Skip to content

How would you structure a TTP-based threat hunt using MITRE ATT&CK, and what makes a good hunt?

Short answer

TTP-based hunting uses MITRE ATT&CK as the map: pick a technique relevant to your threat model (ideally one with weak coverage), form a concrete hypothesis about how it would appear in your telemetry, identify the data sources that reveal it, query for it, and analyze hits. A good hunt is scoped, hypothesis-driven, tied to a real adversary behaviour, repeatable, and produces a durable output — a new detection, a documented coverage gap, or evidence the technique is absent — regardless of whether it finds a compromise.

TTP-based hunting flips the script from chasing indicators to chasing behaviours. MITRE ATT&CK gives you a shared, structured catalog of how adversaries operate, and you use it as both a target list and a coverage map.

Structuring the hunt

  1. Select a technique — choose from ATT&CK based on your threat model: techniques used by groups that target your sector, or ones where ATT&CK Navigator shows you have weak detection coverage.
  2. Form a hypothesis — make it testable and environment-specific: "If an adversary used T1003 LSASS credential dumping here, I would see non-system processes opening a handle to lsass.exe."
  3. Map to telemetry — identify the exact data sources (process access, command line, module load) that would reveal it, and confirm you collect them.
  4. Query and analyze — run the search, then separate true signal from benign activity with context (parent process, signer, user).
  5. Document and operationalize — record method and results; turn confirmed behaviour into a Sigma rule and update your coverage map.

What makes a good hunt

A good hunt is scoped (one clear question, not "find evil"), hypothesis-driven, grounded in a real adversary behaviour, repeatable, and productive — it leaves behind a detection, a documented gap, or justified confidence the technique is absent. Finding no compromise is a valid, useful result.

Why this matters

Senior interviewers look for ATT&CK-driven structure, a falsifiable hypothesis, telemetry mapping, and a durable output. "I just look around the SIEM for weird stuff" signals an immature, unrepeatable approach.

Likely follow-ups

  • How do you prioritize which ATT&CK technique to hunt first?
  • What does an ATT&CK Navigator coverage heatmap give a hunting program?
  • Why is a repeatable, documented hunt better than an ad-hoc one?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.