Cyber Threat Hunting Techniques Playbook

December 16, 20234 min read

Playbook Objectives:

  • To enhance the cyber incident response team’s ability to identify, investigate, and mitigate potential cyber threats through proactive hunting.
  • To validate the effectiveness of current security controls and incident detection capabilities.
  • To develop and refine analyst skills in recognizing subtle indicators of compromise (IoCs).
  • To practice the application of advanced threat intelligence to uncover stealthy, malicious activities that evade standard security solutions.
  • To improve team coordination and communication during cyber incident handling.
  • To generate actionable intelligence that can be applied to strengthen the organization’s cybersecurity posture.

Difficulty Level:

  • Advanced; the exercise is designed for experienced cybersecurity professionals who are familiar with threat hunting methodologies and have a deep understanding of network architectures and malicious actor tactics, techniques, and procedures (TTPs).


  • A high-profile, multinational financial company, Global Finance Inc., with headquarters in New York, has recently expanded its digital services to include a revolutionary cryptocurrency exchange platform.
  • The platform garners significant attention, increasing potential exposure to sophisticated cyber threats. The company employs a large IT team, with a dedicated Cyber Incident Response Team (CIRT) known for its advanced defensive capabilities.
  • Global Finance Inc.’s network comprises thousands of devices, including employee workstations, server clusters for high-frequency trading algorithms, and a distributed cloud architecture supporting client transactions.
  • Amidst the rapid expansion, the CISO, Evelyn Woods, receives intelligence about a targeted attack campaign aimed at financial institutions, involving a sophisticated threat actor group operating under the moniker “Fintech Phantom.”
  • The report suggests that this group uses advanced persistent tactics and rarely detected malware to siphon sensitive financial data. Given the threat, Evelyn decides to implement a cyber range exercise focusing on cyber threat hunting to uncover any hidden threats within Global Finance Inc.’s network, bolster the CIRT’s readiness, and ultimately secure the company’s critical assets.


  • Cyber threat hunting

Exercise Attack Steps:

  • Preparations and Threat Intelligence Briefing:
    • Compile the latest intelligence surrounding “Fintech Phantom” including TTPs, IoCs, and potential attack vectors that would be relevant to the company’s infrastructure.
    • Review the company’s network architecture diagrams and identify critical assets likely to be targeted.
    • Establish a baseline of normal network behavior for anomaly detection.
  • Incident Scenario Kick-off:
    • Simulate the discovery of a suspicious, encrypted outbound data flow from the trading algorithm servers, indicating potential exfiltration activities.
    • Inject artificial but realistic IoCs into the network traffic that align with the known tactics of “Fintech Phantom.”
  • Threat Hunting:
    • Deploy network scanning tools and host-based analysis to uncover any unrecognized services or unusual processes running on the trading servers.
    • Analyze firewall, IDS/IPS, and SIEM logs for signs of intrusion based upon provided threat intelligence.
    • Task the threat hunting team with identifying and investigating abnormal security events, escalating as necessary.
  • Identification and Containment:
    • Once suspicious activity is discovered, execute procedures to isolate affected systems and prevent further compromise.
    • Perform forensic analysis on any identified malware or tools used by the attackers to understand the scope of the breach.
  • Eradication and Recovery:
    • Outline steps to remove all traces of the attacker’s presence within the network following best practices and industry standards.
    • Implement measures to restore any impacted systems to normal operations with minimal disruption to business activities.
  • Lessons Learned:
    • Convene a debriefing session to review the exercise outcomes, including what was successfully identified, how the team responded, and areas for improvement.
    • Discuss how findings from the exercise can be used to refine existing security policies and preventive measures.
    • Document the entire exercise to serve as the base for future training initiatives and continuous improvement in the threat hunting process.