Threat Hunt (TH) Programs Part 3 - Threat Hunting & Cyber Threat Intelligence (CTI)

  • brencronin
  • Mar 15
  • 5 min read

Updated: Mar 15

Threat Hunting & Cyber Threat Intelligence (CTI) - Standard Operating Procedure (SOP)


1. Purpose


This Standard Operating Procedure (SOP) defines the processes for integrating Cyber Threat Intelligence (CTI) into Threat Hunting missions. The objective is to ensure threat hunting activities are informed by relevant intelligence, structured investigative methodologies, and standardized intelligence collection and analysis practices.


Effective integration of CTI into threat hunting improves the organization’s ability to:


  • Identify emerging threats targeting the organization

  • Detect adversary behaviors earlier in the attack lifecycle

  • Develop intelligence-driven threat hunt hypotheses

  • Improve detection engineering and security monitoring capabilities


2. Scope


This SOP applies to:


  • Threat Hunting teams

  • Cyber Threat Intelligence teams (if present)


The procedure covers CTI collection, analysis, storage, and operationalization for Threat Hunt mission planning and execution.


3. Roles and Responsibilities


Threat Hunting Team


Responsible for:


  • Initiating CTI collection for threat hunting missions

  • Analyzing intelligence relevant to the mission

  • Converting CTI insights into threat hunt tasks

  • Developing hypotheses and investigative queries


Cyber Threat Intelligence (CTI) Team (if applicable)


Responsible for:


  • Producing intelligence reports relevant to organizational threats

  • Supporting threat hunters with intelligence analysis

  • Providing threat actor profiles, TTP analysis, and indicators


4. CTI Role in Threat Hunting


Cyber Threat Intelligence (CTI) is a distinct cybersecurity operational discipline from threat hunting but plays a critical role in informing and guiding threat hunting missions.


Organizations may implement CTI integration in different ways depending on operational structure:


Organizations with a Dedicated CTI Team


  • CTI teams may initiate or recommend threat hunts

  • CTI reporting often drives mission targeting

  • Threat hunters consume CTI as a primary data source


Organizations without a Dedicated CTI Team


  • Threat hunters perform CTI collection and analysis themselves

  • Intelligence research becomes part of the threat hunt planning phase


In both cases, CTI provides the intelligence inputs that guide threat hunting missions.


5. CTI Collection During Threat Hunt Mission Planning


CTI collection begins during the Threat Hunt Mission Planning phase, once the mission objective is established. It runs concurrently with threat hunt mission scoping, and the mission scope may change depending on what the collected CTI reveals about the threat being hunted.


The depth of intelligence collection will vary depending on the type of threat hunt being conducted.


Threat Hunt Types


Threat hunts commonly fall into one or more of the following categories:


  • IOC-Based Hunts – Searches for known indicators such as IP addresses, domains, and file hashes

  • Binary Abuse Hunts – Analysis of attacker abuse of legitimate binaries

  • APT TTP Hunts – Investigation of adversary tactics, techniques, and procedures

  • Hypothesis-Based Hunts – Hunts built around a structured hypothesis about attacker behavior


6. CTI Collection Process


Step 1 – Intelligence Research and Collection


Threat hunters must conduct initial intelligence research related to the threat hunt mission.

Intelligence sources may include:


  • Open-source intelligence (OSINT)

  • Commercial threat intelligence platforms

  • Advisories

  • Industry threat reports

  • Internal incident reports

  • Security vendor research

  • Threat intelligence feeds


The quality and relevance of collected CTI directly impacts the effectiveness of the threat hunt mission.


Threat Actor Naming Considerations


When researching Advanced Persistent Threat (APT) actors, threat hunters must account for inconsistent naming conventions across CTI vendors.


Multiple intelligence providers often track the same threat actor but assign different names to the group.


Example: the same group may be tracked under one name by Vendor A, a different name by Vendor B, and a third name by Vendor C.


To address this challenge, analysts should use APT naming cross-reference resources that map threat actor aliases across vendors.


One commonly used reference is the 'APT Groups and Operations' Google Sheet, a shared mapping maintained by the security research community: https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/edit#gid=1864660085



Threat Intelligence Knowledge Frameworks


Threat hunters should leverage standardized intelligence frameworks when analyzing CTI.

MITRE ATT&CK


Threat actor behaviors should be mapped to the MITRE ATT&CK framework, which provides a structured model of adversary tactics and techniques.


7. CTI Storage and Intelligence Repository


Step 2 – Intelligence Storage and Documentation


All intelligence collected for a threat hunt mission must be stored in a centralized and accessible location.


The purpose of this repository is to:


  • Enable collaboration between threat hunters

  • Preserve intelligence used in the investigation

  • Support future threat hunts and detection engineering


Common CTI storage formats include:


  • Intelligence reports (PDF)

  • Security vendor reports

  • Web-based threat research articles

  • Intelligence platform records

  • Structured intelligence repositories


Centralized storage ensures consistent access to mission-related intelligence across the threat hunting team.


8. Intelligence Analysis for Threat Hunting


Step 3 – Intelligence Analysis


Threat hunters must analyze the collected CTI to understand:


  • Threat actor capabilities

  • Attack patterns

  • Tools and infrastructure used

  • Targeting patterns

  • Known exploitation methods


This analysis allows the threat hunter to translate intelligence into actionable investigation tasks.


AI-Assisted CTI Analysis


AI-assisted tools can significantly improve the speed and efficiency of CTI analysis.


AI may assist with:


  • Summarizing intelligence reports

  • Extracting indicators

  • Mapping behaviors to ATT&CK techniques

  • Visualizing attack flows


However, analysts must apply two key precautions:


  1. AI-generated analysis must be validated for accuracy.

  2. Threat hunters must maintain a strong understanding of the intelligence rather than relying solely on AI output.


AI-assisted CTI analysis is a rapidly evolving capability, and new tools continue to emerge to support this process.


CTI Analysis Tools


Several tools can assist with translating threat intelligence into threat hunt planning.


Attack Flow Visualization Tools


Tools exist that convert CTI reports into structured attack flow diagrams mapped to ATT&CK techniques.


Example capabilities include:


  • Extracting adversary tactics from CTI reports

  • Generating attack chain visualizations

  • Identifying investigation opportunities


Threat Report ATT&CK Mapping Platforms


Some platforms automate the mapping of CTI reports to ATT&CK techniques to support threat hunting and detection engineering.


These platforms help:


  • Identify relevant adversary techniques

  • Structure investigation strategies

  • Support detection coverage analysis


9. Converting CTI into Threat Hunt Tasks


Step 4 – Operationalizing Intelligence


Once CTI has been collected and analyzed, threat hunters must extract operational data from the intelligence and convert it into threat hunting tasks.


The following elements should be derived from the CTI analysis.


Indicators of Compromise (IOCs)


Examples include:


  • IP addresses

  • Domains

  • URLs

  • File hashes


These indicators can be used in IOC-based threat hunt modules.


Binary Abuse Indicators


Threat intelligence may identify specific binaries commonly abused by the threat actor.


Examples include:


  • Administrative utilities

  • Data transfer tools

  • System management binaries


Threat hunts should analyze:


  • Binary usage patterns

  • Command-line arguments

  • Execution frequency

  • Behavioral anomalies


Binary Abuse Patterns


Threat hunters should identify behavioral patterns of binary usage, including:


  • Unusual execution contexts

  • Suspicious command-line parameters

  • Execution on atypical systems
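The binary abuse checks listed above (usage patterns, command-line arguments, execution frequency, atypical systems) worked through as an added example that is not part of the original post: a baseline of process-execution events is profiled per binary, and events in the hunt window that deviate from it are flagged. The event tuples, host names and binary names are constructed, and the spike factor of 3 is an assumed threshold.

```python
from collections import Counter, defaultdict

# Constructed process-execution telemetry (not from the original post), as
# (host, user, binary, command_line). BASELINE is a known-good period; HUNT_WINDOW is the period being hunted.
BASELINE = [
    ("ADMIN-WS01", "itadmin", "mgmt-tool.exe", "mgmt-tool.exe --status"),
    ("ADMIN-WS01", "itadmin", "mgmt-tool.exe", "mgmt-tool.exe --status"),
    ("ADMIN-WS02", "itadmin", "mgmt-tool.exe", "mgmt-tool.exe --inventory"),
    ("FILESRV01", "svc_backup", "xfer-tool.exe", "xfer-tool.exe --sync /backup"),
    ("FILESRV01", "svc_backup", "xfer-tool.exe", "xfer-tool.exe --sync /backup"),
]
HUNT_WINDOW = [
    ("ADMIN-WS01", "itadmin", "mgmt-tool.exe", "mgmt-tool.exe --status"),          # normal
    ("WEBSRV03", "www-data", "mgmt-tool.exe", "mgmt-tool.exe --status"),           # atypical host and user
    ("FILESRV01", "svc_backup", "xfer-tool.exe", "xfer-tool.exe --sync /backup"),  # normal
    ("FILESRV01", "svc_backup", "xfer-tool.exe", "xfer-tool.exe --upload --remote 203.0.113.5"),  # new arguments
] + [("ADMIN-WS02", "itadmin", "mgmt-tool.exe", "mgmt-tool.exe --inventory")] * 8  # frequency spike


def build_baseline(events):
    """Per binary: usual hosts, users and argument tokens; plus execution count per (host, binary) pair."""
    profile = defaultdict(lambda: {"hosts": set(), "users": set(), "args": set()})
    counts = Counter()
    for host, user, binary, cmdline in events:
        profile[binary]["hosts"].add(host)
        profile[binary]["users"].add(user)
        profile[binary]["args"].update(cmdline.split()[1:])  # drop the binary name itself
        counts[(host, binary)] += 1
    return profile, counts


def hunt_binary_abuse(baseline, window, spike_factor=3):
    """Return (finding, host, binary, detail) tuples for executions that deviate from the baseline."""
    profile, base_counts = build_baseline(baseline)
    findings, window_counts = [], Counter()
    for host, user, binary, cmdline in window:
        window_counts[(host, binary)] += 1
        p = profile[binary]  # a binary never seen in the baseline gets an empty profile, so every check fires
        if host not in p["hosts"]:
            findings.append(("atypical_host", host, binary, cmdline))
        if user not in p["users"]:
            findings.append(("atypical_user", host, binary, user))
        new_args = sorted(set(cmdline.split()[1:]) - p["args"])
        if new_args:
            findings.append(("new_arguments", host, binary, " ".join(new_args)))
    # Frequency check: far more executions of a (host, binary) pair than the baseline ever showed
    for (host, binary), n in window_counts.items():
        if n > spike_factor * max(base_counts[(host, binary)], 1):
            findings.append(("frequency_spike", host, binary, f"{n} executions vs {base_counts[(host, binary)]} in baseline"))
    return findings
```

Each finding is a lead for the hunter to review, not a verdict; the baseline period itself must be known-clean or the profile will normalize the attacker's activity.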


APT Tactics, Techniques, and Procedures (TTPs)


Threat intelligence often identifies attacker TTPs, such as:


  • Initial access techniques

  • Persistence mechanisms

  • Command and control methods

  • Credential access techniques


These behaviors should be mapped to MITRE ATT&CK techniques and used to design TTP-based threat hunts.


Hypothesis Development


Threat hunters should develop investigative hypotheses based on intelligence findings.


Example hypothesis:


"If this threat actor targeted organizations similar to ours using credential dumping and remote administration tools, similar activity may exist in our environment."

Hypothesis-based hunts then test these assumptions using available telemetry.
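An added example (not from the original post) that carries the alias-resolution advice from the naming section and the Step 4 conversion above through in code: two constructed vendor reports that name the same actor differently are resolved against a constructed alias map, their IOCs are classified into the indicator types listed above, and the merged result becomes IOC, binary-abuse and TTP hunt tasks plus a hypothesis in the form shown above. The ACTOR-EX-01 id, the vendor records and the alias map are all made up; the ATT&CK technique ids are real ids used only as sample values.

```python
import re
from collections import defaultdict
# Constructed alias cross-reference (a stand-in for the community sheet linked above): normalized vendor name -> id
ALIASES = {"copperheron": "ACTOR-EX-01", "herongroup": "ACTOR-EX-01", "taexample1": "ACTOR-EX-01"}
# Constructed vendor CTI records (not from the post); both vendors track one actor under different names.
REPORTS = [
    {"vendor": "Vendor A", "actor": "Copper Heron", "techniques": ["T1003", "T1021"], "binaries": ["mgmt-tool.exe"],
     "iocs": ["198.51.100.7", "update-check.example", "http://update-check.example/ping"]},
    {"vendor": "Vendor B", "actor": "HERON GROUP", "techniques": ["T1003", "T1566"], "binaries": ["xfer-tool.exe"],
     "iocs": ["update-check.example", "0123456789abcdef0123456789abcdef"]},
]
IOC_PATTERNS = [  # order matters: a URL must be recognised before the domain rule could match its host part
    ("url", re.compile(r"^https?://\S+$")),
    ("ip", re.compile(r"^(\d{1,3}\.){3}\d{1,3}$")),
    ("hash", re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)),
    ("domain", re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)),
]

def canonical_actor(name):
    """Resolve a vendor-specific actor name to one canonical id; unknown names are kept but flagged."""
    key = re.sub(r"[^a-z0-9]", "", name.lower())  # 'Copper Heron' / 'COPPER-HERON' -> 'copperheron'
    return ALIASES.get(key, "UNMAPPED:" + name)

def classify_ioc(value):
    """Bucket an indicator into the IOC types the IOC-based hunt modules consume."""
    for kind, pattern in IOC_PATTERNS:
        if pattern.match(value.strip()):
            return kind
    return "unclassified"

def build_hunt_tasks(reports):
    """Merge every report on one canonical actor into IOC, binary-abuse and TTP hunt tasks plus a hypothesis."""
    merged = defaultdict(lambda: {"iocs": defaultdict(set), "binaries": set(), "techniques": set()})
    for r in reports:
        m = merged[canonical_actor(r["actor"])]
        m["binaries"].update(r["binaries"])
        m["techniques"].update(r["techniques"])
        for ioc in r["iocs"]:
            m["iocs"][classify_ioc(ioc)].add(ioc)  # duplicates reported by several vendors collapse here
    tasks = {}
    for actor, m in merged.items():
        ttps, bins = ", ".join(sorted(m["techniques"])), ", ".join(sorted(m["binaries"]))
        tasks[actor] = {
            "ioc_hunts": {kind: sorted(vals) for kind, vals in m["iocs"].items()},
            "binary_abuse_hunts": sorted(m["binaries"]),
            "ttp_hunts": sorted(m["techniques"]),
            "hypothesis": f"If {actor} targeted organizations similar to ours using {ttps} and abusing {bins}, similar activity may exist in our environment.",
        }
    return tasks
```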


References


  • MISP Galaxy

  • FlowViz - Attack Flow Visualizer

  • Threat Report ATT&CK Mapper (TRAM)

  • Cyber Threat Intelligence Diamond model

  • Intelligence Failure in Threat Detection

  • Breaking the Defender’s Dilemma: Why ACH is the Future of Threat Hunting and Detection Engineering

