The Open Threat Hunting Framework: Enabling Organizations to Build, Operationalize, and Scale Threat Hunting

Conference: Black Hat USA 2022



The presentation discusses the importance of documentation and sharing knowledge in threat hunting, and introduces a community-driven threat hunting framework.
  • Documentation and metrics are important in threat hunting and can be valuable to other organizations.
  • Imposter syndrome is common in the industry.
  • Sharing knowledge can prevent other organizations from experiencing incidents or breaches.
  • The community-driven threat hunting framework is vendor-agnostic and provides advice based on the authors' combined 20 years of threat hunting experience.
  • The framework includes an operational module, prioritization, project management, measurement, communication, and continuous improvement.
  • The framework is a living document that will evolve with contributions from the community.
The speaker describes how frustrating it was to find information on how to get started with threat hunting when he began eight years ago. He emphasizes the importance of writing knowledge down and sharing it so that others do not have to go through the same frustration. The speaker also notes that imposter syndrome is common in the industry.


"Ask 10 infosec professionals to define threat hunting and you'll get 11 different answers." Threat hunting is one of those interesting components of cybersecurity where everyone knows they should be doing it, but not everyone can fully articulate what threat hunting is. In our roles as threat hunters, we're lucky enough to witness and evaluate the hunt programs of Fortune 100 companies, state and national governments, and partners and MSPs. This experience has shown us that one person's definition of threat hunting does not necessarily equal another's.

If you do an Internet search for "how to build a threat hunting program" there are plenty of results, and some include great insights into what makes a threat hunting program effective. However, while resources do exist, they're often tied to a specific vendor or a particular product and the best way to hunt using it. There's useful information, but you're left trying to find a way to make the proposed processes and techniques work for your environment rather than the one driven by the vendor.

"If you don't like the road you're walking, start paving another one." It's with that in mind that we're releasing a free threat hunting framework, not tied to any particular technology, that can help organizations start a threat hunting program and improve threat hunting operations for existing programs. This framework will enable organizations to take control of building a threat hunting program by providing a clear path to operationalizing threat hunting, as well as a well-defined threat hunting process, to ensure threat hunters are set up for success.

We've responded to far too many incidents that could have been prevented with solid threat hunting operations, and we hope this project can help prevent future incidents.