The threat hunt begins with an initiating event. Organizations that incorporate threat hunting into their operations may have a process or policy requiring that threat hunting be conducted at a specific cadence or time period. For example, an organization may have a process in which the security operations team conducts four or five threat hunts per month, each starting on the Monday of a week. Each one of these separate, scheduled hunts would be considered an initiating event.
A second type of initiating event is usually driven by a threat intelligence alert that comes from an internal or external source. For example, an organization may receive an alert such as the one shown in the following screenshot. This alert, from the United States Federal Bureau of Investigation, indicates that there are new Indicators of Compromise (IoCs) associated with the Ryuk family of ransomware. An organization may decide to act on this intelligence and begin a hunt through the network for any of the IoCs provided as part of the alert, shown here:
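To make the intelligence-driven initiating event concrete, the following added example (not code from the book or from any advisory) sketches the first hunting step that such an alert triggers: normalizing the indicator list from the alert and sweeping existing log data for matches. The IoC values, the `ALERT_IOCS` dictionary and the `SAMPLE_LOGS` lines are all constructed placeholders using documentation-reserved names and addresses, not indicators from any real Ryuk alert.

```python
"""Sweep constructed log lines for indicators listed in a threat-intel alert.

Added example. Every IoC and log line below is constructed for illustration;
none is a real indicator from an FBI or other advisory.
"""
import re
from dataclasses import dataclass

# Constructed IoC set, shaped like the indicator types an alert typically lists.
# Values use reserved ranges (.invalid TLD, 203.0.113.0/24) and a pattern hash,
# so they cannot collide with real infrastructure or samples.
ALERT_IOCS = {
    "sha256": {"0123456789abcdef" * 4},          # 64 hex chars, placeholder hash
    "domain": {"c2-placeholder.invalid"},
    "ipv4": {"203.0.113.45"},
}


@dataclass
class Hit:
    line_no: int
    ioc_type: str
    indicator: str
    line: str


def normalize_iocs(iocs):
    """Lowercase each indicator and undo common defanging ([.] and hxxp)."""
    norm = {}
    for kind, values in iocs.items():
        cleaned = set()
        for v in values:
            v = v.strip().lower().replace("[.]", ".").replace("hxxp", "http")
            cleaned.add(v)
        norm[kind] = cleaned
    return norm


# Candidate extractors; the line is lowercased before these run.
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def hunt(log_lines, iocs):
    """Return a Hit for every indicator-type candidate that appears in the IoC set."""
    iocs = normalize_iocs(iocs)
    hits = []
    for n, raw in enumerate(log_lines, start=1):
        line = raw.lower()
        for kind, pattern in (("sha256", SHA256_RE), ("ipv4", IPV4_RE), ("domain", DOMAIN_RE)):
            for candidate in set(pattern.findall(line)):
                if candidate in iocs.get(kind, ()):
                    hits.append(Hit(n, kind, candidate, raw))
    return hits


def summarize(hits):
    """Count hits per indicator type so the hunter sees which IoC classes fired."""
    summary = {}
    for h in hits:
        summary[h.ioc_type] = summary.get(h.ioc_type, 0) + 1
    return summary


# Constructed DNS, proxy and EDR-style log lines for the example.
SAMPLE_LOGS = [
    "2024-01-08T09:12:01Z dns client=10.0.0.12 query=c2-placeholder.invalid type=A",
    "2024-01-08T09:12:03Z proxy client=10.0.0.12 dst=203.0.113.45:443 action=allow",
    "2024-01-08T09:15:44Z edr host=WS-17 proc=svchost.exe sha256=" + "0123456789abcdef" * 4,
    "2024-01-08T09:16:00Z dns client=10.0.0.20 query=www.example.com type=A",
]

if __name__ == "__main__":
    found = hunt(SAMPLE_LOGS, ALERT_IOCS)
    for h in found:
        print(f"line {h.line_no}: {h.ioc_type} {h.indicator}")
    print(summarize(found))
```

Extracting candidates with a regex and then looking each one up in a set keeps the sweep linear in the size of the logs regardless of how many indicators the alert carries, and the normalization step matters because advisories routinely defang domains and URLs before publishing them.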
After the initiating event is fully understood, the next phase is to start crafting what to look for during the threat hunt.