Threat Hunt (TH) Programs Part 5 - Mission Execution
- brencronin
Threat Hunt Mission Execution SOP
1. Purpose
This Standard Operating Procedure (SOP) establishes the standardized process, roles, responsibilities, and operational expectations governing the execution phase of Cyber Threat Hunt missions. It is designed to ensure consistency, analytical rigor, and operational effectiveness across all threat hunting activities conducted by the Security Operations Center (SOC) Threat Hunt team.
2. Scope
This SOP applies to all personnel participating in Threat Hunt missions, including Threat Hunters, Threat Hunt Leads, and SOC analysts who interface with the hunt team during escalations or investigations. It covers all activities from the transition into mission execution through module completion and escalation procedures.
3. Roles and Responsibilities
Threat Hunt Mission Planner / Lead Threat Hunter
Responsible for:
Assigning Threat Hunt modules to individual hunters at the start of each mission.
Maintaining awareness of overall mission progress via the Threat Hunt tracker.
Serving as the primary point of contact for hunter questions, fielding all inquiries through the designated mission communication channel.
Coordinating with the SOC when a suspicious finding warrants initiation of a formal investigation.
Reviewing and approving module completion entries in the Threat Hunt tracker.
Threat Hunting Team Members
Responsible for:
Execute assigned Threat Hunt modules in accordance with this SOP.
Develop, upload, and document all SIEM queries in the central Threat Hunt tracker.
Perform environmental baselining to identify normal administrative usage patterns and distinguish them from anomalous activity.
Mark modules as complete in the tracker upon finishing analysis, recording the precise time of completion.
Escalate questions to the Threat Hunt Lead via the mission channel; continue productive work on other modules while awaiting clarification.
Immediately notify the Threat Hunt Lead via the mission channel if a suspicious finding is identified that may warrant investigation.
SOC Analysts
Responsible for:
Receive and acknowledge escalations from the Threat Hunt team.
Initiate and manage formal investigations into escalated findings.
Coordinate with system administrators and relevant data owners to determine the nature of escalated anomalies.
Classify escalated findings as a true security incident, benign positive related to administrative activity, or an identified gap in security control coverage.
Cyber Threat Intelligence (CTI) Analysts (if applicable)
Responsible for:
Providing threat intelligence related to the hunt.
Supporting intelligence analysis and actor profiling.
Assisting in developing threat hunt hypotheses.
Threat Hunt Module Types
At mission start, the Threat Hunt Lead assigns one or more modules to each hunter. Modules define the analytical focus area, the type of queries to be developed, and the depth of investigation required. The following module types are currently in use:
Module Type | Description
IOC Analysis | Sweep for IOCs and load IOCs into CTI tools for future detections.
Binary Analysis | Examination of suspicious or potentially malicious binaries identified within the environment, including hash analysis, behavioral review, and correlation against threat intelligence.
TTP (Tactics, Techniques & Procedures) | Analysis focused on known adversary tactics, techniques, and procedures, typically mapped to the MITRE ATT&CK framework. Hunters search for behavioral indicators of specific attack techniques.
APT (Advanced Persistent Threat) | Hunt modules targeting indicators, behaviors, and infrastructure associated with known APT groups. These modules often involve complex multi-stage query logic and threat intelligence correlation.
Advanced (Custom Queries) | Bespoke, complex hunt queries developed by experienced hunters for targeted investigations. These modules may involve novel detection logic not covered by standard frameworks.
The complexity of analysis and time required for completion varies by module type. Advanced and APT modules typically demand greater depth, extended query iteration, and more comprehensive documentation than standard TTP modules.
Mission Execution Procedures
Module Assignment
At the outset of each mission, the Threat Hunt Lead assigns specific modules to each hunter and communicates assignments through the designated mission channel and the Threat Hunt tracker.
Hunters acknowledge receipt of their assigned modules and confirm understanding of scope and objectives before beginning analysis.
Because Threat Hunters are involved in the Threat Hunt mission research and mission planning phases, it is common to assign a primary Threat Hunter for the entirety of the mission, along with a backup Threat Hunter.
Any concerns about scope, resource constraints, or technical requirements must be raised with the Threat Hunt Lead before execution begins.
Query Development and Upload
Threat Hunters develop all SIEM queries necessary to support their assigned module, including queries for detection, baselining, and anomaly identification.
All queries must be uploaded to the central Threat Hunt tracker prior to or immediately upon execution to ensure transparency, reproducibility, and peer review capability.
Query documentation must include the purpose of the query, the targeted data sources, and the hypothesis or behavioral indicator being tested.
Environmental Baselining and Analysis
Hunters execute their queries within the SIEM environment and analyze results in the context of established environmental baselines.
Hunters are required to baseline the data in the environment to determine normal administrative usage patterns. These patterns must be documented within the Threat Hunt tracker.
Where normal administrative usage patterns can be reliably defined and documented, hunters should identify opportunities to codify those patterns into SIEM detection rules to reduce future benign or false positive rates.
Any deviation from established baselines must be assessed to determine whether it represents benign administrative activity or potentially malicious behavior.
Module Completion and Tracker Updates
Upon completing analysis for a given module, the Threat Hunter updates the Threat Hunt tracker to reflect the module status as complete.
The time of completion must be recorded to enable mission progress tracking and workload reporting by the Threat Hunt Lead.
If a module yields no findings of note, the hunter documents a negative result with supporting rationale. Negative results are a valid and important mission outcome.
NOTE: Completion tracking enables the Threat Hunt Lead to monitor mission velocity, identify bottlenecks, reallocate resources as needed, and ensure all modules are addressed within the mission timeframe.
Communication and Escalation Protocols
Handling Questions During Threat Hunt Mission Execution
If a Threat Hunter encounters questions or ambiguities during analysis, the following protocol applies:
The hunter submits the question to the Threat Hunt Lead via the established mission communication channel. Questions must not be raised through informal or out-of-band channels.
If the Threat Hunt Lead is temporarily unavailable due to other mission duties, the hunter must not stop work and wait idle. The hunter should transition to a different assigned module or, if no other modules are available, work on another active Threat Hunt mission until the Lead can respond.
Upon receiving clarification, the hunter resumes the original module and documents any impact to methodology or scope in the tracker.
NOTE: Hunters must never allow unanswered questions to create idle time. Efficient, continuous use of mission hours is a core operational expectation.
Suspicious Finding Escalation
If a Threat Hunter identifies activity that is suspicious and potentially warrants formal investigation, the following escalation process must be followed:
The hunter immediately notifies the Threat Hunt Lead via the mission communication channel. The notification must include a summary of the anomaly, relevant query output, affected systems or accounts, and the hunter's preliminary assessment.
The Threat Hunt Lead reviews the finding and determines whether escalation to the SOC is warranted.
If escalation is warranted, the Threat Hunt Lead contacts the SOC to initiate a formal investigation. The SOC analyst works with system administrators and other data owners to determine whether the activity represents a true security incident, a benign positive related to administrative activity, or an identified gap in security controls.
All escalation activity, SOC notifications, and investigation outcomes are documented in both the Threat Hunt tracker and the SOC incident management system.
Detection Engineering Integration
Threat Hunt missions serve a dual purpose: active threat identification and continuous improvement of the organization's detection posture. Hunters must remain attentive throughout execution to opportunities that can strengthen detection coverage.
When normal administrative usage patterns are identified and documented, hunters should evaluate whether those patterns can be codified into SIEM detection rules to reduce future false positive rates and improve alert fidelity.
When anomalies or suspicious behaviors are identified that do not yet have corresponding detection rules, hunters should document them as detection rule candidates in the Threat Hunt tracker for handoff to the detection engineering function.
When gaps in security controls or monitoring coverage are identified during a hunt, whether or not related to a suspicious finding, these must be documented and escalated through the appropriate security engineering or architecture remediation process as well as the threat hunt mission report.
All detection rule candidates and control gap findings are formally handed off at the conclusion of the mission.
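The following is an added worked example, not code from the post or from the author's hunt team, illustrating the baselining step in the Environmental Baselining and Analysis section together with the Detection Engineering Integration handoff. It assumes a simplified event shape (one record per remote-admin tool launch with timestamp, account, host and process) and a constructed log; the recurrence threshold (`min_days`), the tool name and every account and host name are assumptions made for the illustration. It builds a baseline of normal administrative usage from a prior window, classifies hunt-window events as baseline or deviation, shows how codifying the documented baseline as an exclusion reduces alert volume, and emits the records a hunter would enter in the tracker as detection rule candidates.

```python
from collections import defaultdict

# Constructed sample data (not from the post): remote-admin tool launches,
# one dict per event. Prior days form the baseline window; the hunt window
# is what the module is analysing.
BASELINE_EVENTS = [
    {"ts": "2024-05-01T02:05", "account": "svc_patch", "host": "WS-101", "process": "psexec.exe"},
    {"ts": "2024-05-01T02:07", "account": "svc_patch", "host": "WS-102", "process": "psexec.exe"},
    {"ts": "2024-05-02T02:05", "account": "svc_patch", "host": "WS-103", "process": "psexec.exe"},
    {"ts": "2024-05-02T14:30", "account": "admin.jane", "host": "SRV-DB01", "process": "psexec.exe"},
    {"ts": "2024-05-03T02:06", "account": "svc_patch", "host": "WS-101", "process": "psexec.exe"},
]
HUNT_EVENTS = [
    {"ts": "2024-05-08T02:05", "account": "svc_patch", "host": "WS-102", "process": "psexec.exe"},
    {"ts": "2024-05-08T11:42", "account": "svc_patch", "host": "SRV-DC01", "process": "psexec.exe"},
    {"ts": "2024-05-08T23:15", "account": "j.doe", "host": "SRV-DB01", "process": "psexec.exe"},
    {"ts": "2024-05-09T09:00", "account": "admin.jane", "host": "SRV-DB01", "process": "psexec.exe"},
]


def build_baseline(events, min_days=3):
    """Map (account, process) -> set of hosts, keeping only pairs seen on at
    least min_days distinct days (assumed threshold). One-off usage is not a
    pattern and must not be baselined away; it stays subject to review."""
    days, hosts = defaultdict(set), defaultdict(set)
    for e in events:
        key = (e["account"], e["process"].lower())
        days[key].add(e["ts"][:10])
        hosts[key].add(e["host"])
    return {k: hosts[k] for k in days if len(days[k]) >= min_days}


def assess(event, baseline):
    """Classify one hunt-window event against the baseline.
    Returns (status, reason) where status is 'baseline' or 'deviation'."""
    key = (event["account"], event["process"].lower())
    if key not in baseline:
        return "deviation", "account/process pair not established in baseline"
    if event["host"] not in baseline[key]:
        return "deviation", "known account/process pair on a host outside its baseline"
    return "baseline", "matches documented administrative pattern"


def raw_rule(event):
    """Untuned detection logic: every remote-admin tool launch fires."""
    return event["process"].lower() == "psexec.exe"


def tuned_rule(event, baseline):
    """Same logic with the documented baseline codified as an exclusion, so
    routine administrative use no longer produces an alert."""
    return raw_rule(event) and assess(event, baseline)[0] == "deviation"


def hunt_module(baseline_events, hunt_events):
    """Run the module: baseline, assess, compare alert volume, and collect the
    tracker entries (deviations for escalation review, rule candidates)."""
    baseline = build_baseline(baseline_events)
    deviations = []
    for e in hunt_events:
        status, reason = assess(e, baseline)
        if status == "deviation":
            deviations.append({**e, "reason": reason})
    return {
        "baseline": baseline,
        "raw_alerts": sum(raw_rule(e) for e in hunt_events),
        "tuned_alerts": sum(tuned_rule(e, baseline) for e in hunt_events),
        "deviations": deviations,
        # Each documented pattern becomes a candidate exclusion for the
        # detection engineering handoff at mission close.
        "rule_candidates": [
            {"type": "baseline_exclusion", "account": acct, "process": proc, "hosts": sorted(h)}
            for (acct, proc), h in baseline.items()
        ],
    }


if __name__ == "__main__":
    result = hunt_module(BASELINE_EVENTS, HUNT_EVENTS)
    print(f"alerts before tuning: {result['raw_alerts']}, after: {result['tuned_alerts']}")
    for d in result["deviations"]:
        print(f"DEVIATION {d['ts']} {d['account']}@{d['host']}: {d['reason']}")
```

On the constructed data the baseline captures only svc_patch, because admin.jane's single launch never recurs and so cannot be documented as a normal pattern; the three deviations (a known service account on a new host, an account never seen using the tool, and the unestablished admin.jane pair) are what the hunter would assess and, where warranted, raise through the escalation process, while the baseline exclusion is the record handed to detection engineering.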