---
name: threat-hunting-intelligence
description: Conduct proactive threat hunting operations and manage threat intelligence programs to identify hidden threats, advanced persistent threats (APTs), and emerging attack techniques before they cause damage. Use when developing threat hypotheses, conducting hunts across endpoint/SIEM/network data, managing threat intelligence feeds, mapping coverage to MITRE ATT&CK, developing custom detection rules, or establishing a threat hunting program. Triggers on phrases like "threat hunting", "threat intelligence", "threat intel", "IOCs", "IOAs", "TTPs", "MITRE ATT&CK", "hypothesis-driven hunting", "APT hunt", "adversary emulation", "custom detection", "hunting query", "intelligence-led security", "threat feed".
---

# Threat Hunting & Intelligence

Proactive security operations program for identifying hidden threats through hypothesis-driven hunting, intelligence-led detection, and systematic coverage analysis against the MITRE ATT&CK framework.

## Workflow

1. Establish threat hunting program: define team (dedicated hunters vs. shared analyst responsibility), schedule (weekly hunting sessions), scope (endpoints, network, cloud, identity), tools (EDR, SIEM, network telemetry, threat intelligence platforms).
2. Develop threat intelligence program: subscribe to threat feeds (commercial + open-source); establish intel collection, processing, analysis, and distribution (IPAD) cycle; integrate intelligence into detection rules.
3. Map current detection coverage to MITRE ATT&CK: identify detected techniques, partially detected techniques, and undetected techniques; prioritize coverage gaps by likelihood and impact.
4. Develop hunt hypotheses: based on threat intelligence, ATT&CK gaps, internal data analysis, industry-specific threats, and emerging TTPs; each hypothesis has a clear question, data sources, and expected findings.
5. Execute hunt: query relevant data sources (EDR, SIEM, network, cloud); analyze results; identify anomalies and potential indicators of compromise; escalate confirmed findings to incident response.
6. Document hunt: record hypothesis, methodology, queries, findings, and outcomes; update detection rules based on findings; update ATT&CK coverage map.
7. Develop custom detections: convert hunt queries into automated SIEM/EDR alerts; test detection rules for accuracy; deploy to production monitoring.
8. Share intelligence: distribute IOCs and TTPs to security team; update blocking rules (firewall, email gateway, DNS sinkhole); brief leadership on hunt findings quarterly.
9. Participate in threat intelligence sharing: ISACs (Information Sharing and Analysis Centers), MISP communities, industry forums; contribute anonymized findings.
10. Measure hunting program effectiveness: hunts conducted, findings identified, detections created, mean time to detect improvement, ATT&CK coverage improvement; quarterly program review.

## Threat Hunting Methodology

```
THREAT HUNTING METHODOLOGY FRAMEWORK
======================================

HUNT TYPES:

  1. Intelligence-Driven Hunting:
     → Trigger: New threat intelligence (IOC, TTP, campaign report)
     → Example: "Threat actor APT29 using LOLBin 'wmic.exe' for persistence"
     → Data Sources: EDR (process execution logs), SIEM (Windows Event Logs)
     → Queries: Search for wmic.exe processes with suspicious command-line args
     → Outcome: Identify any matching activity; if found → incident investigation

  2. Hypothesis-Driven Hunting:
     → Trigger: Security analyst hypothesis based on knowledge and data patterns
     → Example: "If an attacker gained domain admin, they would enumerate all computers via LDAP"
     → Data Sources: SIEM (LDAP query logs), Active Directory logs, network flows
     → Queries: Unusual LDAP queries (large result sets, queries for sensitive attributes)
     → Outcome: Identify reconnaissance activity; correlate with authentication events

  3. Data-Driven Hunting:
     → Trigger: Anomalous patterns discovered through data analysis
     → Example: "30% increase in PowerShell usage from server workstations"
     → Data Sources: EDR (process creation), SIEM (script block logs), network (DNS queries)
     → Queries: PowerShell execution baseline vs. current; statistical outlier detection
     → Outcome: Identify anomalous behavior; investigate root cause

  4. ATT&CK Coverage-Driven Hunting:
     → Trigger: MITRE ATT&CK technique with no detection coverage
     → Example: "We don't detect T1071 (Application Layer Protocol) for C2"
     → Data Sources: Network flows, DNS logs, proxy logs, EDR network connections
     → Queries: HTTP/S traffic to unusual ports; DNS queries to rare TLDs; reverse DNS anomalies
     → Outcome: Find undetected C2 channels; create detection rule for the technique

HUNTING LIFECYCLE:

  Phase 1: Preparation (30-60 Minutes)
    → Define hypothesis: Clear, testable statement
       Format: "IF [threat behavior] THEN [observable evidence] IN [data source]"
    → Identify data sources: Which logs, telemetry, feeds to query?
    → Develop queries: Draft search queries for each data source
    → Define scope: Time range, hosts, users, networks in scope
    → Set expectations: What constitutes a finding vs. normal activity?

  Phase 2: Detection (1-2 Hours)
    → Execute queries across data sources
    → Filter results: Remove known good activity (baseline, exclusions)
    → Identify anomalies: Patterns that deviate from normal behavior
    → Correlate findings: Cross-reference multiple data sources
    → Prioritize: Rank findings by severity and confidence

  Phase 3: Investigation (1-4 Hours)
    → Deep-dive into high-priority findings
    → Gather context: User, host, network, timeline, related activity
    → Determine: True positive, false positive, or needs more investigation
    → If confirmed threat: Escalate to incident response
    → Document: All investigation steps and findings

  Phase 4: Analysis and Response (1-2 Hours)
    → Root cause analysis for confirmed findings
    → Scope assessment: How many hosts/users affected?
    → Containment recommendations: Immediate actions to limit impact
    → Detection improvement: Create automated detection for the finding
    → Intelligence enrichment: Add IOCs to threat intelligence platform

  Phase 5: Reporting and Feedback (30-60 Minutes)
    → Hunt report: Hypothesis, methodology, findings, recommendations
    → Detection deployment: Push new detection rules to SIEM/EDR
    → ATT&CK update: Update coverage map with new detections
    → Team briefing: Share findings and learnings with security team
    → Feed back into planning: Identify new hypotheses from findings

HUNTING PRIORITIZATION MATRIX:

  Score = Likelihood (1-5) × Impact (1-5) × Detection Gap (1-3)

  Likelihood: How likely is this threat to target our organization?
    1: Very unlikely (not in our sector, not geographically relevant)
    2: Unlikely (limited reports, sophisticated attacker unlikely to target us)
    3: Possible (some sector relevance, capability within reach of common actors)
    4: Likely (active threat to our sector, multiple reports, known targeting)
    5: Very likely (active campaign against our industry, low barrier to entry)

  Impact: What is the potential impact if this threat succeeds?
    1: Negligible (no sensitive data, easily contained)
    2: Minor (limited data exposure, minimal business impact)
    3: Moderate (customer data at risk, operational disruption possible)
    4: Major (significant data breach, major business disruption)
    5: Critical (existential threat, regulatory consequences, reputation destruction)

  Detection Gap: How well are we currently detecting this?
    1: Well covered (multiple detections, tested and validated)
    2: Partially covered (some detections, but gaps identified)
    3: Not covered (no detection for this technique/TTP)
```
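The data-driven hunt type and the lifecycle's Phase 2 (execute, filter known good, flag anomalies, prioritize) as runnable hunt logic. This is an added example, not part of the skill's own tooling; the event shape, host names, thresholds and the exclusion list are assumptions, and the EDR events are constructed inline.

```python
import statistics
from collections import defaultdict
from datetime import date

HUNT_DAY = date(2024, 3, 15)
KNOWN_GOOD_HOSTS = {"build-01"}   # Phase 1 scope: CI host runs PowerShell by design (assumed)
MIN_EVENTS = 10                   # floor so a jump from 1 to 4 executions is not a "finding"
Z_THRESHOLD = 3.0                 # standard deviations above the host's own baseline

# Constructed EDR process-creation events (host, day, image name); not real telemetry.
# 14-day baseline: each host runs its usual daily amount of PowerShell (+0..2 jitter);
# on HUNT_DAY ws-02 suddenly spikes, while build-01 is merely noisy as always.
EVENTS = []
for d in range(1, 15):
    for host, base in (("ws-01", 2), ("ws-02", 3), ("ws-03", 1), ("build-01", 40)):
        EVENTS += [(host, date(2024, 3, d), "powershell.exe")] * (base + d % 3)
        EVENTS += [(host, date(2024, 3, d), "explorer.exe")] * 5
for host, n in (("ws-01", 2), ("ws-02", 41), ("ws-03", 1), ("build-01", 55)):
    EVENTS += [(host, HUNT_DAY, "powershell.exe")] * n

def daily_counts(events, image):
    """Per-host, per-day execution counts for one image name (case-insensitive)."""
    counts = defaultdict(lambda: defaultdict(int))
    for host, day, proc in events:
        if proc.lower() == image:
            counts[host][day] += 1
    return counts

def hunt_baseline_outliers(events, hunt_day, image="powershell.exe"):
    """Phase 2: query, remove known good, flag statistical outliers, rank by confidence."""
    findings = []
    for host, per_day in daily_counts(events, image).items():
        if host in KNOWN_GOOD_HOSTS:                  # baseline exclusion, applied before scoring
            continue
        baseline = [c for day, c in per_day.items() if day < hunt_day]
        today = per_day.get(hunt_day, 0)
        if len(baseline) < 7 or today < MIN_EVENTS:   # too little history or too little activity
            continue
        mean = statistics.mean(baseline)
        stdev = statistics.pstdev(baseline) or 1.0    # flat baseline: avoid division by zero
        z = (today - mean) / stdev
        if z >= Z_THRESHOLD:
            findings.append({"host": host, "today": today,
                             "baseline_mean": round(mean, 1), "z": round(z, 1)})
    return sorted(findings, key=lambda f: f["z"], reverse=True)

if __name__ == "__main__":
    for f in hunt_baseline_outliers(EVENTS, HUNT_DAY):
        print(f"{f['host']}: {f['today']} executions today vs baseline {f['baseline_mean']} (z={f['z']})")
```

Each finding carries the host's own baseline, which is the context Phase 3 needs before deciding true positive versus false positive.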

## Threat Intelligence Management

```
THREAT INTELLIGENCE PROGRAM
=============================

INTELLIGENCE TYPES:

  Strategic Intelligence (Executive Level):
    → Overview of threat landscape for the organization
    → Threat actor profiles and motivations
    → Industry-specific threats and trends
    → Risk assessment and recommendations
    → Distribution: Quarterly briefings to executive leadership and board
    → Sources: Commercial threat reports, government advisories, industry analysis

  Operational Intelligence (Security Operations):
    → Active threat campaigns targeting sector or organization
    → Attacker TTPs (Tactics, Techniques, Procedures)
    → Campaign infrastructure (C2 servers, phishing domains, malware droppers)
    → Vulnerability exploitation trends (zero-days, N-day exploits)
    → Distribution: Weekly briefings to security operations team
    → Sources: Threat intelligence platforms, ISACs, open-source intelligence

  Tactical Intelligence (Detection Engineering):
    → IOCs (Indicators of Compromise): IPs, domains, URLs, file hashes, email addresses
    → IOAs (Indicators of Attack): Behavioral patterns, TTP mappings
    → Detection rules and signatures (Sigma, YARA, Suricata, Snort)
    → Hunting queries (KQL, SPL, FQL, SQL-based)
    → Distribution: Real-time to SIEM/EDR/SOAR; daily to detection engineers
    → Sources: Threat feeds, MISP instances, commercial platforms, custom research

  Technical Intelligence (Incident Response):
    → Malware analysis reports (behavior, capabilities, family classification)
    → Exploit details (vulnerability, payload, exploitation method)
    → Forensic artifacts (registry keys, file paths, mutex names)
    → Attribution information (threat actor group, nation-state affiliation)
    → Distribution: On-demand to incident response team
    → Sources: Sandbox analysis, reverse engineering, threat intelligence sharing

INTELLIGENCE COLLECTION SOURCES:

  Open-Source Intelligence (OSINT):
    → AlienVault OTX (Open Threat Exchange): Free IOC sharing community
    → Abuse.ch: Malware URLs, phishing domains, botnet C2 tracking
    → VirusTotal: File and URL analysis; community reputation
    → MITRE ATT&CK: Technique database with examples and mitigations
    → CISA Known Exploited Vulnerabilities catalog: Prioritized patch guidance
    → HackerNews, security blogs: Emerging threat awareness
    → GitHub: Security tools, detection rules, threat actor repositories

  Commercial Threat Intelligence:
    → Recorded Future: Real-time threat intelligence; dark web monitoring
    → ThreatConnect: Intel platform; IOC management; collaboration
    → Anomali: Intel platform; automated threat analysis; enrichment
    → CrowdStrike Intel: Global threat intelligence from Falcon sensor network
    → Microsoft Threat Intelligence: From Defender, Sentinel, and Microsoft 365 telemetry
    → Google Threat Intelligence: From Chrome, Android, Google Workspace, and Gmail telemetry

  Information Sharing and Analysis Centers (ISACs):
    → US-ISAC: Multi-sector information sharing (US organizations)
    → FS-ISAC: Financial services sector
    → HS-ISAC: Healthcare sector
    → ES-ISAC: Energy sector
    → Auto-ISAC: Automotive sector
    → Benefits: Peer-to-peer intel sharing; early warning; best practices

  Government Sources:
    → CISA Alerts and Advisories: US Cybersecurity and Infrastructure Security Agency
    → NSA Cybersecurity Advisories: National Security Agency
    → FBI Cyber Updates: Federal Bureau of Investigation
    → ENISA Threat Landscape: European Union Agency for Cybersecurity
    → NCSC (UK): National Cyber Security Centre advisories
    → APAC-CSC: Asia-Pacific Cyber Security Center

INTEL PROCESSING AND DISTRIBUTION (IPAD CYCLE):

  Collection → Processing → Analysis → Dissemination → Feedback

  1. Collection: Automated ingestion from feeds, manual research, ISAC sharing
  2. Processing: Normalize IOCs; enrich with context (geo, ASN, reputation, WHOIS)
  3. Analysis: Assess relevance to organization; assign confidence and priority
  4. Dissemination: Push to appropriate consumers (SIEM, firewall, email gateway, analysts)
  5. Feedback: Track IOC effectiveness (how many alerts generated; how many true positives)
```
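The Processing and Feedback steps of the IPAD cycle, and the "threat intelligence quality varies" edge case later on this page (score sources by historical accuracy), worked as code. This is an added example, not the skill's own tooling; the feed sources, indicator values and analyst verdicts are constructed, and the defanging conventions handled are an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, urlunsplit

# Constructed feed records (source, raw indicator): deliberately messy input with
# defanging, mixed case, trailing punctuation and duplicates across sources. Not real IOCs.
FEED = [
    ("otx",      "hxxp://bad-example[.]test/Payload.exe"),
    ("otx",      "BAD-EXAMPLE[.]TEST,"),
    ("abuse_ch", "bad-example.test"),
    ("abuse_ch", "203[.]0[.]113[.]7"),
    ("vendor_x", "203.0.113.7 "),
    ("vendor_x", "DEADBEEF" * 8),                 # constructed 64-hex value standing in for a SHA-256
    ("vendor_x", "phish[@]bad-example[.]test"),
]
# Constructed alert feedback (source, indicator, analyst verdict) collected in the Feedback step.
FEEDBACK = [
    ("otx", "bad-example.test", True), ("otx", "bad-example.test", True), ("otx", "203.0.113.7", False),
    ("abuse_ch", "203.0.113.7", True), ("vendor_x", "203.0.113.7", False), ("vendor_x", "bad-example.test", False),
]
# Order matters: hashes and IPs are tested before the broad domain pattern.
PATTERNS = [
    ("sha256", r"[0-9a-f]{64}"),
    ("md5", r"[0-9a-f]{32}"),
    ("ipv4", r"(?:\d{1,3}\.){3}\d{1,3}"),
    ("email", r"[^@\s]+@(?:[a-z0-9-]+\.)+[a-z]{2,}"),
    ("domain", r"(?:[a-z0-9-]+\.)+[a-z]{2,}"),
]

def refang(raw):
    """Undo common defanging so the indicator can be matched and deduplicated."""
    v = raw.strip().rstrip(",.;")
    v = re.sub(r"^hxxp", "http", v, flags=re.I)
    for defanged, real in (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("[@]", "@")):
        v = v.replace(defanged, real)
    return v

def normalize(raw):
    """Return (indicator_type, canonical_value); URL paths keep their case, all else is lowercased."""
    v = refang(raw)
    if re.match(r"^https?://", v, re.I):
        p = urlsplit(v)
        return "url", urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, p.query, p.fragment))
    v = v.lower()
    for kind, pat in PATTERNS:
        if re.fullmatch(pat, v):
            return kind, v
    return "unknown", v

def process_feed(feed):
    """Processing step: normalized, deduplicated indicators mapped to the sources reporting them."""
    merged = defaultdict(set)
    for source, raw in feed:
        merged[normalize(raw)].add(source)
    return dict(merged)

def source_precision(feedback):
    """Feedback step: fraction of each source's alerts that analysts confirmed as true positives."""
    tp, total = defaultdict(int), defaultdict(int)
    for source, _indicator, is_true_positive in feedback:
        total[source] += 1
        tp[source] += int(is_true_positive)
    return {s: round(tp[s] / total[s], 2) for s in total}
```

An indicator reported by several sources, or by a source with high precision, is the one to push to blocking first; a zero-precision source is a candidate for review before its IOCs reach the firewall.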

## MITRE ATT&CK Coverage Mapping

```
MITRE ATT&CK COVERAGE ASSESSMENT
===================================

COVERAGE LEVELS:

  Detected (Green):
    → Automated detection in place (SIEM rule, EDR detection, network alert)
    → Detection tested and validated (confirmed with ATT&CK technique simulation)
    → Alert routed to appropriate team with defined response procedure

  Partially Detected (Yellow):
    → Detection exists but has gaps (specific sub-techniques not covered)
    → Detection has high false positive rate (alerts exist but rarely actionable)
    → Detection exists in one data source but not others (EDR yes, network no)

  Not Detected (Red):
    → No automated detection for this technique
    → Technique has not been evaluated for detectability
    → Detection attempted but failed (insufficient telemetry, noisy data)

  Not Applicable (Gray):
    → Technique not relevant to organization's environment
    → Technique mitigated by architecture (e.g., no Windows = no PowerShell techniques)
    → Technique blocked by controls (e.g., MFA blocks credential dumping impact)

EXAMPLE COVERAGE ASSESSMENT (SELECTED TECHNIQUES):

  TA0001 — Initial Access:
    → T1566 Spearphishing Attachment: Detected (email gateway + EDR) ✓
    → T1566 Spearphishing Link: Detected (email gateway + web proxy) ✓
    → T1190 Exploit Public-Facing Application: Partially detected (WAF alerts, but no deep app analysis) ⚠️
    → T1133 External Remote Services: Not detected (no VPN anomaly detection) ❌
    → T1190 Supply Chain Compromise: Not detected ❌

  TA0002 — Execution:
    → T1059 Command and Scripting Interpreter: Detected (EDR PowerShell/Python/Bash monitoring) ✓
    → T1204 User Execution: Partially detected (EDR tracks file opens but not all user interactions) ⚠️
    → T1106 Native API: Not detected ❌
    → T1122 System Script Interpreter: Detected (EDR JS/VBScript monitoring) ✓

  TA0003 — Persistence:
    → T1547 Boot or Logon Autostart Execution: Detected (EDR registry/file monitoring) ✓
    → T1053 Scheduled Task/Job: Detected (EDR scheduled task monitoring) ✓
    → T1136 Domain Account: Not detected (no AD account creation anomaly detection) ❌
    → T1543 Create or Modify System Process: Detected (EDR service creation monitoring) ✓

  TA0004 — Privilege Escalation:
    → T1548 Abuse Elevation Control Mechanism: Detected (EDR UAC bypass detection) ✓
    → T1134 Access Token Manipulation: Partially detected (EDR detects some token manipulation) ⚠️
    → T1068 Exploitation for Privilege Escalation: Not detected ❌

  TA0005 — Defense Evasion:
    → T1070 Indicator Removal: Detected (EDR log clearing detection) ✓
    → T1027 Obfuscated Files: Partially detected (EDR detects some obfuscation, not all) ⚠️
    → T1620 Reflective Code Loading: Not detected ❌

  TA0007 — Discovery:
    → T1082 System Information Discovery: Detected (EDR system info command monitoring) ✓
    → T1057 Process Discovery: Detected (EDR tasklist/ps monitoring) ✓
    → T1482 Domain Trust Discovery: Not detected (no AD trust enumeration monitoring) ❌

  TA0009 — Collection:
    → T1115 Clipboard Data: Partially detected (EDR detects clipboard access by some processes) ⚠️
    → T1113 Screen Capture: Not detected ❌
    → T1075 Email Collection: Detected (email gateway + DLP) ✓

  TA0011 — Command and Control:
    → T1071 Application Layer Protocol: Detected (network anomaly detection) ✓
    → T1573 Encrypted Channel: Partially detected (TLS inspection for known protocols) ⚠️
    → T1090 Proxy: Not detected ❌
    → T1102 Web Service: Detected (DNS + HTTP anomaly detection) ✓

  TA0010 — Exfiltration:
    → T1041 Exfiltration Over C2 Channel: Detected (DLP + network anomaly detection) ✓
    → T1048 Exfiltration Over Alternative Protocol: Partially detected (DLP covers some protocols) ⚠️
    → T1567 Exfiltration Over Web Service: Detected (DLP + cloud access broker) ✓

  TA0012 — Impact:
    → T1486 Data Encrypted for Impact: Detected (EDR file encryption detection + ransomware detection) ✓
    → T1490 Ingress Tool Transfer: Detected (EDR tool download detection) ✓
    → T1491 Defacement: Not detected ❌

COVERAGE IMPROVEMENT PLAN:

  Priority 1 (Not Detected + High Likelihood):
    → T1133 External Remote Services: Deploy VPN anomaly detection
    → T1136 Domain Account: Deploy AD account monitoring in SIEM
    → T1482 Domain Trust Discovery: Enable AD trust enumeration logging

  Priority 2 (Partially Detected + High Impact):
    → T1027 Obfuscation: Improve EDR obfuscation detection rules
    → T1048 Exfiltration: Expand DLP to cover alternative protocols
    → T1573 Encrypted Channel: Deploy TLS inspection for internal traffic

  Priority 3 (Not Detected + Moderate Likelihood):
    → T1190 Supply Chain: Deploy software bill of materials (SBOM) monitoring
    → T1620 Reflective Code Loading: Deploy advanced memory scanning
    → T1106 Native API: Deploy kernel-level monitoring
```
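The hunting prioritization matrix from the methodology section (Score = Likelihood × Impact × Detection Gap) and the coverage improvement plan above, driven from a single coverage inventory and exported as an ATT&CK Navigator layer for the heat-map review mentioned under Integration Points. This is an added example, not the skill's own tooling; the likelihood and impact ratings are assumed for illustration and the Navigator layer field names are taken from the public layer format as I understand it.

```python
import json

# Constructed coverage inventory: a subset of the example assessment above, with
# likelihood (1-5) and impact (1-5) ratings assumed for illustration.
COVERAGE = [
    {"id": "T1133", "name": "External Remote Services", "coverage": "not_detected",       "likelihood": 5, "impact": 4},
    {"id": "T1136", "name": "Domain Account",           "coverage": "not_detected",       "likelihood": 4, "impact": 4},
    {"id": "T1027", "name": "Obfuscated Files",         "coverage": "partially_detected", "likelihood": 4, "impact": 5},
    {"id": "T1573", "name": "Encrypted Channel",        "coverage": "partially_detected", "likelihood": 4, "impact": 4},
    {"id": "T1620", "name": "Reflective Code Loading",  "coverage": "not_detected",       "likelihood": 3, "impact": 4},
    {"id": "T1547", "name": "Boot or Logon Autostart",  "coverage": "detected",           "likelihood": 5, "impact": 4},
    {"id": "T1491", "name": "Defacement",               "coverage": "not_applicable",     "likelihood": 1, "impact": 2},
]
# Detection Gap factor from the prioritization matrix (1 = well covered ... 3 = not covered).
GAP = {"detected": 1, "partially_detected": 2, "not_detected": 3}
# Green / Yellow / Red / Gray coverage levels as Navigator colours.
COLOR = {"detected": "#8ec843", "partially_detected": "#ffe766",
         "not_detected": "#ff6666", "not_applicable": "#bbbbbb"}

def hunt_score(t):
    """Score = Likelihood x Impact x Detection Gap; N/A techniques are never hunted."""
    if t["coverage"] == "not_applicable":
        return 0
    return t["likelihood"] * t["impact"] * GAP[t["coverage"]]

def priority(t):
    """Bucket a technique into the improvement-plan tiers used above (None = no action)."""
    if t["coverage"] == "not_detected" and t["likelihood"] >= 4:
        return 1                                   # Not Detected + High Likelihood
    if t["coverage"] == "partially_detected" and t["impact"] >= 4:
        return 2                                   # Partially Detected + High Impact
    if t["coverage"] == "not_detected" and t["likelihood"] == 3:
        return 3                                   # Not Detected + Moderate Likelihood
    return None

def improvement_plan(coverage):
    """Return {priority: [technique ids]} with each tier ordered by descending hunt score."""
    plan = {}
    for t in sorted(coverage, key=hunt_score, reverse=True):
        p = priority(t)
        if p is not None:
            plan.setdefault(p, []).append(t["id"])
    return plan

def navigator_layer(coverage, name="Detection coverage"):
    """Build an ATT&CK Navigator layer dict (field names assumed from the public layer format)."""
    return {
        "name": name, "domain": "enterprise-attack",
        "versions": {"layer": "4.5", "navigator": "4.9", "attack": "14"},
        "techniques": [{"techniqueID": t["id"], "color": COLOR[t["coverage"]],
                        "score": hunt_score(t), "comment": f"{t['name']}: {t['coverage']}"}
                       for t in coverage],
    }

if __name__ == "__main__":
    print(improvement_plan(COVERAGE))
    print(json.dumps(navigator_layer(COVERAGE), indent=2))
```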

## Integration Points

- **MITRE ATT&CK Navigator**: Interactive coverage mapping; heat maps; layer sharing; gap identification; free tool for visualizing detection coverage
- **MISP (Malware Information Sharing Platform)**: Open-source threat intelligence platform; IOC sharing; automated enrichment; API integrations; self-hosted or commercial (MISP Enterprise)
- **Splunk Enterprise Security**: Threat intelligence integration; ATT&CK mapping; automated investigation; custom hunt playbooks; correlation search management
- **Microsoft Sentinel**: Built-in ATT&CK mapping; hunting queries; threat intelligence connectors; workbooks for coverage visualization; KQL hunting language
- **CrowdStrike Threat Graph**: Global threat intelligence; TTP mapping; threat actor profiles; ATT&CK technique examples; hunting via FQL
- **Recorded Future**: Real-time threat intelligence API; domain/IP reputation; dark web monitoring; vulnerability intelligence; integrates with SIEM/SOAR
- **Elastic Security**: ATT&CK coverage dashboard; threat hunting workbench; custom detection rules (EQL, Sigma); free tier available
- **Atomic Red Team**: Open-source attack simulation library; 2,500+ tests mapped to ATT&CK; validate detection coverage; run on Windows/Linux/macOS

## Edge Cases

- **Small security teams (1-3 analysts)**: Cannot dedicate full-time hunters; solution: scheduled hunting blocks (4 hours/week); leverage automated hunting tools (EDR auto-investigation); focus on high-value intelligence-driven hunts; use open-source tools (Atomic Red Team for validation)
- **Cloud-native environments**: Traditional endpoint/network hunting not sufficient; solution: cloud workload detection (CWPP); cloud trail analysis; container runtime security; serverless function monitoring; cloud-native threat hunting (AWS GuardDuty, Azure Defender, GCP Security Command Center)
- **Insufficient telemetry**: Cannot hunt what you cannot see; solution: deploy comprehensive logging (EDR, SIEM, network); enable detailed audit logging (Windows, Linux, cloud); implement cloud trail logging; prioritize telemetry based on ATT&CK detection requirements
- **Alert fatigue reducing hunting value**: Too many alerts mask real threats; solution: focus hunting on low-and-slow activity (not covered by alerts); hunt for TTPs not IOCs; use statistical analysis to find anomalies; suppress known noise before hunting
- **Cross-border threat intelligence sharing**: Legal restrictions on sharing intel internationally; solution: share only anonymized IOCs; comply with data protection laws; use ISACs for regulated sharing; verify legal framework before sharing detailed intelligence
- **Advanced threat actors with anti-detection**: Threat actors specifically designed to avoid detection; solution: hunt for behavioral anomalies not specific indicators; focus on TTPs not IOCs; use memory analysis; monitor for living-off-the-land binaries (LOLBins); threat simulation with Caldera
- **Threat intelligence quality varies**: Not all feeds are equally reliable; solution: score intel sources by historical accuracy; prioritize high-confidence feeds; validate IOCs before blocking (avoid blocking legitimate sites); track IOC effectiveness (alerts generated vs. true positives)
