The IOC Era Is Over
The first generation of threat hunting was essentially IOC matching at scale. Hunt teams would receive a threat intelligence report, extract indicators, and search for them in log data. This approach is not wrong, but it is not threat hunting. It is reactive indicator validation. Indicators are also the cheapest things for an attacker to change: a recompiled binary, a renamed dropper, or a freshly registered domain invalidates the search, while the technique behind it stays the same.
Organizations that have advanced beyond IOC hunting share a common characteristic: they hunt on attacker behavior, not attacker artifacts.
The Maturity Progression
- Level 1 – IOC: searching for known bad artifacts (hashes, IPs, domains)
- Level 2 – TTP: hunting for techniques and procedures regardless of specific tools
- Level 3 – Behavioral: hunting for anomalies in how systems interact and communicate
- Level 4 – Environmental: hunting for deviations from your specific baseline
The Transition From Level 1 to Level 2
The most important shift in hunting maturity is the move from artifact-based to behavior-based hypotheses. Instead of hunting for a specific malware hash, you hunt for the process behavior that malware of that family typically exhibits: unusual parent-child process relationships, network connections from unexpected processes, privilege escalation patterns.
This transition requires a different skill set. Analysts need to understand attacker tradecraft at a level that lets them reason about what attackers do, not just what their tools look like.
Building Behavioral Baselines
Behavioral hunting requires a baseline. You cannot identify anomalies without knowing what normal looks like, and normal is specific to your environment: the parent-child process pairs a given host produces, which processes make outbound connections, and who logs on where. Building behavioral baselines for your environment is a six to twelve month investment in data collection and analysis before the hunting payoff arrives, and the baseline must be maintained afterwards, because every benign change that a hunt surfaces should be folded back into it or it will drift into noise.
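The following script is an added example, not code from the original article, and it illustrates both the Level 1 to Level 2 transition described above and the baseline idea in this section. It runs the same constructed process-creation events through three hunts: an exact hash match (Level 1), a technique rule for Office applications spawning interpreters (Level 2), and a per-host baseline of parent/child pairs learned from a quiet window (Level 4). The event field names, the hash values and the split into a "baseline" and a "hunt" window are all assumptions made for the example; they mirror what a parsed Sysmon Event ID 1 or EDR process feed typically provides, but no real telemetry is involved.

```python
"""Added example: the same process-creation events queried at three hunting levels.

Illustrative code written for this article, not tooling from the original page.
The events below are constructed, not real telemetry; the field names mirror
what a parsed Sysmon Event ID 1 / EDR process feed typically provides.
"""
from collections import defaultdict

# Constructed events. "phase" separates a quiet window used to learn the
# baseline from the window being hunted; real baselines span weeks to months.
EVENTS = [
    # --- baseline window (assumed clean) ---
    {"id": 1, "phase": "baseline", "host": "ws01", "parent": "explorer.exe", "image": "winword.exe", "sha256": "b1"},
    {"id": 2, "phase": "baseline", "host": "ws01", "parent": "winword.exe", "image": "splwow64.exe", "sha256": "b2"},
    {"id": 3, "phase": "baseline", "host": "ws01", "parent": "services.exe", "image": "svchost.exe", "sha256": "b3"},
    {"id": 4, "phase": "baseline", "host": "ws02", "parent": "explorer.exe", "image": "cmd.exe", "sha256": "b4"},
    {"id": 5, "phase": "baseline", "host": "srv01", "parent": "services.exe", "image": "svchost.exe", "sha256": "b3"},
    # --- hunt window ---
    {"id": 10, "phase": "hunt", "host": "ws01", "parent": "explorer.exe", "image": "update.exe", "sha256": "deadbeef"},
    {"id": 11, "phase": "hunt", "host": "ws01", "parent": "winword.exe", "image": "powershell.exe", "sha256": "c0ffee"},
    {"id": 12, "phase": "hunt", "host": "ws02", "parent": "explorer.exe", "image": "cmd.exe", "sha256": "b4"},
    {"id": 13, "phase": "hunt", "host": "srv01", "parent": "svchost.exe", "image": "rundll32.exe", "sha256": "b5"},
]

# Level 1: a hash lifted from a (constructed, hypothetical) intel report.
KNOWN_BAD_SHA256 = {"deadbeef"}

# Level 2: Office applications should not be spawning interpreters. A dropper
# that does this is caught whatever its hash or file name happens to be.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}


def hunt_window(events):
    """Only the events in the window being hunted."""
    return [e for e in events if e["phase"] == "hunt"]


def ioc_hunt(events, bad_hashes=KNOWN_BAD_SHA256):
    """Level 1: exact artifact match. Misses anything recompiled or repacked."""
    return sorted(e["id"] for e in hunt_window(events) if e["sha256"] in bad_hashes)


def ttp_hunt(events):
    """Level 2: match the technique (Office app -> interpreter), not the tool."""
    return sorted(
        e["id"] for e in hunt_window(events)
        if e["parent"].lower() in OFFICE_APPS and e["image"].lower() in INTERPRETERS
    )


def build_baseline(events):
    """Level 4: learn which (parent, child) pairs each host normally produces."""
    seen = defaultdict(set)
    for e in events:
        if e["phase"] == "baseline":
            seen[e["host"]].add((e["parent"].lower(), e["image"].lower()))
    return seen


def baseline_hunt(events, baseline):
    """Level 4: flag parent/child pairs never seen on that host before.

    Noisy by design: it surfaces change, not confirmed evil. Each hit is a
    hypothesis to triage, and benign hits belong back in the baseline. A host
    with no baseline at all (missing key) flags everything, which is the
    honest answer rather than silence.
    """
    return sorted(
        e["id"] for e in hunt_window(events)
        if (e["parent"].lower(), e["image"].lower()) not in baseline[e["host"]]
    )


if __name__ == "__main__":
    base = build_baseline(EVENTS)
    print("IOC hits     :", ioc_hunt(EVENTS))              # [10]
    print("TTP hits     :", ttp_hunt(EVENTS))              # [11]
    print("Baseline hits:", baseline_hunt(EVENTS, base))   # [10, 11, 13]
```

The three result lists make the maturity argument concrete: the hash search finds only the sample the report named (event 10) and misses the recompiled macro payload (event 11); the technique rule catches event 11 without knowing its hash but says nothing about event 13 because the rule was never written for that parent; the baseline flags all three, including the svchost.exe to rundll32.exe pair that is unremarkable in general but has never happened on srv01. The price of that coverage is triage: event 10 might be a legitimate updater, and if it is, the pair goes into the baseline, which is exactly the "updated baseline" artifact the next section asks every hunt to produce.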
Operationalizing What You Find
The output of a mature threat hunting program is not just found threats. It is improved detections, validated coverage, and documented gaps. Every hunt that concludes without finding an active threat should still produce at least one artifact: a new detection rule, a confirmed coverage gap, or an updated baseline.