Advanced Security #threat-hunting #IOC-vs-IOA #MITRE-ATT&CK #hypothesis-driven

Threat Hunting

5 exercises — master threat hunting vocabulary: proactive vs reactive detection, hypothesis-driven vs intelligence-driven hunting, IOC vs IOA and the Pyramid of Pain, writing TTP-based hunt hypotheses with pivot points, and stacking / baseline deviation / time-series techniques. Plus: how to write a hunt report even when no threat is found.

0 / 5 completed

Threat hunting quick reference

Threat hunting — proactive, human-led: assumes breach and looks for undetected adversary activity. No triggering alert needed.
Hypothesis-driven: hunter formulates a testable theory ("if attacker uses T1003, we'd see X in Y data source"). Intelligence-driven: hunt triggered by a specific threat intel report about an actor's TTPs.
IOC (file hash, IP, domain) — tactical, easy for attacker to change. IOA (attacker behaviour/technique) — strategic, hard to change. ← Pyramid of Pain
Pivot points: parent process, user account, file hash, destination host — artefacts you chase from a suspicious finding to extend the investigation.
Stacking: rank by frequency → low-count outliers = potentially malicious. Baseline deviation: compare current to historical normal. Time-series anomaly: detect sudden spikes/drops (e.g., DNS tunnelling).
Hunt report: include hypothesis, data sources, queries, findings, coverage gaps discovered, and recommended new detection rules. "No evidence found" is a valid and valuable outcome.

1 / 5

A threat analyst explains their team's approach to a new hire: "We don't wait for alerts — we go looking for threats that haven't fired any detections. That's threat hunting. But there's an important difference between hypothesis-driven and intelligence-driven hunting, and both are different from just reacting to alerts."

What is threat hunting, what distinguishes hypothesis-driven from intelligence-driven, and how does it differ from alert-driven detection?

Threat hunting assumes breach and goes looking — the most mature form of proactive defence. The "hypothesis" is the core intellectual contribution of the human hunter.

Comparison: alert-driven vs threat hunting

	Alert-driven (reactive)	Threat hunting (proactive)
Trigger	SIEM rule fires an alert	Hunter-initiated: hypothesis or intel report
Starting assumption	Something suspicious was detected	Adversary may already be present, undetected
Coverage	Only catches threats matching written rules	Can discover novel threats with no existing rule
Output	Alert requiring triage	Confirmed finding OR new detection rule OR "no evidence found"
Analyst level	Tier 1–2	Senior analyst / threat intel specialist

Hypothesis examples:
• "If an APT group has compromised credentials, they may use them in off-hours from an unusual geographic location — let me check for late-night authentications from new countries for our top-privilege accounts."
• "Based on the Lazarus Group report, they use DLL side-loading via legitimate Windows system binaries. Let me hunt for unusual parent-child process relationships involving lsass.exe and winlogon.exe."

Key vocabulary:
• Threat hunting — proactive, human-led search for undetected adversary activity; starts without a triggering alert; assumes breach and looks for evidence
• Hypothesis-driven hunting — hunter formulates a testable theory about how an attacker might behave in the specific environment, then searches data to test it
• Intelligence-driven hunting — hunt triggered by specific threat intel (a new APT report, a known TTP); hunter searches for that exact pattern in the environment
• Hunter mindset — "assume breach" — operating under the assumption that adversaries may already be inside, rather than waiting for proof; drives proactive investigation

2 / 5

During a hunt debrief, a senior analyst says: "We were hunting IOCs — which got us nowhere because this group rotates infrastructure. Next time we should hunt IOAs instead — they're much harder for an attacker to change."

What is the difference between IOC and IOA, why does infrastructure rotation matter, and when is each useful?

The Pyramid of Pain (David Bianco, 2013) captures this perfectly: hash values are easiest to change (bottom); behaviours/TTPs are hardest to change (top). IOCs live at the bottom; IOAs live near the top.

IOC vs IOA comparison:

	IOC	IOA
What it is	Static forensic artefact (IP, domain, hash, registry key)	Behavioural pattern (what the attacker does: technique/tactic)
Level	Tactical — identifies specific known threat	Strategic — identifies what any attacker must do to achieve objective
Attacker evasion	Easy to evade: recompile, change IP, rotate domain	Hard to evade: can't avoid credential dumping if that's your technique
MITRE ATT&CK	Sub-technique indicators (hashes, IPs in threat intel)	Techniques and tactics (T1003, T1078, T1059)
Best used for	Blocking known threats; incident response confirmation	Hunting advanced adversaries; building resilient detections

Key vocabulary:
• IOC (Indicator of Compromise) — a forensic artefact (IP, hash, domain, registry key) indicating a specific past or present compromise; tactical; easily changed by adversaries
• IOA (Indicator of Attack) — a behavioural pattern describing what an attacker is actively doing (technique, tactic); maps to MITRE ATT&CK TTPs; harder for attackers to change
• Infrastructure rotation — an adversary tactic of frequently changing C2 servers, domains, and tool hashes to evade IOC-based detection
• Pyramid of Pain — a conceptual model showing that blocking TTPs (top) is much more costly to the attacker than blocking hash values (bottom)

3 / 5

A threat hunter plans a new hunt based on the MITRE ATT&CK framework. She says: "I'm going to write a hypothesis targeting T1003 (Credential Dumping) and identify my pivot points before I start querying the data."

What does a TTP-based hunt hypothesis look like, and what are pivot points in threat hunting?

A well-formed hunt hypothesis connects: attacker objective → specific technique (MITRE ATT&CK ID) → expected observable signature → specific data source to query → pivot points if something is found. Without this structure, hunting is just searching logs without a direction.

Hunt hypothesis template:
Hunt hypothesis: T1078 — Valid Accounts (Lateral Movement)
Attacker objective: Use legitimate credentials to move laterally through the environment
Observable signature: A user account authenticating to multiple internal hosts within a short time window, accessing hosts the account has not previously accessed, outside normal business hours
Data source: Windows Security Event Log 4624 (successful logon), Azure AD sign-in logs, SIEM authentication timeline
Query: Find accounts with >3 unique lateral authentications to new hosts within 60 min; cross-reference with user's historical host access profile
Pivot points if suspicious event found: (1) Source host — what process initiated the authentication? Parent process? (2) Destination hosts — what services were accessed? Any sensitive data stores? (3) Account — current login from expected location? (4) Timing — does this match a known maintenance window?
MITRE ATT&CK hunt coverage vocabulary:
• "We have detections covering 60% of Initial Access techniques but only 30% of Defense Evasion — that's our priority hunting area."
• "Based on the Midnight Blizzard report, they focus on T1098 (Account Manipulation) and T1134 (Token Impersonation). Let's build hypotheses around both."

Key vocabulary:
• Hunt hypothesis — a testable statement that a specific adversary technique is or may be occurring in the environment; the intellectual starting point of a structured threat hunt
• TTP (Tactic, Technique, and Procedure) — the what/how/specifics of adversary behaviour; TTPs are the most durable threat intelligence because they reflect core adversary methods
• Pivot points — forensic artefacts (parent process, user account, destination IP, file hash) connected to a suspicious finding that enable the hunter to extend the investigation deeper into the attack chain
• MITRE ATT&CK — the industry-standard adversary behaviour framework; each technique (e.g., T1003) maps to specific observable signatures and data sources

4 / 5

A team is reviewing hunting techniques. A senior hunter says: "Our most effective hunt last quarter used stacking to find the outliers. We also use baseline deviation and time-series anomaly analysis — the techniques differ depending on what you're looking for."

What do stacking, baseline deviation, and time-series anomaly analysis mean in a threat hunting context?

Each technique solves a different hunting problem: stacking finds rare outliers; baseline deviation finds subtle long-running anomalies; time-series finds sudden behavioral spikes or changes. A skilled hunter chooses based on the hypothesis.

Technique comparison:

Technique	How it works	Best for detecting
Stacking	Rank field values by frequency; investigate low-frequency outliers	Novel malware, unusual process execution, rare admin tool usage
Baseline deviation	Establish normal metric values per entity; flag statistically unusual values	Low-and-slow attacks, subtle persistence, compromised service accounts
Time-series anomaly	Graph metric over time; identify sudden spikes, drops, or pattern changes	DNS tunnelling, beaconing C2, data exfiltration spikes, lateral movement bursts
Clustering	Group similar entities; find entities that don't fit any cluster	Hosts with unusual configurations; accounts behaving unlike their peers

Stacking example in practice:
Query: "For all PowerShell executions across all endpoints this month, stack the unique command-line templates by frequency." Result: 2,847 instances of standard admin PowerShell commands, 12 instances of a specific encoded command. Those 12 warrant individual review — the majority have an obvious explanation (a deploy script), but 2 are from hosts not involved in any deployment and have no business justification → escalate to incident response.

Key vocabulary:
• Stacking (frequency analysis) — ranking field values by count to find outliers; rare = potentially malicious; exposes attacker activity hidden among high volumes of legitimate events
• Baseline deviation — querying for entities whose current behaviour metrics fall outside their established normal range; detects subtle, persistent threats
• Time-series anomaly — identifying sudden changes in a metric trend over time; useful for beaconing, DNS tunnelling, and exfiltration detection
• Clustering — grouping similar entities by behaviour patterns; outliers that don't fit any cluster may indicate compromise

5 / 5

After completing a two-week threat hunt, the team needs to report findings to the security leadership. The hunt found one suspicious pattern but no confirmed compromise. The hunter says: "We need to write a hunt report. Even 'no evidence found' hunts are valuable — we need to document why."

What should a threat hunt report contain, and how do you communicate "no evidence found" constructively?

"No evidence found" is itself a finding — it tells leadership that either the environment is clean of this technique OR the data coverage has gaps that would prevent detection. Both drive improvement.

Hunt report structure:

Section	Content
Hunt summary	Hypothesis, scope, dates, analysts, environment covered
Data sources & queries	What was searched, specific queries, time ranges, tools used
Findings	Confirmed / Suspicious / Benign — every observation with rationale
Detection gaps	Data sources that were absent or incomplete; visibility blind spots identified
New rule recommendations	Specific detection rules to codify hunt logic; moves from manual to automated
Disposition	"No evidence found" + scope statements; "Confirmed finding — escalating to IR"

Communicating "no evidence found" constructively:
"We found no evidence of T1003 credential dumping activity in the monitored environment during the 14-day hunt window. This hunt identified a significant coverage gap: 35% of endpoints are not forwarding Sysmon process access events to the SIEM, which means we cannot confirm the hypothesis is not occurring on those hosts. We recommend prioritising Sysmon deployment on the remaining endpoints. Additionally, we have produced three new detection rules from this hunt that will monitor lsass.exe access automatically going forward — converting this manual hunt into permanent automated coverage."

Key vocabulary:
• Hunt report — a formal document capturing the hypothesis, methodology, data sources, findings, detection gaps, and new rule recommendations from a threat hunt engagement
• Confirmed finding — a hunt result where suspicious evidence was found and confirmed as genuine attacker activity; requires escalation to incident response
• "No evidence found" — the hunt disposition when no suspicious activity matching the hypothesis was found; valuable as proof of coverage OR as a trigger for gap remediation
• Detection gap — a coverage blindspot identified during a hunt where missing data sources would prevent the hypothesis from being tested; drives log source onboarding and monitoring improvements