Before submitting a hunt to HEARTH, it's valuable to gather intelligence and inspiration from various sources. This guide provides resources and methods for developing threat hunting ideas.
- MITRE ATT&CK
  - Browse tactics and techniques
  - Study documented adversary behaviors
  - Review procedure examples
- CISA Alerts
  - Recent vulnerability announcements
  - Threat actor TTPs
  - Incident reports
- Industry ISACs
  - Sector-specific threats
  - Emerging attack patterns
  - Shared intelligence reports
- Academic Papers
- Security Blogs
  - Vendor security blogs
  - Independent researchers
  - Threat research teams
- Conference Materials
  - Black Hat presentations
  - DEF CON talks
  - BSides talks
  - Other conference presentations (use Google or check YouTube)
- Twitter/X Security Community
  - Follow threat researchers
  - Track the #infosec and #threathunting tags
  - Monitor vendor security accounts
- GitHub Repositories
  - Detection rule repositories
  - Threat hunting tools
  - Attack simulation projects
- Security Forums
  - Reddit (r/netsec, r/blueteam, r/purpleteam, r/redteam)
  - InfoSec Slack and Discord communities
- Unit 42 (Palo Alto Networks)
- The DFIR Report
- Google Cloud Security Blog
- Talos Intelligence
- Splunk Threat Research Team
- Kaspersky SecureList
- ThreatPost
- Malwarebytes Blog
- Red Canary Threat Detection Report
- CERT-EU Blog
- WeLiveSecurity by ESET
- ThreatConnect Blog
- CrowdStrike Blog
- McAfee Labs Blog
- Recorded Future Blog
- CyberArk Research Blog
- Comprehensive adversary tactics and techniques
- Real-world examples and procedures
- Mapping to detection strategies
- Open-source hunting methodologies
- Practical analytics
- Implementation guides
- Use cases
- Technical procedures
- Sample queries
- Windows Event Documentation
- AWS CloudTrail Documentation
- Azure Security Documentation
- Google Cloud Documentation
- Monitor news for security incidents
- Study published incident reports
- Review disclosed vulnerabilities
- Track threat actor campaigns
- Review past security incidents
- Analyze failed attack attempts
- Study successful compromises
- Examine detection gaps
- Audit available data sources
- Identify unexplored data sets
- Review logging coverage
- Map detection capabilities
- Document basic concept
- Note relevant data sources
- List potential techniques
- Record references
- Gather supporting evidence
- Find similar approaches
- Document limitations
- Identify requirements
- Is the idea testable?
- Are data sources available?
- What tools are needed?
- Is it practically implementable?
- Flames (Hypothesis-Driven)
  - Clear adversary behavior
  - Specific activity patterns
  - Testable hypothesis
- Embers (Baseline)
  - Normal behavior patterns
  - Environmental baselines
  - Deviation detection
- Alchemy (Model-Assisted)
  - Algorithm requirements
  - Data science approach
  - Pattern recognition
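To make the Embers criteria concrete (normal behavior patterns, an environmental baseline, deviation detection), here is an added example that is not part of HEARTH or this guide. It builds a per-user baseline of logon hosts from a constructed seven-day window and flags logons in the hunted window that fall outside it; the record tuples, user names and host names are all invented for illustration.

```python
"""Baseline ("Embers") hunt over constructed logon records.

Each record is (day, user, host). Days 1-7 form the baseline window;
day 8 is the window being hunted. All values are constructed sample data.
"""
from collections import defaultdict

BASELINE_RECORDS = [
    (1, "alice", "WS-01"), (2, "alice", "WS-01"), (3, "alice", "WS-01"),
    (4, "alice", "WS-05"),
    (1, "bob", "WS-02"), (2, "bob", "WS-02"), (4, "bob", "WS-02"),
    (5, "bob", "JUMP-01"),
    (6, "svc_backup", "FS-01"), (7, "svc_backup", "FS-01"),
]

HUNT_RECORDS = [
    (8, "alice", "WS-01"),
    (8, "bob", "WS-02"),
    (8, "svc_backup", "FS-01"),
    (8, "svc_backup", "WS-03"),   # service account on a workstation it never used
    (8, "alice", "DC-01"),        # workstation user appearing on a domain controller
    (8, "mallory", "WS-09"),      # account with no baseline history at all
]


def build_baseline(records):
    """Map each user to the set of hosts seen during the baseline window."""
    seen = defaultdict(set)
    for _day, user, host in records:
        seen[user].add(host)
    return seen


def find_deviations(baseline, records):
    """Return (user, host) pairs in the hunted window that the baseline never saw.

    A user with no baseline entry is reported as well: having no history is
    itself a deviation from the environment's normal pattern.
    """
    hits = []
    for _day, user, host in records:
        if host not in baseline.get(user, set()):
            hits.append((user, host))
    return hits


def triage_order(baseline, deviations):
    """Rank deviations so the narrowest baselines come first.

    A user normally seen on one host stepping onto another is a stronger
    signal than a user who already roams across many hosts.
    """
    return sorted(
        deviations,
        key=lambda uh: (len(baseline.get(uh[0], ())), uh[0], uh[1]),
    )


if __name__ == "__main__":
    base = build_baseline(BASELINE_RECORDS)
    for user, host in triage_order(base, find_deviations(base, HUNT_RECORDS)):
        print(f"deviation: {user} -> {host} (baseline hosts: {sorted(base.get(user, []))})")
```

The baseline window is the part that decides whether this hunt produces signal or noise: seven days of constructed data is enough for the example, but in a real environment a window shorter than the normal rhythm of the accounts involved (month-end jobs, on-call rotations) will report ordinary activity as deviation, so the window length and the minimum number of observations per user belong in the hunt's documented assumptions.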
- Complete hypothesis statement
- Supporting references
- Implementation details
- Required resources
- Use official template
- Include all references
- Document assumptions
- Note limitations
- Start Small
  - Focus on specific behaviors
  - Limit initial scope
  - Build on basics
- Validate Feasibility
  - Check data availability
  - Verify tool access
  - Test basic concepts
- Document Everything
  - Record sources
  - Note decisions
  - Track changes
  - Save references
- Seek Feedback
  - Share early drafts
  - Request peer review
  - Incorporate suggestions
  - Iterate based on input
Remember: The best hunt ideas often start as simple observations or questions. Use this guide to help develop your initial concepts into full-fledged HEARTH submissions.