Threat hunting is the proactive effort of searching for signs of malicious activity, both current and historical, in the IT infrastructure that have evaded existing security defenses.
TaHiTI Threat Hunting Methodology
Threat hunting is a relatively new area of expertise. While the activity itself is not new, specific hunting tools, models and best practices have been developed in recent years. This document outlines a standardized and repeatable approach to threat hunting based on practical experience and integrates the threat intelligence and threat hunting processes. The document is intended for threat hunters, security analysts, cyber threat intelligence teams and cyber defense specialists. The document can also serve as an introduction to threat hunting for security managers.
The TaHiTI methodology for threat hunting was created with real hunting practice in mind and provides organizations with a standardized and repeatable approach to their hunting investigations. The methodology uses 3 phases and 6 steps and integrates threat intelligence throughout its execution. These 3 phases are "initialize" (process input), "hunt" (the execution phase) and "finalize" (process output). Organizations can use the TaHiTI methodology to connect the threat hunting process to other processes, especially the threat intelligence process. TaHiTI is based on practical experience and aggregates existing resources into a single comprehensible methodology.
TaHiTI is supported by the "MaGMa for threat hunting tool", which can be used to provide insight into the results of the process and guidance for improvement. Organizations already using the MaGMa use case framework will be able to easily integrate the threat hunting and security monitoring processes.
TaHiTI publishes a methodology which can be read in the documents below: