The sources for hunts and how to prioritise

An important aspect of threat hunting is the creation and prioritisation of hunting hypotheses. You want to avoid spending your valuable time on investigations that yield little result. Prioritisation plays a role in two areas: the creation of new hunting hypotheses, and assigning priorities to the hypotheses on your backlog, assuming that you store ideas for hunts on a backlog.

The creation of hunts and their prioritisation are cyclic processes. Executed hunts lead to new insights that feed the creation of new hunts. And when surrounding circumstances change, a re-prioritisation of the hunts on the backlog may be required.

In this blog, I will use the term hunt to refer to both hunting hypotheses and ideas (which require extra work to become a hypothesis).

Zero priority

Before I go into the sources for hunts and the factors that play a role in the prioritisation, I wish to describe a basic rule: hunts that are linked to the bottom of the Pyramid of Pain have zero priority. That does not mean that they have no value, because they do. In a previous blog I explained why:

The TaHiTI threat hunting methodology focuses only on the top 3 layers of the pyramid and also states that hunting on the lower layers is not considered to be threat hunting. But why are the lower three layers far less interesting for threat hunting? Hunting on the lower 3 layers will not yield high value in a hunting investigation. The simple reason is that the lower layers are based on information from past targeted attacks and wide-scale global threat actor campaigns. This information includes known bad domain names, IP addresses and hashes.

This information comes from attacks that have already been carried out. Therefore, the chances are very small that it will uncover targeted attacks against your company. This does not mean that checks on these lower layers should not be done. They should be automated where possible and where it makes sense.

The sources for hunts

Where do ideas for hunts come from? In other words, which sources are available for hunts? In the next section on prioritisation, we will make use of some of these sources:

  • Results from red and purple teaming

  • Threat intelligence

  • Historical security incidents

  • Crown jewel analysis

  • Domain expertise

  • MITRE ATT&CK®

  • Threat hunting

Results from red and purple teaming

Red and purple team exercises can uncover attacker behaviours that were not well (or not at all) detected. In both types of exercise, the identified attacker behaviours are excellent candidates for the creation of hunts because they have proven successful against your company.

Threat intelligence

For the creation of hunts, threat intelligence should provide information on attacker behaviours that are relevant to your company. It is often beneficial to have this information at the level of a procedure (the P in TTP) and not only at the level of the technique itself (the T in TTP). Depending on the technique, the latter is not always sufficient. Communicating this information using the ATT&CK framework, where possible, ensures a standard and structured way of describing attacker behaviours.

There is much more to be said about threat intelligence as a source for hunts, and about how to use it to guide your blue teaming efforts. That deserves a separate blog.

Historical security incidents

Similar to the results from red teaming exercises, historical security incidents can uncover specific attacker behaviours that have been successful against your company. Make sure you have insight into this information, for example by tagging security incidents that showed a gap in detection, after which you can periodically discuss these incidents with the incident handlers involved.

Crown jewel analysis

The results from crown jewel analysis (a crown jewel being an asset with a high impact on the business when compromised) are used to create hunts. Crown jewel analysis requires close collaboration with other teams to uncover possible attack paths. These paths are used to develop new hunts, which are specific to how your company has organised its IT infrastructure in terms of technology and processes.

Domain expertise

Domain expert knowledge on which hunts can be based comes from different places or sub-sources:

  • From members of the threat hunting team.

  • IT professionals within your company, for example by sitting together with other teams to combine expertise from different domains.

  • The public domain, such as third-party research, blogs, Twitter and white papers.

  • From hunters within other organisations by exchanging ideas one on one, or by sitting together in a knowledge exchange meeting.

MITRE ATT&CK®

The ATT&CK framework is a valuable resource for attacker behaviours and thereby for the creation of hunts. But which technique are you going to hunt on? The DeTT&CT framework is of good help here. Make use of threat intelligence to help answer the question of which techniques are the most relevant for your company.

Although the following is not only applicable to ATT&CK, combining techniques, where necessary, can add great value to your hunting investigation. This approach lets you create an attack scenario by combining (sub-)techniques at the procedure or technique level (the P or T in TTP). You can be more creative still by including behaviour(s) that are not part of ATT&CK, derived from an adversarial tactic (the first T in TTP).

There is much more to be said on ATT&CK. I will mention a few other points only briefly, to prevent this from becoming an ATT&CK blog:

  • Certain ATT&CK techniques are very noisy when looked at in isolation.

  • ATT&CK and its techniques should not be used as a checklist. There are several nuances to take into account. That is not to say there is no value in estimating your current level of detection using the ATT&CK Matrix.

Threat hunting

While performing a threat hunting investigation, you may come up with new insights that translate into new hunts. Add these new hunting ideas to the backlog.

Prioritisation factors

The purpose of the prioritisation factors is to decrease or increase the priority of a hunt. A single increasing factor should not give a hunt top priority, nor should a single decreasing factor give it zero priority; each factor only influences the final priority. A hunt may also match both increasing and decreasing factors. These factors are meant to guide you and should not be used in any form of calculation. Some factors carry more weight than others, depending on the hunt and the surrounding circumstances.

  • Level of detection
    The level of detection for the attacker behaviour covered by the hunt is either good (lowering the priority) or poor (increasing the priority). The probability that executing the hunt yields valuable results is lower or higher accordingly, and that affects the priority.

  • Required time/resources and expected result
    The priority is lowered when the required time/resources are high and the possible outcome is a minimal result. The priority is increased when the hunt requires little time/resources and may quickly lead to a result.

  • The risk associated with the hunt

    When the risk associated with the hunt is estimated to be low, it will decrease the priority. Otherwise, when it is considered to be a high risk, it will increase the priority.

  • Trend in the usage of the attacker behaviour

    The attacker behaviour covered by the hunt can show a notable upward (increasing the priority) or downward (lowering the priority) trend in usage by threat actors, which affects the priority of the hunt.

    Although this may sound obvious: a downward trend in usage does not mean you will not encounter that particular attacker behaviour, just that you will see it less frequently.

  • Source = crown jewel analysis and overall detection coverage is insufficient

    Knowledge of past breaches tells us that generic attacker behaviours (i.e. not specific to a crown jewel) play a crucial role in the attack path to a company’s crown jewels. When your overall detection coverage is considered insufficient, it may be wiser to execute hunts that cover a larger area of the company’s IT infrastructure. These hunts may include systems used by multiple crown jewels, as well as assets you had not considered to have a high impact on the business when compromised. Also, spotting attacker behaviours earlier in the attack path puts you in a much better position to lower the impact of an attack.

    An attacker might not be interested in your crown jewels at all, but take a more straightforward approach by deploying ransomware. When your crown jewels are the target, the attacker can take a lot of time to watch and learn. Subsequently, all the gained knowledge and access rights are used to blend in with normal behaviour, bypassing any crown-jewel-specific detections.

    I do not want to give the impression that hunting on crown jewels should have a low priority. However, it is good practice to take your overall detection coverage into account.

  • Source = results from red and purple teaming
    As explained earlier, these attacker behaviours are excellent candidates for a hunt because they have proven to be successful.

  • Source = historical security incidents
    Similar to red teaming results, these behaviours have been proven to be successful against your company.
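To show how the zero-priority rule and the factors above can be applied to a backlog without turning them into a score, here is an added example (not code from the original post). It only lists the increasing and decreasing factors per hunt, leaving the weighing to the hunter; the `Hunt` fields, the DeTT&CT-style detection score range and all sample hunts and scores are constructed assumptions.

```python
from dataclasses import dataclass

PYRAMID_BOTTOM = {"hash", "ip", "domain"}  # indicator types that get zero priority
PROVEN_SOURCES = {"red/purple teaming", "historical security incident"}
@dataclass
class Hunt:
    title: str
    source: str                        # one of the sources listed in the post
    techniques: list                   # ATT&CK technique IDs the hunt covers
    indicator_type: str = "behaviour"  # or a PYRAMID_BOTTOM indicator type
    effort: str = "medium"             # required time/resources: low/medium/high
    risk: str = "medium"               # risk associated with the hunt: low/medium/high
    trend: str = "stable"              # usage trend of the behaviour: up/stable/down

def triage(hunt, detection_scores, overall_coverage_ok=True):
    """Return (zero_priority, increasing_factors, decreasing_factors); factors are listed, never summed."""
    if hunt.indicator_type in PYRAMID_BOTTOM:
        return True, [], ["bottom of the Pyramid of Pain: automate, do not hunt"]
    up, down = [], []
    # Level of detection: weakest technique; scores are DeTT&CT-style (assumed range -1..5)
    lowest = min((detection_scores.get(t, -1) for t in hunt.techniques), default=-1)
    if lowest <= 1:
        up.append(f"detection poor (lowest score {lowest})")
    elif lowest >= 4:
        down.append(f"detection good (lowest score {lowest})")
    if hunt.effort == "low":
        up.append("low time/resources, quick result possible")
    elif hunt.effort == "high":
        down.append("high time/resources")
    if hunt.risk == "high":
        up.append("high associated risk")
    elif hunt.risk == "low":
        down.append("low associated risk")
    if hunt.trend == "up":
        up.append("behaviour trending up among threat actors")
    elif hunt.trend == "down":
        down.append("behaviour trending down (rarer, not gone)")
    if hunt.source in PROVEN_SOURCES:
        up.append(f"source '{hunt.source}': proven successful against the company")
    if hunt.source == "crown jewel analysis" and not overall_coverage_ok:
        down.append("crown jewel hunt while overall detection coverage is insufficient")
    return False, up, down

# Constructed sample backlog and detection scores (illustrative, not real data)
DETECTION = {"T1003": 1, "T1059": 4, "T1021": 2}
BACKLOG = [
    Hunt("LSASS access by unsigned binaries", "red/purple teaming", ["T1003"], trend="up"),
    Hunt("Known-bad C2 domains in proxy logs", "threat intelligence", [], indicator_type="domain"),
    Hunt("Remote scripting against HR database hosts", "crown jewel analysis", ["T1059", "T1021"], effort="high"),
]
```

Run `triage(h, DETECTION, overall_coverage_ok=False)` over `BACKLOG` to see the domain-based hunt drop to zero priority while the other two come back with only their applicable factors.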


Happy hunting!