What are threat hunting techniques?

Threat hunting techniques are the systematic approaches analysts use to find hidden threats in your environment. The most effective programs don’t rely on a single technique—they combine hypothesis-driven investigation, behavioral baselining, TTP-based hunting using MITRE ATT&CK, IOC searches, and statistical analysis to search across different threat scenarios and data types. Knowing when to apply each technique is what separates skilled hunters from those just running queries.


Hypothesis-driven hunting

Hypothesis-driven hunting is the most powerful technique in a threat hunter’s toolkit, and the most demanding. It starts not with a known indicator, but with a question: given what we know about attacker behavior and our specific environment, where might a threat actor be hiding right now?

A well-formed hypothesis is specific enough to test but broad enough to be meaningful. “An attacker may be using living off the land binaries to move laterally from a compromised endpoint to our domain controllers” is a testable hypothesis. “Something bad might be happening” is not.

From the hypothesis, hunters identify the data sources and queries that would provide evidence for or against it, then work through those systematically, recording both what they found and which parts of the hypothesis the available data could not speak to. This technique can find threats that no existing detection rule or indicator would catch, which is why it matters most against attackers who deliberately avoid reusing known indicators.


Intelligence-based and IOC hunting

IOC (indicator of compromise) hunting searches for specific, known artifacts of malicious activity: IP addresses, file hashes, domain names, registry keys, and other indicators from threat intelligence feeds. When a new campaign is identified by the security community, the associated IOCs get distributed to allow defenders to sweep their environments for signs of the same activity.

IOC hunting is fast and operationally straightforward. You have a list of things to search for, and you search for them. Its limitation is that it only finds what’s already known. Sophisticated attackers rotate infrastructure, modify malware, and avoid reusing indicators precisely because they know defenders are watching for them.

Used in combination with other techniques, IOC hunting is a valuable baseline capability. As a standalone program, it leaves significant gaps.
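As an added illustration (not code from the original page), the sweep below normalizes a "defanged" indicator feed (hxxp, [.]), classifies each indicator, and matches it with proper token boundaries against a handful of proxy, DNS, EDR and firewall lines. Every indicator value and log line here is constructed for the example; none is a real-world artifact.

```python
import re
from collections import namedtuple

Match = namedtuple("Match", "ioc_type ioc line")

# Constructed feed, deliberately mixed-case and defanged the way shared IOCs
# usually arrive. Values are invented placeholders, not real indicators.
RAW_IOCS = [
    "hxxp://update-check[.]example-cdn[.]net/x",
    "198.51.100.23",
    "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
    "login.corp-portal[.]example",
]

# Constructed log lines (proxy, DNS, EDR, firewall); no real data.
SAMPLE_LOGS = [
    "2024-05-01T10:12:03Z proxy host=ws-041 user=jdoe url=http://update-check.example-cdn.net/x status=200",
    "2024-05-01T10:12:09Z dns host=ws-041 query=login.corp-portal.example answer=203.0.113.9",
    "2024-05-01T10:13:44Z edr host=ws-041 proc=C:\\Users\\jdoe\\AppData\\Local\\Temp\\svc.exe "
    "sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
    "2024-05-01T10:15:00Z fw host=ws-041 dst=198.51.100.23 dport=443 action=allow",
    "2024-05-01T10:16:21Z proxy host=ws-077 user=asmith url=https://www.example.com/ status=200",
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def refang(ioc):
    """Undo the common defanging conventions and lowercase the indicator."""
    s = ioc.strip().lower()
    for defanged, real in (("hxxp://", "http://"), ("hxxps://", "https://"),
                           ("[.]", "."), ("(.)", "."), ("[:]", ":")):
        s = s.replace(defanged, real)
    return s


def classify(ioc):
    if SHA256_RE.match(ioc):
        return "sha256"
    if IPV4_RE.match(ioc):
        return "ipv4"
    if ioc.startswith(("http://", "https://")):
        return "url"
    return "domain"


def compile_iocs(raw_iocs):
    """Turn the raw feed into (type, value, regex) triples with token boundaries,
    so that 'example.com' does not match 'notexample.com' and '10.0.0.1'
    does not match '10.0.0.10'."""
    compiled = []
    for raw in raw_iocs:
        ioc = refang(raw)
        kind = classify(ioc)
        if kind == "sha256":
            pattern = re.compile(r"(?<![0-9a-f])" + ioc + r"(?![0-9a-f])")
        elif kind == "ipv4":
            pattern = re.compile(r"(?<![\d.])" + re.escape(ioc) + r"(?![\d.])")
        elif kind == "url":
            # Accept either scheme: the same path is often served over both.
            bare = re.sub(r"^https?://", "", ioc)
            pattern = re.compile(r"https?://" + re.escape(bare))
        else:
            pattern = re.compile(r"(?<![\w.-])" + re.escape(ioc) + r"(?![\w-])")
        compiled.append((kind, ioc, pattern))
    return compiled


def sweep(log_lines, raw_iocs):
    """Return every (indicator, line) pair that matched, in log order."""
    compiled = compile_iocs(raw_iocs)
    hits = []
    for line in log_lines:
        lower = line.lower()
        for kind, ioc, pattern in compiled:
            if pattern.search(lower):
                hits.append(Match(kind, ioc, line))
    return hits


if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOGS, RAW_IOCS):
        print(f"{hit.ioc_type:7} {hit.ioc:45} {hit.line[:60]}")
```

The boundary-aware patterns are the part worth keeping: a plain substring search over a feed of short domains and IP prefixes produces enough false hits to bury the real ones.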


TTP-based hunting with MITRE ATT&CK

Where IOC hunting looks for artifacts of specific known attacks, TTP-based hunting looks for the behaviors of attackers—the tactics, techniques, and procedures that tend to be consistent even when specific tools and infrastructure change. An attacker might rotate their command-and-control infrastructure every week, but they’re likely to keep using the same lateral movement techniques that have worked for them.

The MITRE ATT&CK framework provides a structured taxonomy of attacker behaviors organized by tactic (what the attacker is trying to accomplish) and technique (how they accomplish it). Hunters use ATT&CK to select which behaviors to search for, build queries that detect those behaviors in their specific environment, and systematically work through coverage of techniques relevant to their threat model.
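The following is an added example (not code from the original page) that ties the two preceding sections together: the hypothesis from the hypothesis-driven section is written down with the ATT&CK technique IDs it implies, run as a query over constructed process-creation events, and reported with both findings and per-technique coverage, so the hunter can see which techniques the data supported, which it refuted, and which it could not speak to at all. The host names, user names, command lines, the domain-controller list and the "expected source" baseline are all constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class Hunt:
    hypothesis: str
    techniques: list     # ATT&CK technique IDs the hypothesis implies
    data_sources: list   # what telemetry can provide evidence


HUNT = Hunt(
    hypothesis="An attacker is using living-off-the-land binaries to move "
               "laterally from a compromised endpoint to our domain controllers",
    techniques=["T1047", "T1053.005", "T1569.002", "T1021.002"],
    data_sources=["process creation (Sysmon event 1 / Security 4688)"],
)

# LOLBins that can act on a remote host, mapped to the ATT&CK technique
# that use represents.
REMOTE_LOLBINS = {
    "wmic.exe": "T1047",         # Windows Management Instrumentation
    "schtasks.exe": "T1053.005",  # Scheduled Task/Job: Scheduled Task
    "sc.exe": "T1569.002",        # System Services: Service Execution
    "net.exe": "T1021.002",       # Remote Services: SMB/Windows Admin Shares
}

DOMAIN_CONTROLLERS = {"dc01", "dc02"}               # constructed asset inventory
EXPECTED_SOURCES = {("srv-mon", "wmic.exe")}        # constructed: monitoring box

# Constructed process-creation events.
EVENTS = [
    {"host": "ws-041", "user": "CORP\\jdoe", "parent": "cmd.exe", "image": "wmic.exe",
     "cmdline": 'wmic /node:DC01 process call create "cmd /c whoami > c:\\t.txt"'},
    {"host": "ws-041", "user": "CORP\\jdoe", "parent": "cmd.exe", "image": "net.exe",
     "cmdline": r"net use \\DC01\C$ /user:CORP\svc_backup Summer2024!"},
    {"host": "ws-041", "user": "CORP\\jdoe", "parent": "cmd.exe", "image": "schtasks.exe",
     "cmdline": r"schtasks /create /s dc02 /tn Updater /tr c:\windows\temp\u.exe /sc once /st 03:00"},
    {"host": "srv-mon", "user": "CORP\\svc_monitor", "parent": "monitor.exe", "image": "wmic.exe",
     "cmdline": "wmic /node:dc01 os get lastbootuptime"},
    {"host": "ws-077", "user": "CORP\\asmith", "parent": "explorer.exe", "image": "wmic.exe",
     "cmdline": "wmic process list brief"},
    {"host": "ws-041", "user": "CORP\\jdoe", "parent": "cmd.exe", "image": "net.exe",
     "cmdline": r"net use \\fileserver\share"},
]

# Remote-target syntaxes: wmic /node:HOST, schtasks /s HOST, UNC \\HOST\...
TARGET_RE = re.compile(r"(?:/node:|/s\s+|\\\\)([\w.-]+)", re.IGNORECASE)


def remote_targets(cmdline):
    return {t.strip('"').lower() for t in TARGET_RE.findall(cmdline)}


def run_hunt(hunt, events, domain_controllers, expected_sources):
    """Test the hypothesis against the events; report findings, events that
    match but are explained by a known baseline, and per-technique coverage."""
    coverage = {t: {"events": 0, "hits": 0} for t in hunt.techniques}
    findings, explained = [], []
    for ev in events:
        image = ev["image"].lower()
        technique = REMOTE_LOLBINS.get(image)
        if technique not in coverage:
            continue
        coverage[technique]["events"] += 1
        targets = remote_targets(ev["cmdline"]) & domain_controllers
        if not targets:
            continue
        record = {"host": ev["host"], "user": ev["user"], "image": image,
                  "technique": technique, "targets": sorted(targets),
                  "cmdline": ev["cmdline"]}
        if (ev["host"], image) in expected_sources:
            explained.append(record)      # evidence, but already accounted for
        else:
            coverage[technique]["hits"] += 1
            findings.append(record)
    return {"findings": findings, "explained": explained, "coverage": coverage}


def coverage_gaps(result):
    """Techniques the hypothesis named but the data never exercised: the hunt
    is silent on these, which is a visibility gap rather than a clean bill."""
    return [t for t, c in result["coverage"].items() if c["events"] == 0]


if __name__ == "__main__":
    result = run_hunt(HUNT, EVENTS, DOMAIN_CONTROLLERS, EXPECTED_SOURCES)
    for f in result["findings"]:
        print(f'{f["technique"]:10} {f["host"]:8} {f["user"]:18} -> {f["targets"]}')
    print("explained:", len(result["explained"]), "gaps:", coverage_gaps(result))
```

The "explained" bucket and the coverage gaps are what distinguish a hunt from a one-off query: the monitoring server's WMI polling of the DCs is real evidence that would otherwise be re-triaged every time, and the absence of any sc.exe events says the hypothesis was untestable for that technique with this telemetry, not that the technique is absent.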


Behavioral baselining and anomaly detection

Behavioral baselining establishes what “normal” looks like in your environment—typical login patterns, expected process execution, normal network traffic volumes and destinations, standard user behavior—so that deviations stand out.

Anomaly detection is the practice of systematically searching for those deviations. A user authenticating from two geographies within an impossible timeframe. A process spawning child processes it has never spawned before. A service account querying Active Directory at 3am in a way it never has. None of these are inherently malicious, but each is worth investigating.

The challenge with this technique is that “abnormal” and “malicious” are not the same thing. Environments generate legitimate anomalies constantly, like new software, changed workflows, and new employees. Building effective behavioral baselines requires enough environmental knowledge to distinguish meaningful deviations from noise.
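An added example (not code from the original page) of one concrete baseline, parent-to-child process relationships, that also shows the two noise controls the paragraph calls for: a pair enters the baseline only after it has been seen a minimum number of times, and a pair that is new on one host but well established across the fleet is ranked below one nobody has seen. The host names, process names and telemetry are constructed; the repetition of the history list stands in for weeks of collection.

```python
from collections import defaultdict

# Constructed historical process-creation telemetry: (host, parent, child).
HISTORY = [
    ("ws-041", "explorer.exe", "outlook.exe"),
    ("ws-041", "outlook.exe", "winword.exe"),
    ("ws-041", "explorer.exe", "chrome.exe"),
    ("ws-077", "explorer.exe", "outlook.exe"),
    ("ws-077", "outlook.exe", "winword.exe"),
    ("ws-077", "explorer.exe", "code.exe"),
    ("ws-077", "code.exe", "powershell.exe"),
    ("ws-102", "explorer.exe", "outlook.exe"),
    ("ws-102", "explorer.exe", "chrome.exe"),
] * 5 + [
    ("ws-102", "explorer.exe", "teams.exe"),   # seen once: not yet "normal"
]

# Constructed current-window telemetry to hunt over.
CURRENT = [
    ("ws-041", "explorer.exe", "outlook.exe"),    # in baseline
    ("ws-041", "winword.exe", "powershell.exe"),  # Office spawning a shell, nowhere in fleet
    ("ws-041", "explorer.exe", "code.exe"),       # new on this host, common on ws-077
    ("ws-077", "code.exe", "powershell.exe"),     # in baseline
    ("ws-102", "explorer.exe", "teams.exe"),      # novel fleet-wide, benign-looking child
]

# Children that make a novel pair worth a high priority (interpreters, LOLBins).
INTERESTING_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                        "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def build_baseline(history, min_observations=3):
    """Return (per-host known pairs, fleet-wide known pairs). A pair must be seen
    at least min_observations times to count; a single sighting is not a baseline."""
    per_host = defaultdict(lambda: defaultdict(int))
    fleet = defaultdict(int)
    for host, parent, child in history:
        pair = (parent.lower(), child.lower())
        per_host[host][pair] += 1
        fleet[pair] += 1
    host_known = {h: {p for p, n in counts.items() if n >= min_observations}
                  for h, counts in per_host.items()}
    fleet_known = {p for p, n in fleet.items() if n >= min_observations}
    return host_known, fleet_known


def find_deviations(current, host_known, fleet_known):
    """Flag pairs absent from the host's baseline, ranked by how unusual they are."""
    deviations = []
    for host, parent, child in current:
        pair = (parent.lower(), child.lower())
        if pair in host_known.get(host, set()):
            continue
        if pair in fleet_known:
            severity = "low"          # normal elsewhere; likely new software or role change
        elif pair[1] in INTERESTING_CHILDREN:
            severity = "high"         # nobody does this, and the child is a shell/interpreter
        else:
            severity = "medium"       # nobody does this, but nothing inherently risky
        deviations.append({"host": host, "parent": pair[0], "child": pair[1],
                           "severity": severity})
    return deviations


if __name__ == "__main__":
    host_known, fleet_known = build_baseline(HISTORY)
    for d in find_deviations(CURRENT, host_known, fleet_known):
        print(f'{d["severity"]:6} {d["host"]}: {d["parent"]} -> {d["child"]}')
```

Every flagged pair still needs an analyst: the explorer.exe to teams.exe sighting is exactly the "new software" anomaly the paragraph warns about, and the ranking only decides which one gets looked at first.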


Stack counting and statistical analysis

Stack counting is a technique for finding outliers by comparing frequency distributions across systems. The premise is simple: malicious activity often looks like a needle in a haystack, one system doing something the other 999 aren't.

A hunter might stack-count all processes running across endpoints in an environment, sorting by how many systems run each process. The processes running on nearly every system are likely legitimate system processes. The process running on exactly one system, especially if its name looks like a legitimate system process but isn’t quite right, is worth investigating.

Stack counting works best on large datasets where rare events are genuinely suspicious. It’s less useful in small environments where variation is naturally higher.
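An added example (not code from the original page) of the process stack described above, extended with the "looks like a legitimate process but isn't quite right" check: each rare process name is compared by edit distance to the names that run on nearly every host, so a lookalike such as a zero for an o sorts to the top. The fleet is generated here, so host and process names are constructed; the only real names are well-known Windows binaries used as the common set.

```python
from collections import defaultdict


def make_inventory(n_hosts=200):
    """Constructed fleet: every host runs a core set, most run a browser,
    a few run an admin agent, and two run lookalike binaries."""
    core = {"svchost.exe", "lsass.exe", "explorer.exe", "winlogon.exe"}
    inventory = {}
    for i in range(n_hosts):
        procs = set(core)
        if i % 4 != 0:
            procs.add("chrome.exe")          # 150 hosts: common but not universal
        if i % 50 == 0:
            procs.add("backupagent.exe")     # 4 hosts: rare, plainly an admin tool
        inventory[f"ws-{i:03d}"] = procs
    inventory["ws-113"].add("svch0st.exe")   # 1 host: zero for the letter o
    inventory["ws-044"].add("scvhost.exe")   # 1 host: transposed letters
    return inventory


def stack_count(inventory):
    """Map each process name to the set of hosts running it."""
    stacks = defaultdict(set)
    for host, procs in inventory.items():
        for proc in procs:
            stacks[proc.lower()].add(host)
    return stacks


def levenshtein(a, b):
    """Edit distance, used to spot names one typo away from a system binary."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def rare_processes(stacks, total_hosts, max_hosts=5, common_ratio=0.9,
                   lookalike_distance=2):
    """Return processes on at most max_hosts systems, each scored against the
    nearest name that runs on at least common_ratio of the fleet."""
    common = [p for p, hosts in stacks.items() if len(hosts) >= common_ratio * total_hosts]
    rare = []
    for proc, hosts in stacks.items():
        if len(hosts) > max_hosts:
            continue
        closest = min(common, key=lambda c: levenshtein(proc, c))
        distance = levenshtein(proc, closest)
        rare.append({"process": proc, "host_count": len(hosts), "hosts": sorted(hosts),
                     "closest_common": closest, "distance": distance,
                     "lookalike": distance <= lookalike_distance})
    # Fewest hosts first, then closest resemblance to a system binary.
    rare.sort(key=lambda r: (r["host_count"], r["distance"]))
    return rare


if __name__ == "__main__":
    inventory = make_inventory()
    for r in rare_processes(stack_count(inventory), len(inventory)):
        flag = "LOOKALIKE" if r["lookalike"] else ""
        print(f'{r["process"]:18} hosts={r["host_count"]:<3} '
              f'nearest={r["closest_common"]} d={r["distance"]} {flag}')
```

On a 200-host fleet the thresholds above are defensible; on 20 hosts almost everything is "rare" and the lookalike score does most of the work, which is the small-environment limitation the section notes.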


Crown jewel analysis

Crown jewel analysis focuses hunting activity on the assets most critical to your organization. These are the databases containing your most sensitive data, the systems that would cause the most damage if compromised, the accounts with the most privileged access. Rather than hunting broadly across your entire environment, crown jewel analysis asks: what activity around our most critical assets looks unusual?

This technique is particularly valuable for organizations that can’t run comprehensive hunts across their entire environment regularly. By prioritizing hunting around what matters most, you maximize the security value of limited hunting time.

Technique              | Best for                                               | Data requirements
Hypothesis-driven      | Unknown threats, novel attacker behavior               | Broad telemetry, threat intel, environment knowledge
IOC hunting            | Known campaigns, rapid sweeps                          | Threat intelligence feeds, log access
TTP-based (ATT&CK)     | Systematic coverage, behavior-focused detection        | Endpoint, network, identity telemetry
Behavioral baselining  | Finding subtle deviations, insider threats             | Historical baselines, consistent logging
Stack counting         | Outlier detection at scale                             | Large, consistent datasets across many systems
Crown jewel analysis   | Resource-constrained programs, high-value asset focus  | Asset inventory, privileged access logs

Frequently asked questions

What is the most effective threat hunting technique? 

Hypothesis-driven hunting is generally considered the most powerful technique because it can find threats that no existing indicator or rule would catch. However, it’s also the most resource-intensive, requiring experienced analysts and good environmental knowledge. Most programs combine hypothesis-driven hunting with IOC sweeps and TTP-based searches to balance depth with coverage.

Do I need to use all of these techniques? 

No. Start with the techniques that match your current capabilities and data availability. IOC hunting and basic stack counting are good starting points for teams new to hunting. Hypothesis-driven and TTP-based techniques reward investment in analyst training and environmental knowledge. Build complexity as your program matures.

How does MITRE ATT&CK help with threat hunting? 

ATT&CK provides a structured inventory of attacker behaviors that hunters can systematically search for. By mapping your detection coverage to ATT&CK techniques, you can identify which behaviors you have good visibility into, which you can hunt for manually, and which represent gaps in your program. It turns “hunt for threats” into a structured, measurable activity.

Can automated tools replace manual hunting techniques? 

Automation helps with scale and consistency (running scheduled IOC sweeps, flagging statistical outliers automatically) but it can’t replicate the creative thinking of hypothesis-driven hunting. Automated tools find what they’re programmed to find. Skilled hunters find what they hypothesize might be there, even without prior indicators. The best programs combine both.