CAF – C2.a Threat Hunting

This article provides additional information on how you can meet the requirement for the CAF control – C2.a Threat Hunting.

Proactive Threat Hunting

  • A structured threat-hunting capability should be in place to proactively identify malicious or suspicious activity that may evade automated security controls.
    Threat hunting should be carried out at a frequency appropriate to:
    • organisation size

    • client profile

    • risk exposure

  • Threat hunting forms part of business-as-usual security operations.

Threat Hunting Methods

  • Threat hunts should follow documented methods, which may include:
    • Hypothesis-driven hunts (based on emerging threats)

    • Data-driven hunts (based on anomalies identified in logs)

    • Entity-focused hunts (reviewing high-risk accounts or systems)

  • These hunts should use information from:
    • monitoring tools

    • endpoint protection platforms

    • SIEM / MDR providers

    • relevant threat intelligence

Recording and Acting on Findings

  • Findings from each hunt should be recorded in the organisation’s tracking system.

  • Follow-up actions and lessons learned should also be documented.

  • If new detection opportunities are identified, they should be:

    • converted into automated alerts, or

    • used to refine existing monitoring rules

  • This helps improve early-warning capability.

Review and Continuous Improvement

  • Threat-hunting activities, outcomes and improvements should be reviewed periodically to ensure effectiveness.

  • Automation should be used where appropriate, for example through:

    • SIEM correlation rules

    • EDR detections

    • scheduled queries
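To make the three hunt methods, the findings record and the conversion of a finding into an automated alert concrete, here is an added worked example in Python. It is not part of the CAF guidance or of this article: the key=value log format, the working-hours baseline, the high-risk account list and the finding fields are all assumptions, and the log lines are constructed for the example.

```python
"""Added example: a small hunt over constructed authentication log lines.
Runs a hypothesis-driven, a data-driven and an entity-focused hunt, records
findings in a tracking-style record, and turns one finding into a windowed
alert of the kind a SIEM correlation rule or scheduled query would run."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (assumed 'timestamp key=value ...' format).
SAMPLE_LOGS = [
    "2024-05-01T09:02:11Z user=alice src=10.0.0.5 result=success",
    "2024-05-01T09:15:40Z user=bob src=10.0.0.9 result=success",
    "2024-05-01T03:12:07Z user=alice src=203.0.113.7 result=success",  # odd hour, new source
    "2024-05-01T10:00:01Z user=alice src=10.0.0.5 result=success",
    "2024-05-01T11:30:00Z user=carol src=10.0.0.22 result=success",
    "2024-05-01T23:58:10Z user=alice src=198.51.100.4 result=failure",
    "2024-05-01T23:58:12Z user=bob src=198.51.100.4 result=failure",
    "2024-05-01T23:58:14Z user=carol src=198.51.100.4 result=failure",
    "2024-05-01T23:58:16Z user=dave src=198.51.100.4 result=failure",
]


def parse_line(line):
    """Parse one log line into a dict; 'ts' becomes a datetime."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def parse_logs(lines):
    return [parse_line(line) for line in lines]


def hunt_spray(events, min_users=3):
    """Hypothesis-driven hunt: one source failing against many distinct accounts."""
    failed = defaultdict(set)
    for e in events:
        if e["result"] == "failure":
            failed[e["src"]].add(e["user"])
    return {src: sorted(users) for src, users in failed.items() if len(users) >= min_users}


def hunt_off_hours(events, start_hour=7, end_hour=19):
    """Data-driven hunt: successful logins outside an assumed working-hours baseline."""
    return [e for e in events
            if e["result"] == "success" and not (start_hour <= e["ts"].hour < end_hour)]


def hunt_entity(events, high_risk_users):
    """Entity-focused hunt: all activity for accounts the organisation flags as high risk."""
    return [e for e in events if e["user"] in high_risk_users]


def record_finding(hunt_type, hypothesis, evidence, follow_up):
    """Finding record in the shape a tracking system might hold (fields are assumed)."""
    return {"hunt_type": hunt_type, "hypothesis": hypothesis, "evidence": evidence,
            "follow_up": follow_up, "status": "open"}


def make_spray_alert(min_users=3, window_seconds=60):
    """Detection derived from a confirmed spray finding: unlike the retrospective hunt,
    it fires only when min_users distinct accounts fail from one source inside a
    sliding window, so it can run as a scheduled query over fresh events."""
    def alert(events):
        hits = {}
        by_src = defaultdict(list)
        for e in sorted(events, key=lambda x: x["ts"]):
            if e["result"] == "failure":
                by_src[e["src"]].append(e)
        for src, evs in by_src.items():
            for i, first in enumerate(evs):
                window = [x for x in evs[i:]
                          if (x["ts"] - first["ts"]).total_seconds() <= window_seconds]
                users = {x["user"] for x in window}
                if len(users) >= min_users:
                    hits[src] = sorted(users)
                    break
        return hits
    return alert


def run_hunt(lines, high_risk_users=("alice",)):
    """Run all three hunts and return the findings to be recorded and followed up."""
    events = parse_logs(lines)
    findings = []
    spray = hunt_spray(events)
    if spray:
        findings.append(record_finding("hypothesis", "password spraying from a single source",
                                       spray, "convert to automated alert; block source"))
    off_hours = hunt_off_hours(events)
    if off_hours:
        evidence = [(e["user"], e["src"], e["ts"].isoformat()) for e in off_hours]
        findings.append(record_finding("data", "successful login outside working hours",
                                       evidence, "confirm with account owner; refine baseline"))
    entity = hunt_entity(events, set(high_risk_users))
    findings.append(record_finding("entity", f"review of high-risk accounts {sorted(high_risk_users)}",
                                   len(entity), "no action unless anomalies confirmed"))
    return findings


if __name__ == "__main__":
    for finding in run_hunt(SAMPLE_LOGS):
        print(finding)
    print(make_spray_alert()(parse_logs(SAMPLE_LOGS)))
```

The hunts are deliberately batch and retrospective, which is what a hunter does over a day's logs; the alert built from the spray finding adds the time window so that the same logic can be scheduled against new events without re-reading history, which is the step the guidance describes as converting a finding into an automated alert.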

Maintaining Proactive Visibility

  • This structured approach helps ensure proactive visibility of hidden or emerging threats that could impact service delivery to clients.