Classifications of Hunts

1. Data (Triggered by Data Observation)

• Baseline Activity
• Tech Stack
• Web Scanning Activity

2. Entity (High-Risk/High-Value Assets or "Crown Jewels")

• Business Vertical/Sector
  • Examples: Water utilities, Finance, Banking POS systems, Industrial ICS
• Geopolitical Factors

3. TTPs (Tactics, Techniques, and Procedures)

• Tactics
  • How the attack operates
  • Infrastructure used
  • Compromised targets
  • Entry points
• Techniques
  • Approaches used in the attack
  • Tools or malware utilized
  • Types of attacks (e.g., phishing, exploits)
• Procedures
  • Sequence of actions or steps during the attack cycle
• Known TTPs
• New TTPs
• MITRE TTPs
• Honeypot Data
• Malware Analysis/Network Breakdown
  • Signatures: YARA rules, Sigma, STIX
  • Strings (code or text within malware)
  • PE Format (Portable Executable format analysis)
  • File Entropy (randomness in the file)
  • Behavior (malware actions)
  • Origin (source of the malware)
  • Metadata (file properties and attributes)
• Proofs of Concept (POCs)
  • Attack Target
  • Disclosed CVEs (Common Vulnerabilities and Exposures) or Zero-Day Vulnerabilities
  • Kill Chain Section (stage of the attack), Data Sources

4. Hybrid/Blend

• Emulating Threats
  • Atomic Red Team, CALDERA, custom scripts