How would you structure a TTP-based threat hunt using MITRE ATT&CK, and what makes a good hunt?
Short answer
TTP-based hunting uses MITRE ATT&CK as the map: pick a technique relevant to your threat model (ideally one with weak coverage), form a concrete hypothesis about how it would appear in your telemetry, identify the data sources that reveal it, query for it, and analyze hits. A good hunt is scoped, hypothesis-driven, tied to a real adversary behaviour, repeatable, and produces a durable output — a new detection, a documented coverage gap, or evidence the technique is absent — regardless of whether it finds a compromise.
TTP-based hunting flips the script from chasing indicators to chasing behaviours. MITRE ATT&CK gives you a shared, structured catalog of how adversaries operate, and you use it as both a target list and a coverage map.
Structuring the hunt
- Select a technique — choose from ATT&CK based on your threat model: techniques used by groups that target your sector, or ones where ATT&CK Navigator shows you have weak detection coverage.
- Form a hypothesis — make it testable and environment-specific: "If an adversary used T1003 LSASS credential dumping here, I would see non-system processes opening a handle to lsass.exe."
- Map to telemetry — identify the exact data sources (process access, command line, module load) that would reveal it, and confirm you collect them.
- Query and analyze — run the search, then separate true signal from benign activity with context (parent process, signer, user).
- Document and operationalize — record method and results; turn confirmed behaviour into a Sigma rule and update your coverage map.
What makes a good hunt
A good hunt is scoped (one clear question, not "find evil"), hypothesis-driven, grounded in a real adversary behaviour, repeatable, and productive — it leaves behind a detection, a documented gap, or justified confidence the technique is absent. Finding no compromise is a valid, useful result.
Why this matters
Senior interviewers look for ATT&CK-driven structure, a falsifiable hypothesis, telemetry mapping, and a durable output. "I just look around the SIEM for weird stuff" signals an immature, unrepeatable approach.
Likely follow-ups
- How do you prioritize which ATT&CK technique to hunt first?
- What does an ATT&CK Navigator coverage heatmap give a hunting program?
- Why is a repeatable, documented hunt better than an ad-hoc one?