There’s no denying it: Threat hunting is difficult. Identifying relevant topics to trigger hunts, finding resources to hunt, creating pre- and post-mortem reports… the list goes on and on. At times, the task feels overwhelming. Even the most experienced threat hunter can feel overloaded. In this blog, the ReliaQuest Photon Research team steps in to offer the following guidance on the first stage of a threat hunt.

Threat Hunting and Threat Intelligence

A great threat hunt is fueled by a solid understanding of your business, the associated risks, and the methods attackers are using to access your environment. It all starts with identifying meaningful threat intelligence and using it to produce valuable threat-hunting topics that are relevant to your environment.

Weighing the Threat Intelligence

Not all threat intelligence is created equal, so always weigh its relevance. How relevant is the information to your environment or your business area? Does it originate from historical events your security team has responded to? Asking these questions should be habitual, and the habit builds a strong foundation for developing a hunt. Randomly picking bits of intelligence to focus on, rather than selecting targets carefully, can cost precious hours. Since the goal of threat hunting is to reduce an attacker’s dwell time, you don’t have hours to spare.

Typically, threat intelligence is perceived as coming only from external sources, but your own environment is a source too. As obvious as it seems, understanding your business and its associated risks is crucial at this stage. You can build that understanding by auditing the devices on your network, identifying and monitoring the threat actors who typically target your business area, and regularly performing hygiene activities such as monitoring New Technology LAN Manager (NTLM) use (a legacy authentication protocol that enables relay and pass-the-hash attacks, so any account still using it deserves a look) and looking for remote authentications that lack multifactor authentication.
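As an added example (not ReliaQuest code), the two hygiene checks above written as a small Python hunt over a constructed, normalized authentication data set. The event fields, the sample events and the choice of Windows logon types 3 and 10 as "remote" are assumptions; note that a raw Windows 4624 event carries no MFA indicator, so the `mfa` field stands for a signal you would have to join in from your VPN or identity provider logs.

```python
"""Hygiene hunt: NTLM use and external logons without MFA.

Added example, not ReliaQuest code. The event schema and sample data are
constructed for illustration: ts, user, src_ip, logon_type, auth_package, mfa.
"""
import ipaddress
from collections import Counter

# RFC 1918 ranges treated as "inside"; adjust to your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Windows logon types: 3 = network, 10 = RemoteInteractive (RDP). Assumed here
# to be the types that matter for a "remote authentication" check.
REMOTE_LOGON_TYPES = {3, 10}

SAMPLE_EVENTS = [  # constructed sample data
    {"ts": "2024-05-01T08:02:11Z", "user": "alice", "src_ip": "10.1.4.22",
     "logon_type": 2, "auth_package": "Kerberos", "mfa": True},
    {"ts": "2024-05-01T08:05:40Z", "user": "svc-backup", "src_ip": "10.1.9.5",
     "logon_type": 3, "auth_package": "NTLM", "mfa": False},
    {"ts": "2024-05-01T09:17:03Z", "user": "bob", "src_ip": "203.0.113.45",
     "logon_type": 10, "auth_package": "NTLM", "mfa": False},
    {"ts": "2024-05-01T09:20:55Z", "user": "carol", "src_ip": "198.51.100.7",
     "logon_type": 10, "auth_package": "Negotiate", "mfa": True},
    {"ts": "2024-05-01T11:42:19Z", "user": "bob", "src_ip": "203.0.113.45",
     "logon_type": 3, "auth_package": "NTLM", "mfa": False},
]


def is_external(ip):
    """True when the source address is outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def ntlm_usage(events):
    """Stack NTLM authentications by account.

    Returns a Counter so the long tail (accounts that should be on Kerberos
    but still negotiate NTLM) is easy to eyeball or sort.
    """
    return Counter(e["user"] for e in events
                   if e["auth_package"].upper() == "NTLM")


def remote_logons_without_mfa(events):
    """Remote (type 3/10) logons from external addresses with no MFA signal."""
    return [e for e in events
            if e["logon_type"] in REMOTE_LOGON_TYPES
            and is_external(e["src_ip"])
            and not e["mfa"]]


if __name__ == "__main__":
    for user, n in ntlm_usage(SAMPLE_EVENTS).most_common():
        print(f"NTLM  {user:12s} {n}")
    for e in remote_logons_without_mfa(SAMPLE_EVENTS):
        print(f"NOMFA {e['user']:12s} {e['src_ip']} type={e['logon_type']}")
```

Against the sample data the NTLM stack lists `svc-backup` and `bob`, and the MFA check returns only `bob`'s two logons from 203.0.113.45: `carol` is external but has MFA, and `svc-backup` uses NTLM from an internal address, which the first check surfaces while the second correctly ignores it. In a real hunt the interesting part is the tail of the NTLM stack and every line of the second list.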

You can also keep track of true-positive events in your environment, which will offer unique insights into the areas attackers might target. This kind of activity shows you where detection is strong and helps identify weak areas. With that kind of solid information, you can build a sturdy foundation for future hunt stages.

Using Threat Intel to Structure Hunt Types

Some unique challenges will arise when working through this process. A common pain point is figuring out how to combine threat hunting and threat intelligence. To solve this conundrum, pre-define structures for hunt types, such as attack- and analytic-based hunts, to create a repeatable process. Your security team can then use the gathered intelligence in different ways.

  • Attack-based hunts primarily focus on specific threat tactics and techniques. Collate intel that reflects previous events in your environment (remember the relevance!). Pair that experiential knowledge with your external threat intel, which provides evidence of techniques used in the wild. Also make sure you understand which detection rules you have in place and what they do and don’t cover.
  • Analytic-based hunts seek abnormalities in data sets by asking “Does anything in <blank> look malicious?” They give you a structure for the search, but you can’t flesh them out without knowing the details of the data set you are querying. These hunts produce large result sets; scrutinize them for outliers your detection tools missed. Your overall goal is to find evil and decrease dwell time, but as an added benefit you might uncover a previously overlooked detection opportunity.
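
The two hunt types side by side, as an added example (not ReliaQuest code) over one constructed set of authentication attempts. The attack-based hunt starts from a technique chosen from intel; password spraying (MITRE ATT&CK T1110.003) is assumed here purely for illustration, as are the thresholds. The analytic-based hunt asks "does anything in the successful logons look odd?" by stacking source networks per account and returning the rare pairs. Field names and sample events are constructed.

```python
"""Attack-based vs. analytic-based hunt over the same authentication data.

Added example, not ReliaQuest code. Events, field names, the chosen technique
(password spraying) and all thresholds are assumptions for illustration.
"""
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta

AUTH_EVENTS = [  # constructed sample data: ts, user, src_ip, outcome
    {"ts": "2024-05-02T01:00:05Z", "user": "alice", "src_ip": "10.1.4.22", "outcome": "success"},
    {"ts": "2024-05-02T01:30:10Z", "user": "alice", "src_ip": "10.1.4.22", "outcome": "success"},
    {"ts": "2024-05-02T02:10:00Z", "user": "alice", "src_ip": "10.1.4.23", "outcome": "success"},
    {"ts": "2024-05-02T03:00:00Z", "user": "alice", "src_ip": "198.51.100.7", "outcome": "success"},
    {"ts": "2024-05-02T03:05:00Z", "user": "bob", "src_ip": "10.1.4.40", "outcome": "success"},
    {"ts": "2024-05-02T03:06:00Z", "user": "bob", "src_ip": "10.1.4.40", "outcome": "success"},
    {"ts": "2024-05-02T03:30:00Z", "user": "carol", "src_ip": "10.1.4.50", "outcome": "success"},
    {"ts": "2024-05-02T03:45:00Z", "user": "carol", "src_ip": "10.1.4.50", "outcome": "success"},
    {"ts": "2024-05-02T04:00:00Z", "user": "bob", "src_ip": "10.1.4.41", "outcome": "success"},
    # one external source tries six accounts once each, then lands on "dave"
    {"ts": "2024-05-02T04:10:00Z", "user": "alice", "src_ip": "203.0.113.45", "outcome": "failure"},
    {"ts": "2024-05-02T04:10:03Z", "user": "bob", "src_ip": "203.0.113.45", "outcome": "failure"},
    {"ts": "2024-05-02T04:10:06Z", "user": "carol", "src_ip": "203.0.113.45", "outcome": "failure"},
    {"ts": "2024-05-02T04:10:09Z", "user": "dave", "src_ip": "203.0.113.45", "outcome": "failure"},
    {"ts": "2024-05-02T04:10:12Z", "user": "erin", "src_ip": "203.0.113.45", "outcome": "failure"},
    {"ts": "2024-05-02T04:10:15Z", "user": "frank", "src_ip": "203.0.113.45", "outcome": "failure"},
    {"ts": "2024-05-02T04:25:00Z", "user": "dave", "src_ip": "203.0.113.45", "outcome": "success"},
    # a user fat-fingering their own password: many failures, one account
    {"ts": "2024-05-02T05:00:00Z", "user": "carol", "src_ip": "10.1.4.50", "outcome": "failure"},
    {"ts": "2024-05-02T05:00:20Z", "user": "carol", "src_ip": "10.1.4.50", "outcome": "failure"},
    {"ts": "2024-05-02T05:00:40Z", "user": "carol", "src_ip": "10.1.4.50", "outcome": "failure"},
    {"ts": "2024-05-02T05:01:00Z", "user": "carol", "src_ip": "10.1.4.50", "outcome": "success"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def attack_based_password_spray(events, window=timedelta(minutes=30),
                                min_accounts=5, max_per_account=2):
    """Attack-based hunt: one source, many accounts, few attempts each.

    For every source address, slide a window over its attempts; a window in
    which at least `min_accounts` distinct accounts fail, none more than
    `max_per_account` times, is a spray candidate. Successes inside the same
    window are reported as possibly compromised accounts.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src_ip"]].append(e)
    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        for i, start in enumerate(evs):
            t0 = parse_ts(start["ts"])
            win = [e for e in evs[i:] if parse_ts(e["ts"]) - t0 <= window]
            fails = Counter(e["user"] for e in win if e["outcome"] == "failure")
            if len(fails) >= min_accounts and max(fails.values()) <= max_per_account:
                successes = sorted({e["user"] for e in win if e["outcome"] == "success"})
                findings.append({"src_ip": src, "accounts_tried": len(fails),
                                 "compromised": successes})
                break  # one finding per source is enough for triage
    return findings


def analytic_based_rare_sources(events, max_seen=1):
    """Analytic-based hunt: stack successful logons by (user, source /24).

    No technique is assumed; the pairs seen `max_seen` times or fewer are the
    outliers handed to an analyst. Returns sorted (user, network) tuples.
    """
    stack = Counter()
    for e in events:
        if e["outcome"] != "success":
            continue
        net = ipaddress.ip_network(f"{e['src_ip']}/24", strict=False)
        stack[(e["user"], str(net))] += 1
    return sorted(pair for pair, n in stack.items() if n <= max_seen)


if __name__ == "__main__":
    print("attack-based:", attack_based_password_spray(AUTH_EVENTS))
    print("analytic-based:", analytic_based_rare_sources(AUTH_EVENTS))
```

The spray hunt flags 203.0.113.45 (six accounts, `dave` compromised) and ignores `carol`'s burst of failures against a single account. The rarity stack returns `alice` from 198.51.100.0/24 and `dave` from 203.0.113.0/24: it rediscovers the compromised account without knowing the technique, and it also hands the analyst `alice`'s one-off external logon, which is exactly the kind of outlier the text says a detection tool would have missed and a hunter has to scrutinize.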

Valid Intel Leads to a Productive Threat Hunt

Now let’s work through an example of identifying intel and using it to inform the beginning stage of a threat hunt.

Your company recently responded to a network intrusion by a threat group known to target your business’s industry, financial services. After searching through historical events investigated by your security team, you uncover artifacts that suggest this group has attempted to gain initial network access multiple times in recent weeks. In addition, through post-mortem assessment reports, you identify gaps in visibility when it comes to external authentication activity.


Previously, your security team hadn’t noticed this threat group attempting to infiltrate your network. Now you can hunt for the tactics and techniques they used for initial access, which gives the threat hunt a solid foundation.

You decide to expand the scope of your threat hunt to determine whether any other threat actors gained access using those same methods. You then combine the intelligence found through the incident response with the intelligence about the attacker and similar groups, to prioritize specific threat tactics and techniques.

Next Steps

So, what quick steps can you take to begin using threat intelligence meaningfully? Start by implementing a collection process with your security team and openly discussing the relevancy of the intelligence to your environment. This process will empower your security operations with meaningful intelligence to build successful threat hunts in your environment.

From there, follow the steps above to launch a smooth, repeatable process for identifying relevant intelligence. It’s a reliable approach to tune out the “noise” that can stand in the way of a productive threat hunt or other cybersecurity challenges.

The ReliaQuest GreyMatter security operations platform delivers automated threat-hunting packages that can comb through your security tools, systems, and business applications and identify problems hidden in your network—all from a single console.