Detection is the art of finding attackers in the noise. It comes in reactive and proactive forms.

| Approach | How |
|---|---|
| Signature/IOC-based | Match known-bad (hashes, IPs, domains) |
| Anomaly-based | Deviation from a learned baseline |
| Behavior-based | Patterns of malicious activity (mapped to ATT&CK) |
| Heuristic | Rules approximating bad behavior |
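As an added example (not part of the original notes), here is one Python pass that applies each of the four approaches in the table to the same constructed event stream, so the differences are visible on concrete data: the IOC match, the deviation from a per-host baseline, the ATT&CK-mapped behaviour chain, and a rule-of-thumb heuristic. The telemetry, the IOC list, the baseline and the Temp-folder heuristic are all made up for illustration; the ATT&CK identifiers are real.

```python
"""Four detection approaches from the table, run over one constructed event stream."""

# Constructed telemetry, not real data: process-creation and network events from three hosts.
EVENTS = [
    {"host": "ws01", "kind": "process", "pid": 10, "path": r"C:\Program Files\Office\WINWORD.EXE",
     "parent": "explorer.exe", "sha256": "a1a1"},
    {"host": "ws01", "kind": "process", "pid": 11, "path": r"C:\Windows\System32\cmd.exe",
     "parent": "WINWORD.EXE", "sha256": "b2b2"},
    {"host": "ws01", "kind": "network", "pid": 11, "path": r"C:\Windows\System32\cmd.exe",
     "dst": "203.0.113.7"},
    {"host": "ws02", "kind": "process", "pid": 20, "path": r"C:\Windows\System32\svchost.exe",
     "parent": "services.exe", "sha256": "c3c3"},
    {"host": "ws02", "kind": "process", "pid": 21, "path": r"C:\ProgramData\updater.exe",
     "parent": "svchost.exe", "sha256": "deadbeef"},
    {"host": "ws03", "kind": "process", "pid": 30, "path": r"C:\Users\bob\AppData\Local\Temp\x7q2.exe",
     "parent": "explorer.exe", "sha256": "d4d4"},
]

# Signature/IOC-based: a constructed blocklist of known-bad hashes and IP addresses.
IOCS = {"sha256": {"deadbeef"}, "ip": {"203.0.113.7"}}

# Anomaly-based: a constructed baseline of the images each host has been observed running.
BASELINE = {
    "ws01": {"explorer.exe", "winword.exe", "outlook.exe"},
    "ws02": {"svchost.exe", "services.exe", "updater.exe"},
    "ws03": {"explorer.exe", "chrome.exe"},
}

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def image_name(path):
    """Lower-cased file name from a Windows path (split on backslash so it works on any OS)."""
    return path.rsplit("\\", 1)[-1].lower()


def signature_hits(events):
    """Match known-bad: exact hash or destination IP from the IOC list."""
    hits = []
    for e in events:
        if e.get("sha256") in IOCS["sha256"]:
            hits.append((e["host"], f"known-bad hash {e['sha256']} in {image_name(e['path'])}"))
        if e.get("dst") in IOCS["ip"]:
            hits.append((e["host"], f"connection to blocklisted IP {e['dst']}"))
    return hits


def anomaly_hits(events):
    """Deviation from baseline: a process image this host has never been seen running."""
    return [(e["host"], f"never-before-seen image {image_name(e['path'])}")
            for e in events
            if e["kind"] == "process" and image_name(e["path"]) not in BASELINE[e["host"]]]


def behavior_hits(events):
    """Pattern of activity: an Office app spawns a shell that then talks to the network.
    Maps to ATT&CK T1204.002 (User Execution: Malicious File) followed by T1059 (Command and
    Scripting Interpreter)."""
    office_shells = {(e["host"], e["pid"]) for e in events
                     if e["kind"] == "process" and image_name(e["path"]) in SHELLS
                     and e["parent"].lower() in OFFICE_APPS}
    return [(e["host"], f"office-spawned shell pid {e['pid']} reached {e['dst']} (T1204.002 -> T1059)")
            for e in events if e["kind"] == "network" and (e["host"], e["pid"]) in office_shells]


def heuristic_hits(events):
    """Rule approximating bad behaviour: an executable launched from a user-writable Temp
    folder with a short, digit-bearing (random-looking) name."""
    hits = []
    for e in events:
        if e["kind"] != "process":
            continue
        name = image_name(e["path"])
        stem = name.rsplit(".", 1)[0]
        in_temp = "\\appdata\\local\\temp\\" in e["path"].lower()
        if in_temp and len(stem) <= 6 and any(c.isdigit() for c in stem):
            hits.append((e["host"], f"short random-looking executable from Temp: {name}"))
    return hits


def run_all(events=EVENTS):
    """Run every approach and return its findings keyed by approach name."""
    return {
        "signature": signature_hits(events),
        "anomaly": anomaly_hits(events),
        "behavior": behavior_hits(events),
        "heuristic": heuristic_hits(events),
    }


if __name__ == "__main__":
    for approach, hits in run_all().items():
        for host, detail in hits:
            print(f"[{approach:9}] {host}: {detail}")
```

Note how the approaches overlap and diverge on this data: `updater.exe` on ws02 is in that host's baseline, so only the hash signature catches it; `cmd.exe` under Word on ws01 is flagged by both the anomaly baseline and the behaviour chain; the Temp-folder binary on ws03 has no IOC at all and is caught only by the baseline and the heuristic.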
The Pyramid of Pain: blocking high-level TTPs hurts attackers far more than blocking individual hashes or IPs.

```
          TTPs             ← hardest to change (most pain)
         Tools
  Network/Host Artifacts
      Domain Names
      IP Addresses
      Hash Values          ← trivial to change (least pain)
```
Threat hunting is the proactive search for threats that evaded automated detection, working from the assumption that a breach has already occurred.
Hypothesis: "An attacker may be using PowerShell for C2."
→ Query logs for suspicious PowerShell (encoded commands, network calls)
→ Investigate anomalies
→ If found: respond. If not: turn the hunt into a new detection rule.
Good hunts produce new detections, regardless of whether they find an active threat.
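The hunt sketched above, written out as an added example (not code from the original notes): it decodes `-EncodedCommand` arguments the way PowerShell does (base64 over UTF-16LE), checks both the visible command line and the decoded payload for network calls, and then freezes the confirmed logic into a standing detection rule, which is the "turn the hunt into a new detection" step. The log lines are constructed, the rule structure is our own rather than any SIEM's format, and the ATT&CK ids T1059.001 and T1027 are real.

```python
"""Threat hunt for 'PowerShell used for C2', then the same logic frozen into a detection rule."""
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand; this covers the common spellings
# (-e, -ec, -en, -enc, -EncodedCommand) and requires a base64-looking argument after it.
ENC_ARG = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

# Strings that indicate the script reaches the network; checked in the visible command line
# (with the base64 blob removed) and in the decoded payload.
NETWORK_TOKENS = ("invoke-webrequest", "invoke-restmethod", "net.webclient",
                  "downloadstring", "downloadfile", "http://", "https://")


def encode_ps(script):
    """Build an -EncodedCommand argument as PowerShell expects it: base64 over UTF-16LE.
    Used here only to construct realistic sample log lines."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_ps(b64):
    """Reverse of encode_ps; returns '' for anything that is not valid base64."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def analyse(cmdline):
    """Describe one command line: was it encoded, what did it decode to, does it touch the network?"""
    m = ENC_ARG.search(cmdline)
    decoded = decode_ps(m.group(1)) if m else ""
    visible = (ENC_ARG.sub(" ", cmdline) + " " + decoded).lower()
    return {"encoded": bool(m), "decoded": decoded,
            "network": any(tok in visible for tok in NETWORK_TOKENS)}


def hunt(log_lines):
    """Hunt pass: (line index, decoded script) for every line that supports the hypothesis."""
    hits = []
    for i, line in enumerate(log_lines):
        a = analyse(line)
        if a["encoded"] and a["network"]:
            hits.append((i, a["decoded"]))
    return hits


def encoded_and_network(cmdline):
    """The condition the hunt confirmed, reusable as a rule predicate."""
    a = analyse(cmdline)
    return a["encoded"] and a["network"]


# Once the hunt shows the logic holds, it becomes a standing detection rule.
# The rule layout is our own; the ATT&CK ids are real.
DETECTION_RULE = {
    "name": "PowerShell encoded command that reaches the network",
    "attack": ["T1059.001", "T1027"],
    "condition": encoded_and_network,
}


def run_rule(rule, log_lines):
    """Evaluate a rule over the log and return the indices that should raise an alert."""
    return [i for i, line in enumerate(log_lines) if rule["condition"](line)]


# Constructed process-creation command lines (not captured from a real system).
LOG = [
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -File C:\Scripts\backup.ps1',
    'powershell.exe -ExecutionPolicy RemoteSigned -Command "Invoke-WebRequest http://intranet.example/health"',
    "powershell.exe -EncodedCommand " + encode_ps("Get-Date; Get-Service -Name Spooler"),
    "powershell.exe -nop -w hidden -enc " + encode_ps("Invoke-WebRequest -Uri http://example.invalid/beacon"),
]

if __name__ == "__main__":
    for i, script in hunt(LOG):
        print(f"hunt hit on line {i}: {script}")
    print("rule alerts on lines:", run_rule(DETECTION_RULE, LOG))
```

Lines 1 to 3 of the sample log are the benign cases the rule must tolerate: a plain script file, an unencoded but legitimate web request, and an encoded command that does nothing network-related. Only the last line satisfies both conditions, which is what keeps the rule's false-positive rate workable when it moves from hunt to production.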
Threat intelligence is knowledge about adversaries that informs defensive decisions.

| Level | Audience | Content |
|---|---|---|
| Strategic | Executives | Trends, risk, who might target us |
| Operational | Defenders | Campaigns, adversary TTPs |
| Tactical | SOC/tools | IOCs, signatures to deploy |
Sources: ISACs, vendor reports, OSINT, CISA advisories, commercial feeds. Standards like STIX (a structured data format for intel) and TAXII (the transport protocol for exchanging it) let teams share intel in a machine-readable way.
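To connect the Pyramid of Pain with the tactical tier of intel, here is an added Python example (not from the original notes, and not an official STIX library) that parses the equality comparisons out of STIX 2.1 indicator patterns, assigns each observable a pyramid level using a mapping that is our own rather than part of the standard, ranks them by how much pain a detection built on them would cause the adversary, and flattens them into the IOC lists a SOC deploys to its tools. The bundle is trimmed to the fields used here; its ids and every value in it are constructed placeholders.

```python
"""Constructed STIX 2.1 indicators ranked by the Pyramid of Pain and flattened into a tactical IOC feed."""
import re

# Pyramid of Pain, bottom (trivial for the attacker to change) to top (hardest).
PYRAMID = ["Hash Values", "IP Addresses", "Domain Names", "Network/Host Artifacts", "Tools", "TTPs"]

# STIX object path -> pyramid level. Assumption: this mapping is ours, not part of the STIX standard.
PATH_TO_LEVEL = [
    (re.compile(r"^file:hashes\."), "Hash Values"),
    (re.compile(r"^ipv[46]-addr:value$"), "IP Addresses"),
    (re.compile(r"^(domain-name|url):value$"), "Domain Names"),
    (re.compile(r"^(file:name$|windows-registry-key:|network-traffic:|process:)"), "Network/Host Artifacts"),
]

# Equality comparisons inside a STIX pattern, e.g. [file:hashes.'SHA-256' = '...'].
# Compound patterns (a = 'x' AND b = 'y') yield one match per comparison.
COMPARISON = re.compile(r"([\w:.'\-]+?)\s*=\s*'([^']*)'")

# Constructed STIX 2.1 bundle: placeholder UUIDs, made-up values, trimmed to the fields used here.
BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000001",
         "name": "Dropper hash", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '" + "cafe0000" * 8 + "']"},
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "name": "C2 IP", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.23']"},
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "name": "C2 domain and IP", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'c2.example.invalid' AND ipv4-addr:value = '198.51.100.77']"},
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "name": "Dropped file name", "pattern_type": "stix",
         "pattern": "[file:name = 'svch0st.exe']"},
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000005",
         "name": "Phishing subject", "pattern_type": "stix",
         "pattern": "[email-message:subject = 'Invoice overdue']"},
    ],
}


def parse_pattern(pattern):
    """Extract (object path, value) pairs from a STIX pattern; quotes in paths are dropped."""
    return [(path.replace("'", ""), value) for path, value in COMPARISON.findall(pattern)]


def pain_level(object_path):
    """Pyramid level for a STIX object path, or None if our mapping does not cover it."""
    for rx, level in PATH_TO_LEVEL:
        if rx.search(object_path):
            return level
    return None


def classify(bundle):
    """One row per comparison: (indicator name, object path, value, pyramid level or 'unmapped')."""
    rows = []
    for obj in bundle["objects"]:
        if obj.get("type") == "indicator" and obj.get("pattern_type") == "stix":
            for path, value in parse_pattern(obj["pattern"]):
                rows.append((obj["name"], path, value, pain_level(path) or "unmapped"))
    return rows


def by_pain(rows):
    """Highest-pain rows first, unmapped rows last: what is worth building durable detections on."""
    return sorted(rows, key=lambda r: -PYRAMID.index(r[3]) if r[3] in PYRAMID else 1)


def tactical_feed(rows):
    """Tactical tier (SOC/tools): flat value lists per level, ready to load into a blocklist or SIEM."""
    feed = {}
    for _, _, value, level in rows:
        feed.setdefault(level, []).append(value)
    return feed


if __name__ == "__main__":
    rows = classify(BUNDLE)
    for name, path, value, level in by_pain(rows):
        print(f"{level:22} {name:18} {path} = {value}")
    print(tactical_feed(rows))
```

The ranking makes the Pyramid of Pain operational: the file-name artifact sorts above the domain, which sorts above the two IPs, which sort above the hash, so an analyst sees first the observables an adversary would find most expensive to change. The unmapped e-mail subject is kept rather than dropped, so a gap in the mapping is visible instead of silently losing intel.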
```
Threat Intel → informs → Detection rules → produce → Alerts
     ↑                                                  │
     └────────── Threat Hunting ◀── Investigation ◀─────┘
```
A mature SOC runs this loop continuously: intel sharpens detection, detection feeds investigation, hunting finds gaps and creates new detections, and findings feed back into intel.