Threat hunting is the proactive, iterative search ("hunt") for indications of security incidents that evade existing security mechanisms
(This definition is based on previous work by David Bianco)
Focus the direction of a hunt
  Uses knowledge of adversary behavior (threat intelligence) to lead a hunt
    These hunts can be accomplished using specific or generalized adversary tactics, techniques, and procedures (TTPs)
  Uses knowledge of critical or sensitive assets to lead a hunt
    These hunts can be accomplished by consulting with strategic internal partners to determine which assets are most important for business operations
  Uses knowledge of abnormal or unexpected behavior (anomalies) to lead a hunt
    These hunts can be accomplished using ad hoc (moment in time) or historical (long-term, "baseline") data
Methods that can be used to perform a hunt
  Uses pattern matching to identify events of interest
  Uses key-value counting to identify events of interest
  Uses visualizations, such as box plots and heat maps, to identify events of interest
  Uses linked graphs (tree data structures) to identify events of interest
  Uses machine learning, such as linear regression or random forests, to identify events of interest
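Added example (not part of the original outline): two of the methods above, key-value counting ("stacking") and pattern matching, applied to constructed host process-execution records, with the anomaly-driven focus of comparing an ad hoc window against a historical baseline. All hostnames and process pairs are made up for the example.

```python
import re

# Constructed host process-execution records (host, parent_process, child_process);
# made up for this example, not taken from any real environment.
BASELINE = [  # historical window: what "normal" looked like
    ("ws01", "explorer.exe", "outlook.exe"), ("ws01", "explorer.exe", "chrome.exe"),
    ("ws02", "explorer.exe", "outlook.exe"), ("ws02", "explorer.exe", "excel.exe"),
    ("ws03", "services.exe", "svchost.exe"), ("ws03", "explorer.exe", "chrome.exe"),
]
CURRENT = [  # ad hoc window being hunted
    ("ws01", "explorer.exe", "outlook.exe"), ("ws02", "explorer.exe", "outlook.exe"),
    ("ws03", "explorer.exe", "outlook.exe"), ("ws01", "explorer.exe", "chrome.exe"),
    ("ws02", "explorer.exe", "chrome.exe"), ("ws01", "services.exe", "svchost.exe"),
    ("ws02", "services.exe", "svchost.exe"), ("ws03", "services.exe", "svchost.exe"),
    ("ws02", "winword.exe", "powershell.exe"), ("ws03", "explorer.exe", "excel.exe"),
]

def parent_child(event):
    """Key used for stacking: the (parent, child) process pair."""
    return (event[1], event[2])

def stack(events, key=parent_child):
    """Key-value counting ("stacking"): number of distinct hosts exhibiting each key."""
    hosts = {}
    for e in events:
        hosts.setdefault(key(e), set()).add(e[0])
    return {k: len(h) for k, h in hosts.items()}

def rare(events, max_hosts=1, key=parent_child):
    """Keys seen on at most max_hosts hosts, least common first (then alphabetical)."""
    counts = stack(events, key)
    return sorted((k for k, n in counts.items() if n <= max_hosts), key=lambda k: (counts[k], k))

def new_since_baseline(current, baseline, key=parent_child):
    """Anomaly hunt: keys in the current window that never appeared in the baseline.
    Rare-but-baselined keys (one host running Excel) drop out, leaving genuine novelties."""
    return sorted(set(stack(current, key)) - set(stack(baseline, key)))

def search(events, pattern):
    """Pattern matching: events whose child process name matches a regex."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [e for e in events if rx.search(e[2])]

if __name__ == "__main__":
    print("rare pairs:", rare(CURRENT))
    print("new vs baseline:", new_since_baseline(CURRENT, BASELINE))
    print("search:", search(CURRENT, r"^powershell"))
```

Stacking alone flags both low-frequency pairs; subtracting the baseline leaves only the pair that is new to the environment, which is what makes the anomaly hunt reviewable by hand.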
Categorizations of data that can be used during a hunt
  Contains data that describes traits of and actions taken on a host
    Examples: process execution, files on-disk, service modification
  Contains data that describes traits of and actions taken by a file
    Examples: embedded files, static analysis, dynamic analysis
  Contains data that describes traits of and actions taken on a network
    Examples: flow records, proxy connections, email messages
  Contains data that describes traits of and actions taken on a cloud deployment
    Examples: CloudTrail (AWS), Cloud Audit (GCP), Log Analytics (Azure)
  Contains data that describes traits of and actions taken by an application
    Examples: database transactions, online office software
Resources that can be used to facilitate hunts