Threat Hunting

Why TTP-driven hunting beats IOC chasing.


Indicators are useful. They help scope incidents, enrich alerts, block known infrastructure, and move quickly during triage. But indicators are also fragile. Domains move, IP addresses rotate, hashes change, and commodity infrastructure gets reused across unrelated campaigns.

TTP-driven hunting starts from a harder question: what does the adversary need to do to achieve the objective? That frame pushes analysts toward behavior, telemetry, sequence, and intent. It turns intelligence from a list of artifacts into a hypothesis that can be tested.

Behavior survives indicator churn

A credential theft campaign may change payloads and hosting providers, but it still has to deliver a lure, execute code, access identity material, move laterally, stage data, or call home. Those actions leave traces in endpoint, identity, network, cloud, and application telemetry.

This is why ATT&CK mapping, kill-chain thinking, and campaign context matter. They help teams reason about what should be observable even when the exact IOC is new.

Use IOCs as pivots, not the whole hunt

A practical hunt can start from IOCs, then expand into behavior. A suspicious hash may point to process ancestry, command-line patterns, registry changes, service creation, scheduled tasks, network destinations, or user activity. The IOC is the spark; the behavior is the durable detection opportunity.
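The pivot described above, as an added example that is not part of the original post: a hash hit is expanded into process ancestry, and the behaviour seen there (an Office application launching a script host with an encoded command line) is turned into a rule that no longer depends on the hash. All events, hashes and process names below are constructed sample telemetry.

```python
"""Added example: pivot from one IOC hit to the surrounding behaviour, then
run a behaviour rule that no longer depends on the hash. Every event below
is constructed sample telemetry, not data from the original post."""

FIELDS = ("host", "pid", "ppid", "image", "sha256", "cmdline")
# Constructed process-creation events. Host ws2 repeats the ws1 chain with a
# different payload hash; ws3 is a benign admin shell with no Office parent.
EVENTS = [dict(zip(FIELDS, row)) for row in [
    ("ws1", 100, 1,   "explorer.exe",   "aaaa", "explorer.exe"),
    ("ws1", 200, 100, "winword.exe",    "bbbb", "winword.exe invoice.docm"),
    ("ws1", 300, 200, "powershell.exe", "cccc", "powershell.exe -enc AAAA"),
    ("ws1", 400, 300, "dropper.exe",    "deadbeef", "dropper.exe"),
    ("ws2", 110, 1,   "explorer.exe",   "aaaa", "explorer.exe"),
    ("ws2", 210, 110, "excel.exe",      "eeee", "excel.exe quote.xlsm"),
    ("ws2", 310, 210, "powershell.exe", "cccc", "powershell.exe -enc BBBB"),
    ("ws2", 410, 310, "stage2.exe",     "cafebabe", "stage2.exe"),
    ("ws3", 120, 1,   "cmd.exe",        "dddd", "cmd.exe"),
    ("ws3", 220, 120, "powershell.exe", "cccc", "powershell.exe Get-Service"),
]]

def ancestry(events, host, pid):
    """Follow ppid links on one host; return the image chain, root first."""
    by_pid = {(e["host"], e["pid"]): e for e in events}
    chain, key = [], (host, pid)
    while key in by_pid:
        chain.append(by_pid[key]["image"])
        key = (host, by_pid[key]["ppid"])
    return chain[::-1]

def ioc_pivot(events, sha256):
    """The IOC is the spark: map each hash hit to its process ancestry."""
    return {(e["host"], e["pid"]): ancestry(events, e["host"], e["pid"])
            for e in events if e["sha256"] == sha256}

OFFICE_APPS = {"winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"powershell.exe"}

def behavior_hits(events):
    """Behaviour rule distilled from the pivot: a script host launched by an
    Office app with an encoded command line. No hash, so ws2 is caught too."""
    parent = {(e["host"], e["pid"]): e for e in events}
    hits = []
    for e in events:
        p = parent.get((e["host"], e["ppid"]))
        if (p and p["image"] in OFFICE_APPS and e["image"] in SCRIPT_HOSTS
                and "-enc" in e["cmdline"].lower()):
            hits.append((e["host"], e["pid"]))
    return hits
```

Searching for the hash alone finds only the ws1 process; the behaviour rule fires on both ws1 and ws2 and stays quiet on the benign ws3 shell.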

Threat Foundry supports that shift by preserving CTI context, ATT&CK mappings, generated hunt logic, Sigma candidates, YARA candidates, and saved evidence in one review path.

Use indicators to find the thread. Use TTPs to understand the fabric.

Make the output reviewable

TTP-driven hunting should still be accountable. Analysts need to see the source intelligence, the hypothesis, the telemetry assumptions, the generated query, the evidence returned, and the decision made. That review trail is what turns a hunt from a clever query into reusable program knowledge.

Book themes behind this post

This article draws on reading themes from Advanced Cyber Threat Intelligence and Hunting and from Digital Forensics and Incident Response. The common thread is practical operationalization: intelligence should become hypotheses, evidence, detections, response decisions, and program learning.
