Key Takeaways: Threat Detection and Hunting

DataField.Dev

Key Takeaways: Threat Detection and Hunting

A scannable, reference-grade card for review and cert prep. If you read one page before the exam or before your first hunt, read this one.

Core definitions (say these cold)

Term	One-line definition
Threat detection	Identifying malicious/unauthorized activity, automatically or by analysis (the umbrella term).
Detection engineering	The disciplined practice of designing, building, testing, and maintaining the automated rules that fire alerts.
Threat hunting	The proactive, human-led search for adversary activity that no alert caught.
Hypothesis-driven hunting	Hunting structured around a specific, testable hypothesis ("if adversary did X, we'd see Y in Z").
Pyramid of pain	Ranks indicator types by how costly they are for the adversary to change (hash → … → TTP).
Behavioral detection	Detecting adversary technique/behavior rather than a static indicator.
Sigma rule	A portable, vendor-agnostic YAML detection that compiles to any SIEM's query language.
YARA	A pattern-matching rule language for identifying/classifying files and process memory by content.
Threat intelligence platform (TIP)	Aggregates, normalizes, de-duplicates, scores, and distributes threat-intel feeds to detection tooling.
Detection coverage	The mapping of your (ATT&CK-tagged) detections onto the ATT&CK matrix to expose blind spots.
False negative	A real attack that produced no alert and went undetected — invisible by definition.

The pyramid of pain (memorize the order, bottom → top)

Layer	Example	Cost to adversary to change	Your detection's durability
Hash values	`SHA-256` of malware	Trivial (recompile = new hash)	Worthless after one change
IP addresses	C2 server IP	Trivial (new server/proxy in minutes)	Speed bump
Domain names	Malicious domain	Easy (re-register, ~$/minutes)	Mild
Network/host artifacts	C2 URI pattern, registry key, User-Agent	Annoying (baked into tooling)	First real inconvenience
Tools	The adversary's custom utility	Hard (find/build a new tool)	Weeks of adversary effort
TTPs	"dumps creds from LSASS", "jittered HTTPS beacon"	Very hard (relearn how they operate)	Most durable — climb here

Rule of thumb: indicator matching (bottom three) is the floor — cheap, precise, brittle. Behavioral detection (top three, esp. TTPs) is the ceiling — harder, noisier, durable. An all-indicator program is optimized for the adversary's convenience.

IoC vs. behavior — when to use what

	Indicator-based (IoC)	Behavioral (TTP)
Matches	Known-bad hash / IP / domain / artifact	Adversary action / technique
Cost to write	Low	High
False positives	Few	More (must tune)
Evaded by	Adversary changing a value (cheap)	Adversary changing how they operate (costly)
Catches	Commodity malware, reused infra, the lazy	Targeted, stealthy, novel adversaries
Use it for	Cheap, fast first-pass coverage	The attacks indicators miss
In `bluekit`	`ioc_match(event, iocs)`	`attack_technique(event)`

Do both. Match indicators because it's free; engineer behavior because it's what stops a real adversary.

Sigma rule anatomy (be able to read and write one)

title:        # human-readable name
id:           # stable UUID (generated once)
status:       # experimental | test | stable
description:  # what it detects and why
references:   # links (often the ATT&CK technique page)
tags:         # attack.<tactic> and attack.t<id>  ◄── enables COVERAGE measurement
logsource:    # category/product = WHICH DATA the rule reads
detection:
  selection:  # field|modifier: value(s)  — the match conditions
  condition:  # boolean combo, e.g. "selection and not filter"
falsepositives:  # documented benign cases (honesty = maintainability)
level:        # informational | low | medium | high | critical

Write once in Sigma → compile to SPL / KQL / Lucene via a backend. Portability is the whole point.
The tags ATT&CK mapping is not decoration — it's what makes coverage measurable.
A rule is only deployable once its filter/false-positive side is tuned to your environment's normal.
It's detection-as-code: text file → version control → code review → pipeline.

Rule family	Matches	Runs against	Chapter
Sigma	Log events / behavior	SIEM (compiled)	22 (here)
Snort/Suricata	Network packets	IDS/IPS sensor	7
YARA	Files & process memory	Endpoints, malware sandbox	22 (intro)

The hunt loop (6 steps — Step 6 is non-negotiable)

#	Step	What you do	Failure if skipped
1	Hypothesize	"If adversary did [technique], we'd see [observable] in [data source]" — ATT&CK-mapped	Aimless log-browsing, no end condition
2	Scope data	Confirm the data exists, has the fields, has history	"No results" really means "no visibility"
3	Query/analyze	Cheap filter to narrow + behavioral analytic on what remains	—
4	Triage	Separate malicious from benign using your baseline	Cry wolf, or learn to ignore the real one
5	Conclude	Confirm / refute / inconclusive (+ note data gaps)	No defensible answer
6	Operationalize	Turn finding into a durable detection or document a visibility gap	Only postponed the next miss

Hypothesis template: "If an adversary were performing [technique X], we would expect to see [observable Y] in [data source Z]."

Hand-off rule: the hunter finds and escalates to incident response (Ch.24) — does not remediate (preserves evidence; avoids tipping off the adversary or breaking production).

ATT&CK coverage & false negatives

Coverage map = your ATT&CK-tagged detections plotted on the matrix → a heatmap of green (covered) and red (blind spot) cells. It is a prioritization tool and data-source gap analysis, not a percentage to brag about.
A red cell means one of two things: "no rule" or "no data." The data gap is the expensive one — a perfect rule that can't fire because the telemetry isn't collected is not coverage.
"We cover 80% of ATT&CK" is misleading: techniques aren't equally relevant, "covered" hides a quality spectrum, and it conflates "have a rule" with "have the data."
False negative = a real attack with no alert. You cannot count it directly (no record exists). Attack it indirectly with (1) coverage mapping (find where FNs are guaranteed) and (2) hunting (search the uncovered space).
Tuning is always a tradeoff: loosen → fewer false negatives, more false positives; tighten → the reverse. No setting has zero of both. Tune consciously, per rule.

Threat intelligence → detection pipeline

Ingest (feed / advisory / ISAC report) → 2. Triage for relevance (does it target an org like ours?) → 3. Extract indicators and techniques → 4. Deploy as a detection or a hunt → 5. Feed back what you learn.

Intel tier	Content	Best for	Durability
Strategic	Who targets your sector & why	CISO priorities	Long
Operational	Campaign TTPs mapped to ATT&CK	Detection engineering	Durable (top of pyramid)
Tactical	Specific hashes / IPs / domains	Indicator matching	Short-lived

STIX = structured language to describe threats; TAXII = protocol to transport it.
Honor handling markings (TLP RED/AMBER/GREEN/CLEAR) — it keeps the sharing ecosystem alive.
Reading intel ≠ detecting. Intel that changes no detection/hunt/decision is just news.

Decision aid — "what do I build right now?"

New piece of threat intel arrives:
  ├─ Is it relevant to my environment?  ── No ──► filter out (don't drown the signal)
  └─ Yes:
       ├─ Indicators? ──► load into TIP/SIEM (cheap; expect short life)
       └─ Techniques? ──► can I express it as a reliable rule?
                            ├─ Yes ──► write a Sigma rule (tag with ATT&CK id)
                            └─ No  ──► make it a HUNT hypothesis
A quiet alert queue?  ──► NOT proof of safety ──► hunt to earn the conclusion
A red cell on coverage map? ──► is it "no rule" or "no data"?
                                  ├─ no rule ──► write it
                                  └─ no data ──► fund the data source (the expensive gap)

Common pitfalls (don't be the cautionary tale)

Pitfall	Why it bites	Fix
All-indicator detection program	Optimized for adversary's convenience; misses targeted actors	Climb the pyramid to behavior/TTPs
"Quiet queue = secure"	Alerts fire only on the anticipated; Sunburst hid 9 months	Hunt to test the hypothesis
Hunting without a baseline	Can't separate benign from malicious regularity	Baseline first (Ch.10); know your normal
Loading every vendor indicator as a rule	Drowns SOC in low-value noise	TIP triages for relevance & confidence
Skipping hunt Step 6	Finding evaporates; same miss recurs	Always produce a detection or a documented gap
Inflating coverage with dead rules	A rule with no data can't fire — false comfort	Report "no data" honestly as a red cell
Untuned behavioral rule	Floods the SOC, gets disabled	Tune the `filter` against benign reality

Frameworks & standards mapped

Framework / source	Relevance to this chapter
MITRE ATT&CK	The technique taxonomy detections map to; coverage is measured against it.
Sigma project	The portable detection-rule standard (detection-as-code).
YARA	File/memory pattern-matching rules (detection toolkit).
STIX / TAXII	Standard language/protocol for sharing machine-readable threat intel.
TLP (Traffic Light Protocol)	Handling markings for shared intelligence.
NIST CSF 2.0 — DETECT function	Governance home for "detect anomalies and events; continuous monitoring."
CISA advisories / sector ISACs	Primary sources of operational, ATT&CK-mapped intelligence.

Certification crosswalk

Concept	CompTIA Security+	(ISC)² CISSP
IoCs, threat intel, intel sources/sharing	SY0 — General Security Concepts; Security Operations	Domain 7 (Security Operations)
MITRE ATT&CK, kill chain, TTPs	Security Operations	Domains 7 & 1 (frameworks)
Threat hunting	Security Operations	Domain 7
Detection rules / SIEM analytics	Security Operations	Domain 7
False positives vs. false negatives	Security Operations	Domains 6 (assessment) & 7
Behavioral vs. signature detection	Security Operations	Domain 7

What this chapter added to the project

bluekit → detect.py: ioc_match(event, iocs) (indicator detection) and attack_technique(event) (behavioral technique-tagging) — the two faces of the pyramid in one module.
Meridian program → detection & hunting program: (1) detection-engineering practice (Sigma + ATT&CK tags + version control + documented false positives/severity), (2) hunting cadence (≥1 hypothesis-driven hunt/week, run through the six-step loop), (3) an ATT&CK coverage map reviewed quarterly with blind spots fed to the backlog.
Anchor advanced — SolarWinds: the beaconing hunt at Meridian found a SolarWinds-style C2 beacon by behavior (not indicators) and produced a durable detection — the chapter's running worked example.
Themes surfaced: Theme 2 (attackers need one success; the stealthy adversary defeats anticipation-only detection) and Theme 4 (defense in depth applied to detection — many tagged detections across the kill chain so no single miss is fatal).