
Practical Threat Intelligence and Data-Driven Threat Hunting PDF Free Download Full

Identify, gather, and centralize the specific telemetry sources required to test the hypothesis.

Collecting everything leads to high storage costs and analysis paralysis. Focus on high-value logs first, such as process creation (Sysmon Event ID 1) and authentication events.

+--------------------------------------------------------------------------------------+
| CORE SECURITY TELEMETRY                                                              |
+--------------------------------------------------------------------------------------+
| Endpoint Logs (EDR / Sysmon)   --> Process creation, network connections             |
| Network Traffic (Zeek / PCAP)  --> DNS queries, HTTP headers, TLS metadata           |
| Authentication (Active Dir.)   --> Kerberos tickets, anomalous logins                |
| Cloud Provider Logs (AWS/GCP)  --> IAM adjustments, API infrastructure modifications |
+--------------------------------------------------------------------------------------+

3. Step-by-Step Data-Driven Hunting Workflow

When you detect and disrupt an attacker's TTPs, you force them to reinvent their entire operational playbook. This inflicts maximum cost and operational disruption on the adversary.

2. Foundations of Data-Driven Threat Hunting

MISP (Malware Information Sharing Platform) to store, correlate, and share structured IoCs and threat context.

Every hunt begins with a testable hypothesis derived from CTI, recent security research, or a suspected gap in security coverage.

Threat intelligence is not just a collection of data feeds; it is refined, contextual knowledge about adversaries, their motives, and their technical capabilities. To be practical, CTI must be categorized into three distinct operational layers.

Strategic Intelligence


Example Hypothesis: "Adversaries are abusing Microsoft Office processes to launch PowerShell sessions and bypass execution restrictions within our environment."

Phase 2: Data Gathering and Cleaning

[1. Formulate Hypothesis] ---> [2. Gather Telemetry & Data] ---> [3. Execute Analysis & Queries]
                                                                              |
                                                                              v
[6. Automate Detection] <--- [5. Document & Remediate] <--- [4. Validate/Identify Threat]

Phase 1: Hypothesis Generation

NetFlow data, DNS resolution logs, firewall traffic configurations, and HTTP proxy logs.
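To show how the example hypothesis above (Office processes launching PowerShell) is tested against the process-creation telemetry just listed, here is an added hunt query that is not from the original page: it runs over constructed Sysmon Event ID 1 records and reports parent/child pairs that match, along with any command-line switches that add context to the finding. Field names follow the Sysmon Event ID 1 schema; the sample records and host names are made up for this example.

```python
"""Hunt query for the hypothesis "Office processes spawn PowerShell".

Works on Sysmon Event ID 1 (process creation) records represented as dicts.
The sample records at the bottom are constructed for this example, not
captured telemetry."""
import ntpath

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Switches that often accompany attempts to sidestep execution restrictions;
# each one present is attached to the finding as extra context for the analyst.
SUSPICIOUS_FLAGS = ("-executionpolicy bypass", "-encodedcommand", "-enc ", "-windowstyle hidden")


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path (works on any OS)."""
    return ntpath.basename(path).lower()


def hunt_office_to_powershell(events):
    """Return one finding per Event ID 1 record whose parent is an Office
    application and whose child image is PowerShell."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 1:          # only process-creation events
            continue
        parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
        if parent in OFFICE_PARENTS and child in POWERSHELL:
            cmd = ev.get("CommandLine", "").lower()
            flags = [f.strip() for f in SUSPICIOUS_FLAGS if f in cmd]
            findings.append({"host": ev["Computer"], "parent": parent,
                             "child": child, "flags": flags})
    return findings


# Constructed sample telemetry: one clear match, one benign parent, one
# non-Event-ID-1 record, and one match with a plain script invocation.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand AAAA"},
    {"EventID": 1, "Computer": "WS02",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe"},
    {"EventID": 3, "Computer": "WS01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 1, "Computer": "WS03", "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r"pwsh.exe -File C:\scripts\report.ps1"},
]

if __name__ == "__main__":
    for finding in hunt_office_to_powershell(SAMPLE_EVENTS):
        print(finding)
```

A finding with an empty `flags` list still deserves a look; the Office-to-PowerShell relationship itself is the behaviour the hypothesis targets, and the flags only rank the findings.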

CTI and threat hunting exist in a symbiotic relationship. Threat intelligence provides the context, profiles, and behaviors needed to create an effective hunting plan. Conversely, the discoveries made during a successful threat hunt—such as a newly uncovered Command and Control (C2) domain—are fed back into the CTI team to update internal threat profiles and external blocklists.

Offers whitepapers on threat intelligence and hunting techniques.
