This chapter covers
- Developing a threat-hunting hypothesis
- Documenting a threat-hunting play
- Threat intelligence for threat hunting
- Building a threat-hunting framework
- The details of the threat-hunting process
- Threat-hunting roles and responsibilities
- Important frameworks and standards
- Evaluating a threat-hunting practice
Chapter 1 established foundational threat-hunting concepts. In this chapter, we discuss how to create a threat-hunting framework, starting with an overview of existing frameworks and standards in threat hunting. We discuss how and where a standard such as NIST Special Publication 800-53 Rev. 5 covers threat hunting (it is an explicit control, RA-10 Threat Hunting) and how a framework like MITRE ATT&CK can be used to establish hunts based on adversary tactics, techniques, and procedures (TTPs).
Next, we describe how to start a hunting practice and improve its maturity over time, supplying processes and templates to kick-start the work. We also describe the general roles and responsibilities of the threat hunter, using a responsible, accountable, consulted, and informed (RACI) model. Finally, we describe data sources and their importance to threat hunting. We provide an overview of common data sources and data sets such as Windows native events, System Monitor (Sysmon) events, Linux events, network flows, and firewall events.