threat Hunt Task Categories
Threat Hunt tasks typically include:
1. Simple IOC-Based Hunts
Searching for indicators such as:
IP addresses
URLs/domains
File hashes
2. Binary Abuse Hunts
Analysis of binaries commonly abused by attackers (e.g., administrative utilities, scripting engines).
3. APT Tactics, Techniques, and Procedures (TTP) Hunts
Hunts focused on behavioral patterns associated with known threat actors.
4. Hypothesis-Based Threat Hunting
Structured hunts based on a formal hypothesis regarding attacker behavior within the environment.
5.2 Threat Hunt Methodology Considerations
Some practitioners consider hypothesis-based hunting to represent the highest maturity level of threat hunting. However, effective threat hunting programs often combine multiple methods.
For example, a single threat hunt mission targeting a specific threat actor may include:
IOC searches
Binary abuse analysis
TTP behavioral analysis
Hypothesis testing
Breaking a threat hunt mission into these analytical categories allows the mission to be conducted systematically and comprehensively.
6. Threat Hunt Modular Design
Threat Hunt missions should be broken into individual analytical modules. Modular design improves mission planning, execution, and reporting.
6.1 Benefits of Modular Threat Hunting
Modular design enables:
More accurate time estimation
Effective task delegation across team members
Workload balancing between junior and senior analysts
Performance tracking and trending
Structured mission progress reporting
6.2 Example Difficulty Classification
Threat Hunt modules may be categorized by difficulty level:
| Difficulty Level | Example Task Type |
| --- | --- |
| Light | Simple IOC searches |
| Medium | Binary usage analysis |
| Moderately Difficult | APT TTP analysis |
| Difficult | Hypothesis-based hunts |
| Very Difficult | Hunts requiring custom data parsing or advanced telemetry analysis |
6.3 Example Threat Hunt Mission Plan
A threat hunt mission targeting a specific threat actor may be structured as follows:
| Module | Task | Estimated Time |
| --- | --- | --- |
| Module 1 | IP IOC sweeps | 4 hours |
| Module 2 | URL IOC sweeps | 4 hours |
| Module 3 | File hash IOC sweeps | 4 hours |
| Module 4 | Binary abuse analysis (certutil) | 8 hours |
| Module 5 | Binary abuse analysis (curl) | 8 hours |
| Module 6 | Additional binary abuse analysis | 8 hours |
| Module 7 | Initial access TTP analysis | 12 hours |
| Module 8 | Persistence TTP analysis | 12 hours |
| Module 9 | Command-and-control (C2) analysis | 12 hours |
7. Threat Hunt Module Reuse and Intelligence Integration
Threat Hunt modules should contribute to long-term security improvements.
7.1 IOC Integration
All collected indicators should be integrated into the organization's Threat Intelligence Platform (TIP) and security tools.
IOC hunting evaluates historical activity. Even if no matching activity is identified during the hunt, adversaries may use those indicators in the future.
Integrating indicators into detection systems ensures future visibility if the threat actor reuses infrastructure.
7.2 Binary and TTP Baselines
Over time, threat hunts will produce a baseline understanding of normal behavior across the organization.
Examples include:
Baseline usage patterns for binaries such as certutil or curl
Common administrative behaviors
Expected network communication patterns
These baselines allow:
Reuse of previously developed hunt queries
Conversion of hunt queries into detection rules
Improved detection engineering coverage
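The following is an added example, not code from the original post or the author's program, showing how the IOC sweeps (section 5.1) and the binary baselines and detection-rule conversion described in 7.1 and 7.2 look in practice. The pipe-delimited log format, the hostnames, and the indicator values (RFC 5737 documentation addresses, `.example` domains, dummy hashes) are all constructed for illustration; the Sigma field names `DestinationIp` and `DestinationHostname` are standard, but the rule is only a minimal sketch of what detection engineering would receive.

```python
"""Added example, not from the original post: an IOC sweep over constructed
log lines, a per-host usage baseline for commonly abused binaries, and the
conversion of the mission's network IOCs into a minimal Sigma-style rule.

Everything here is constructed for illustration: the log format, the hosts,
and the indicator values. No real indicators are used.
"""
from collections import Counter, defaultdict

# Constructed IOC set as CTI might hand it to the hunt team for Modules 1-3.
IOCS = {
    "ip": {"203.0.113.45", "198.51.100.7"},
    "domain": {"update-cdn.example.net"},
    "sha256": {"a" * 64},
}

# Constructed telemetry. Format (an assumption for this example):
#   timestamp|host|net|dst_ip|dst_domain
#   timestamp|host|proc|image|sha256
HISTORICAL_LOGS = """\
2024-04-01T09:00:00Z|ws-101|proc|certutil.exe|{h1}
2024-04-02T09:10:00Z|ws-101|proc|certutil.exe|{h1}
2024-04-03T11:00:00Z|srv-pki|proc|certutil.exe|{h1}
2024-04-03T11:05:00Z|srv-pki|proc|curl.exe|{h2}
2024-04-04T12:00:00Z|ws-102|net|192.0.2.10|intranet.example.com
""".format(h1="c" * 64, h2="d" * 64).splitlines()

RECENT_LOGS = """\
2024-05-01T08:00:00Z|ws-101|proc|certutil.exe|{h1}
2024-05-01T08:02:00Z|ws-219|proc|certutil.exe|{bad}
2024-05-01T08:02:30Z|ws-219|net|203.0.113.45|update-cdn.example.net
2024-05-01T08:30:00Z|ws-102|net|192.0.2.10|intranet.example.com
""".format(h1="c" * 64, bad="a" * 64).splitlines()


def parse_line(line):
    """Parse one constructed log line into a dict; returns None for malformed lines."""
    parts = line.strip().split("|")
    if len(parts) != 5 or parts[2] not in ("net", "proc"):
        return None
    ts, host, kind, f1, f2 = parts
    if kind == "net":
        return {"ts": ts, "host": host, "kind": kind, "dst_ip": f1, "dst_domain": f2.lower()}
    return {"ts": ts, "host": host, "kind": kind, "image": f1.lower(), "sha256": f2.lower()}


def ioc_sweep(lines, iocs):
    """Modules 1-3: return (ts, host, ioc_type, value) for every indicator hit."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "net":
            if ev["dst_ip"] in iocs["ip"]:
                hits.append((ev["ts"], ev["host"], "ip", ev["dst_ip"]))
            if ev["dst_domain"] in iocs["domain"]:
                hits.append((ev["ts"], ev["host"], "domain", ev["dst_domain"]))
        elif ev["sha256"] in iocs["sha256"]:
            hits.append((ev["ts"], ev["host"], "sha256", ev["sha256"]))
    return hits


def binary_baseline(lines, binaries):
    """Section 7.2: count executions of each watched binary per host over the baseline period."""
    baseline = defaultdict(Counter)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["kind"] == "proc" and ev["image"] in binaries:
            baseline[ev["image"]][ev["host"]] += 1
    return baseline


def new_executors(baseline, lines, binaries):
    """Hosts that ran a watched binary in the hunt window but never did during the baseline."""
    outliers = set()
    for line in lines:
        ev = parse_line(line)
        if ev and ev["kind"] == "proc" and ev["image"] in binaries:
            if ev["host"] not in baseline.get(ev["image"], {}):
                outliers.add((ev["image"], ev["host"]))
    return sorted(outliers)


def iocs_to_sigma_rule(iocs, title):
    """Section 7.1: hand the network IOCs to detection engineering as a minimal Sigma-style rule.
    Separate selections are OR-ed in the condition; fields inside one selection would be AND-ed."""
    return {
        "title": title,
        "status": "experimental",
        "logsource": {"category": "network_connection"},
        "detection": {
            "sel_ip": {"DestinationIp": sorted(iocs["ip"])},
            "sel_domain": {"DestinationHostname": sorted(iocs["domain"])},
            "condition": "sel_ip or sel_domain",
        },
        "level": "high",
    }


if __name__ == "__main__":
    watched = {"certutil.exe", "curl.exe"}
    print("IOC hits:", ioc_sweep(RECENT_LOGS, IOCS))
    base = binary_baseline(HISTORICAL_LOGS, watched)
    print("New executors:", new_executors(base, RECENT_LOGS, watched))
    print("Rule:", iocs_to_sigma_rule(IOCS, "Mission IOC sweep - network indicators"))
```

The baseline step is what makes the binary-abuse modules reusable: the historical counts are built once, and each later mission only has to ask which hosts are new against them. The sweep returns no hits over the historical period and three over the hunt window, all from one host, which is exactly the shape of result that feeds the confidence statement in section 11.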
8. Threat Hunt Mission Targeting
Threat Hunt targeting defines:
Data sources to analyze
Detection methods
Analytical techniques
Required telemetry
Targeting ensures each module clearly identifies:
Relevant log sources
Analytical queries
Investigation steps
Expected outputs
9. Threat Hunt Mission Scoping
Once modules have been defined, the overall scope and duration of the mission can be estimated.
Mission scoping provides leadership with visibility into:
Estimated completion timelines
Analytical coverage
Resource requirements
Leadership often seeks answers to key operational questions:
Are we currently exposed to this threat?
How long until the threat hunt is complete?
Do additional resources need to be deployed?
Threat hunt modularization allows teams to provide realistic completion estimates while maintaining analytical rigor.
10. Threat Hunt Mission Time-Boxing
Threat hunt modules enable time-boxed execution, meaning each analytical task is allocated a specific time window for investigation. This concept is taken from Sydney Marrone's 'When to Stop Hunting'.
Time-boxing allows:
Efficient use of analyst time
Structured mission progress
Dynamic reprioritization if new threats emerge
For example, if a higher-priority threat appears during an ongoing hunt, leadership may decide to:
Pause remaining modules
Re-scope the hunt
Redirect resources to the new threat
This approach balances thorough investigation with operational agility.
11. Threat Hunt Confidence Levels
Threat hunt results should be communicated using confidence levels, which describe the level of analytical coverage achieved. This concept is taken from Sydney Marrone's 'When to Stop Hunting'.
Common confidence levels include:
Low Confidence
Some queries were executed, but investigation depth was limited.
Example: "Initial queries were executed with no findings."
Medium Confidence
Primary data sources were analyzed but some visibility gaps remain.
Example: "Key data sources were analyzed and no malicious activity was identified. However, coverage gaps exist in specific telemetry areas."
High Confidence
All relevant data sources were analyzed across the full time window and investigative methods were validated.
Example: "All relevant data sources were analyzed across the full investigation period. Detection logic was validated through simulation and no evidence of malicious activity was identified."
Intelligence Confidence Communication
Threat hunt teams should adopt structured confidence terminology commonly used in intelligence analysis when communicating results to leadership.
Using consistent confidence language helps leadership:
Understand investigation completeness
Assess residual risk
Make informed operational decisions
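As an added example, not code from the original post, the mission plan from section 6.3 is carried through the rest of the SOP: scoping (section 9), time-boxing and reprioritization against the section 4.1 factors (section 10), and the confidence level reported to leadership (section 11). The module names and hours are the post's own; the priority weights, the assumption of six productive analyst hours per day, and the coverage fields attached to each module are assumptions made for this example.

```python
"""Added example (not part of the original post): the section 6.3 mission plan
carried through scoping, time-boxing, reprioritization and confidence reporting.

The module hours come from the post's plan table. The priority weights, the
6-productive-hours-per-day figure and the per-module coverage fields are
assumptions for this example.
"""
from dataclasses import dataclass
import math


@dataclass
class HuntModule:
    name: str
    task: str
    hours: int                      # estimated effort, which is also the time box
    status: str = "planned"         # planned | in_progress | done | paused
    full_time_window: bool = False  # the whole mission time range was queried
    validated: bool = False         # query logic checked, e.g. against a simulation
    spent: float = 0.0              # analyst hours consumed so far


# The section 6.3 plan, encoded as data.
MISSION_PLAN = [
    HuntModule("Module 1", "IP IOC sweeps", 4),
    HuntModule("Module 2", "URL IOC sweeps", 4),
    HuntModule("Module 3", "File hash IOC sweeps", 4),
    HuntModule("Module 4", "Binary abuse analysis (certutil)", 8),
    HuntModule("Module 5", "Binary abuse analysis (curl)", 8),
    HuntModule("Module 6", "Additional binary abuse analysis", 8),
    HuntModule("Module 7", "Initial access TTP analysis", 12),
    HuntModule("Module 8", "Persistence TTP analysis", 12),
    HuntModule("Module 9", "Command-and-control (C2) analysis", 12),
]

# Section 4.1 factors as an additive score. The weights are an assumption.
PRIORITY_WEIGHTS = {
    "threat_severity": 3,        # 0-3 scale supplied by CTI
    "active_exploitation": 4,    # True/False
    "critical_systems": 3,       # True/False: impact to critical systems
    "leadership_directive": 2,   # True/False
    "cti_confidence": 2,         # 0-3 scale
}


def priority_score(factors):
    """Weighted sum of the known section 4.1 factors; higher means hunt sooner."""
    return sum(PRIORITY_WEIGHTS[k] * int(v) for k, v in factors.items() if k in PRIORITY_WEIGHTS)


def remaining_hours(modules):
    """Unfinished time-box hours; in-progress and paused modules keep what they have left."""
    return sum(max(m.hours - m.spent, 0) for m in modules if m.status != "done")


def estimate_scope(modules, analysts=1, hours_per_day=6):
    """Section 9: answer 'how long until the hunt is complete?' in working days."""
    remaining = remaining_hours(modules)
    return {
        "total_hours": sum(m.hours for m in modules),
        "remaining_hours": remaining,
        "working_days": math.ceil(remaining / (analysts * hours_per_day)),
    }


def time_box_exhausted(module):
    """Section 10: a module that has used its allocation stops and reports what it found."""
    return module.spent >= module.hours


def reprioritize(current_factors, new_factors, modules):
    """Section 10: pause unfinished modules only when the new mission outscores the current one.
    Returns the names of paused modules; an empty list means finish the current hunt first."""
    if priority_score(new_factors) <= priority_score(current_factors):
        return []
    paused = []
    for m in modules:
        if m.status in ("planned", "in_progress"):
            m.status = "paused"
            paused.append(m.name)
    return paused


def confidence_level(modules):
    """Section 11: derive the reported confidence from module completion and coverage."""
    done = [m for m in modules if m.status == "done"]
    if len(done) < len(modules):
        return "Low"       # some queries ran, but modules remain unfinished
    if all(m.full_time_window and m.validated for m in done):
        return "High"      # full window, validated logic, every module complete
    return "Medium"        # everything ran, but window or validation gaps remain


if __name__ == "__main__":
    print(estimate_scope(MISSION_PLAN, analysts=2))
    current = {"threat_severity": 2, "cti_confidence": 2}
    incoming = {"threat_severity": 3, "active_exploitation": True}
    print("Paused:", reprioritize(current, incoming, MISSION_PLAN))
    print("Confidence:", confidence_level(MISSION_PLAN))
```

Encoding the plan as data is what lets the same register answer all three leadership questions from section 9: the scope estimate comes from the remaining time boxes, the pause decision from comparing priority scores rather than from whichever request arrived last, and the confidence level from the recorded coverage of each finished module rather than from an analyst's impression.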
References
Sydney Marrone, 'When to Stop Hunting'