Mindset of Threat Hunting: Questions to Ask Yourself

1. What are the possible implications of this TTP?
   • Consider how this tactic, technique, or procedure could impact the organization or systems.
2. How could this TTP be chained with other techniques?
   • Analyze how attackers might combine this TTP with others to enhance their attack strategies.
3. Are there any related TTPs or tactics that I should be aware of?
   • Identify additional techniques that are associated or commonly used alongside this TTP.
4. What indicators or artifacts might be associated with this TTP?
   • Determine the signs, logs, or forensic evidence that this TTP might leave behind.
5. How would an attacker leverage this TTP in a real-world scenario?
   • Understand the practical application of this TTP from an attacker's perspective.
6. Are there any defensive measures or mitigations to counteract this TTP?
   • Explore existing security controls or strategies that can detect or prevent this TTP.
7. What are the potential blind spots or gaps in detection for this TTP?
   • Identify areas where current monitoring may be insufficient to detect this activity.
8. How can I proactively hunt for evidence of this TTP in my environment?
   • Plan methods and tools to search for signs of this TTP within your systems and networks.
9. What data sources or logs should I review to detect this TTP?
   • List specific logs, alerts, or data repositories that could contain relevant information.
10. Are there any deviations from normal behavior that might indicate exploitation of this TTP?
    • Look for anomalies or unusual patterns that could signal the TTP is being exploited.