2024-09-06

A threat hunting framework enables security teams to quickly ingest new threat intelligence, such as current indicators of compromise and tactics, techniques, and procedures, formulate these into queries across the relevant systems and network space, and centrally analyze results that might warrant further investigation or response.

More organizations than ever are adopting threat hunting models and frameworks to help guide their security operations and investigations teams when looking for suspicious and malicious behavior in their environments. There are several reasons threat hunting has grown in prominence as a core practice, including the security community's better understanding of attacker behaviors and attack indicators, improved sharing of threat intelligence, and the maturity of tools that facilitate hunting at scale through granular queries, such as endpoint detection and response (EDR).
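The pipeline described above (ingest indicators, turn them into queries across several log sources, aggregate the results centrally) can be sketched in a few dozen lines. The following is an added illustration written for this page, not code from the article or from any of the frameworks it names; the indicator values, log lines, hostnames and the key=value log format are all constructed placeholders.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Constructed threat-intel feed: indicator type -> set of values (placeholders, not real IoCs).
INDICATORS: Dict[str, set] = {
    "domain": {"update-check.bad-domain.test"},
    "ip": {"203.0.113.45"},
    "sha256": {"ab" * 32},
}

# Constructed log lines in a simple "timestamp key=value ..." format, one list per source.
DNS_LOGS = [
    "2024-09-06T10:01:02Z host=ws-01 qname=update-check.bad-domain.test rcode=NOERROR",
    "2024-09-06T10:01:05Z host=ws-02 qname=intranet.corp.test rcode=NOERROR",
]
PROXY_LOGS = [
    "2024-09-06T10:02:00Z host=ws-01 dst=203.0.113.45 method=POST status=200",
    "2024-09-06T10:02:01Z host=ws-03 dst=198.51.100.7 method=GET status=200",
    "2024-09-06T10:02:30Z host=ws-02 dst=203.0.113.45 method=GET status=200",
]
PROCESS_LOGS = [
    f"2024-09-06T10:03:00Z host=ws-01 image=C:\\Temp\\svc.exe sha256={'ab' * 32}",
    f"2024-09-06T10:03:10Z host=ws-02 image=C:\\Windows\\System32\\svchost.exe sha256={'cd' * 32}",
]

# Which field of each source is matched against which indicator type (the "query" mapping).
SOURCES: List[Tuple[str, List[str], str, str]] = [
    ("dns", DNS_LOGS, "qname", "domain"),
    ("proxy", PROXY_LOGS, "dst", "ip"),
    ("process", PROCESS_LOGS, "sha256", "sha256"),
]


class Hit(NamedTuple):
    ts: str
    host: str
    source: str
    ioc_type: str
    value: str


def parse_line(line: str) -> Dict[str, str]:
    """Parse 'ts key=value key=value ...' into a dict; the timestamp is stored under 'ts'."""
    ts, *pairs = line.split()
    fields = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        fields[key] = value
    return fields


def query_source(name: str, lines: List[str], field: str, ioc_type: str,
                 indicators: Dict[str, set] = INDICATORS) -> List[Hit]:
    """Run one indicator type against one log source and return the matching records."""
    wanted = indicators[ioc_type]
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec.get(field, "").lower() in wanted:
            hits.append(Hit(rec["ts"], rec["host"], name, ioc_type, rec[field]))
    return hits


def run_hunt(sources=SOURCES) -> Dict[str, List[Hit]]:
    """Query every source and aggregate the hits centrally, keyed by host."""
    by_host: Dict[str, List[Hit]] = defaultdict(list)
    for name, lines, field, ioc_type in sources:
        for hit in query_source(name, lines, field, ioc_type):
            by_host[hit.host].append(hit)
    return dict(by_host)


def prioritize(by_host: Dict[str, List[Hit]]) -> List[Tuple[str, int, int]]:
    """Rank hosts for triage: hits across more distinct sources first, then more hits overall."""
    def key(item):
        hits = item[1]
        return (len({h.source for h in hits}), len(hits))
    ranked = sorted(by_host.items(), key=key, reverse=True)
    return [(host, len({h.source for h in hits}), len(hits)) for host, hits in ranked]


if __name__ == "__main__":
    for host, n_sources, n_hits in prioritize(run_hunt()):
        print(f"{host}: {n_hits} hit(s) across {n_sources} source(s)")
```

Corroboration across independent sources (DNS, proxy and process telemetry all pointing at the same host) is what pushes a host to the top of the triage list; a single proxy hit on ws-02 ranks below it.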

Threat hunting methodologies

As the concept of threat hunting has taken hold in the security community, numerous methodologies have been released that will help security teams build an effective threat hunting program. Here are some of the most prevalent.

Sqrrl Threat Hunting Reference Model

Created in 2015, the Sqrrl model is still widely regarded as one of the most influential early threat hunting strategies. As much a philosophy as a framework, Sqrrl introduced the first hunting process loop, with the following phases:

Generate a hypothesis. The hypothesis will typically concern which events are occurring and how and where they occurred.

Investigate using threat hunting tools and techniques.

Look for any attack patterns and TTPs.

Use evidence (or lack thereof) to inform and enhance investigations.

Targeted Hunting integrating Threat Intelligence (TaHiTI)

The TaHiTI framework aims to more readily combine threat intelligence and threat hunting into a single model. This model builds on the Sqrrl model by generating new threat intelligence from hunting activities, which then feeds back into the threat intelligence feed for adversary analysis and hunting exercises. Taking active threat hunting feedback and performing correlation through automation tools, analytics and machine learning techniques is now a mainstay of threat hunting models, largely due to TaHiTI.

Prepare, Execute and Act with Knowledge (PEAK)

The PEAK threat hunting methodology expands threat hunting with three different hunting models:

Hypothesis-driven.

Anomalies compared against a baseline.

Threat hunting based on models.

This model also leans heavily on statistical analysis and the categorization of data, as well as on event timestamps and the aggregation of events over time.
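The second of PEAK's three models, anomalies compared against a baseline, is where the statistical and event-time aggregation work described above comes in. The following added example (written for this page; it is not the PEAK project's own code) builds a per-host hourly baseline from a few quiet days, buckets hunt-day events by hour, and flags buckets whose count deviates from the baseline by a z-score threshold. All event data is constructed inline; the hostnames, dates and the "outbound connection" interpretation are assumptions.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev
from typing import Callable, Dict, List, Set, Tuple

BASELINE_DAYS = {"2024-09-01", "2024-09-02", "2024-09-03"}
HUNT_DAY = "2024-09-04"


def make_events() -> List[Tuple[str, str]]:
    """Constructed (timestamp, host) events: three quiet baseline days, then a hunt day with a burst."""
    events = []
    for day in (1, 2, 3):
        for hour in range(24):
            # ws-01 alternates 2 and 3 events per hour, ws-02 is a steady 3 per hour
            for host, n in (("ws-01", 2 + hour % 2), ("ws-02", 3)):
                for i in range(n):
                    events.append((f"2024-09-0{day}T{hour:02d}:{i * 10:02d}:00Z", host))
    for hour in range(24):
        for host, n in (("ws-01", 2), ("ws-02", 3)):
            for i in range(n):
                events.append((f"{HUNT_DAY}T{hour:02d}:{i * 10:02d}:00Z", host))
    # the anomaly: 40 extra events from ws-01 inside the 02:00 hour of the hunt day
    events.extend((f"{HUNT_DAY}T02:{i:02d}:00Z", "ws-01") for i in range(40))
    return events


def hourly_counts(events: List[Tuple[str, str]],
                  day_filter: Callable[[str], bool]) -> Dict[str, Counter]:
    """host -> Counter of events per hour bucket ('YYYY-MM-DDTHH'), limited to days passing day_filter."""
    counts: Dict[str, Counter] = defaultdict(Counter)
    for ts, host in events:
        if day_filter(ts[:10]):          # ts[:10] is the date, ts[:13] the hour bucket
            counts[host][ts[:13]] += 1
    return counts


def build_baseline(events: List[Tuple[str, str]],
                   baseline_days: Set[str]) -> Dict[str, Tuple[float, float]]:
    """Per-host mean and population std dev of hourly counts across all baseline hours."""
    counts = hourly_counts(events, lambda d: d in baseline_days)
    baseline = {}
    for host, per_hour in counts.items():
        # enumerate every hour of every baseline day so quiet hours contribute zeros
        values = [per_hour.get(f"{d}T{h:02d}", 0) for d in sorted(baseline_days) for h in range(24)]
        baseline[host] = (mean(values), pstdev(values))
    return baseline


def find_anomalies(events: List[Tuple[str, str]], baseline: Dict[str, Tuple[float, float]],
                   hunt_day: str, threshold: float = 3.0,
                   min_delta: int = 5) -> List[Tuple[str, str, int, float]]:
    """Return (host, hour_bucket, count, z) for hunt-day hours that spike above the host's baseline.

    min_delta guards against a host whose baseline has zero variance, where any change
    would otherwise produce an infinite z-score.
    """
    counts = hourly_counts(events, lambda d: d == hunt_day)
    anomalies = []
    for host, per_hour in counts.items():
        if host not in baseline:
            continue  # never seen in the baseline window: a different kind of finding
        mu, sigma = baseline[host]
        for hour in sorted(per_hour):
            n = per_hour[hour]
            if sigma > 0:
                z = (n - mu) / sigma
            else:
                z = float("inf") if n > mu else 0.0
            if z >= threshold and n - mu >= min_delta:
                anomalies.append((host, hour, n, round(z, 2)))
    return anomalies


def run_peak_hunt() -> List[Tuple[str, str, int, float]]:
    """End-to-end: build the baseline, then hunt the next day for hourly spikes."""
    events = make_events()
    return find_anomalies(events, build_baseline(events, BASELINE_DAYS), HUNT_DAY)


if __name__ == "__main__":
    for host, hour, n, z in run_peak_hunt():
        print(f"{host} {hour}: {n} events (z={z})")
```

Bucketing by hour is the aggregation step; the baseline is what makes a count of 42 meaningful for one host and unremarkable for another. In practice the baseline window should be long enough to capture weekly rhythms, and a host that is absent from the baseline entirely is worth its own hypothesis rather than a z-score.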

The Open Threat Hunting Framework (OTHF)

OTHF is a newer project that expands threat hunting frameworks to also cover governance, staffing, the data types and use cases involved in hunting, and concrete tactical recommendations for operationalizing and performing threat hunting in an organization.

Mitre ATT&CK

Most in the industry are familiar with the Mitre ATT&CK framework, which catalogs adversary tactics and techniques and can inform threat models while hunting for IoCs and TTPs. While not necessarily prescriptive, ATT&CK can serve as a backdrop to any other threat hunting activity when looking for behaviors and common attacker actions.

Threat hunting methodologies often align with ancillary projects, such as David Bianco's IoC-TTP Pyramid of Pain, which helps define the criticality and priority of detection scenarios.