Threat hunting is at its best when it’s curious, creative, and proactive. But if your hunts aren’t grounded in your organizational reality, you’re going to spend your time like Velma with the rest of the gang asking “why are you hunting for malware that targets grocery stores in North Korea when we work at Tim’s HVAC in Colorado?”

We don’t want to kill creativity, but we do want to make sure the time you spend thrunting turns into something that the business cares about and celebrates. Purpose doesn’t get in the way of the hunt. It sharpens it.

Introducing… ✨Threat Hunting Relevancy Factors (THRF)✨.

THRF are key relevancy factors that can become a multiplier to the impact of your hunt, and make sure you spend time with 20/20 vision.

Threat Hunting Relevancy Factors

Threat Hunting Relevancy Factors (THRF) can help guide your hunts to make the most impact for your organization and justify why you chose to hunt what you did. Scoping your hunt with one or more THRF

We'll start with five core factors that are easy and should always be considered in your hunt scoping, and then we will talk about five advanced factors that you may need additional teams and data to incorporate.

🏭 Industry

Your business model shapes your threat model. Whether you're in finance, manufacturing, healthcare, or retail, the nature of your services, customer base, and supply chain should influence what you prioritize. Hunting threats that occur in your industry ensures that you learn from the pain of your peers using the probability that you will be targeted by similar threats. If you are looking for a great place to start hunting, look no further than your neighbor.

🌍 Geolocation

Like it or not, where you operate matters. Threat actors often target specific regions. Things like legal jurisdictions can introduce risk, or geopolitical tension can put unexpected pressure on your environment. If your operations are hyperlocal, don’t seek global threats, look only to the level that makes sense for your organization. Geographic related threats are getting harder and harder to hunt as physical boundaries disappear with cyber attacks, but if you don’t operate in Europe, there is still some chance you won’t see the same threats as your European counterparts.

🖥️ Technology Stack

Your hunt should reflect your reality. Focus on the platforms, cloud services, endpoint agents, and technology that actually exist in your environment, not the ones a vendor report assumes you have. If you run G-Suite for your email stack, hunting Exchange vulnerability exploits is going to be a waste of your time. This is a good excuse to make sure you have an up to date inventory of all the tech running in your environment, too.

👑 Crown Jewels

What are you trying to protect? This includes critical applications, sensitive data, key personnel, or operational processes that represent high-value targets for attackers. These are what make you money and if you lose them, your business is in capital T trouble. Hunting attacks against crown jewels can be long and tricky, especially if uptime is a crucial part of that system. These should be infrequent, well-planned, and communicated to leadership in order to reduce potential impact.

📈 Trends and Signals

Generally, you will hear people say threat hunting is proactive and should not cross into reactive work. If you are just getting started in threat hunting, looking into existing IR activity, SOC trends, historic red team reports, or even just talking to an analyst can yield fertile ground for hunting that may go overlooked. If you can figure out why the SOC is getting 60 alerts a month from one host and it ends up yielding a larger attack chain, you are creating measurable change for your organization. Of course, speak with your reactive leaders to ensure you aren’t stepping on any toes. We are all in this together.

Those core factors can help you add relevancy to your threat hunts and ensure your efforts are felt throughout the business. But what if you are doing this already? What other THRF can you look into to ensure that what you are hunting matters?

🧠 Cyber Threat Intelligence

Incorporating your CTI program and knowledge into your threat hunts will supercharge your team. Many of your hunts may end up using external CTI as starting points, but what about the internal intelligence generated by your program? To take it a step further, tying your hunts to active campaigns, TTPs of interest for your organization, or specific threat actors can make executives go wild. Nothing is better than a CISO being able to tell the CEO how her program is already hunting for Scattered Spider after the CEO saw it in the paper that morning.

🌐 Attack Surface

More partnering with peer organizations! (Are you sensing a trend here?) Hunting based on your attack surface can give you an idea of where your soft underbelly might have led to compromise. This pairs nicely with the Technology Stack factor, but challenges you to go further and explore parts of your environment that are exposed, underprotected, or poorly understood.

This includes internet-facing assets, third-party dependencies, legacy systems, and anything shadow IT adjacent.

🔄 Business Events

Big changes mean big risks. Mergers and acquisitions, divestitures, cloud migrations, reorgs, or large-scale onboarding/offboarding cycles can open the door to novel threats or mistakes. Hunting in areas where these are occurring or for TTPs that leverage these events can often yield attacks that would have taken months to discover.

⚖️ Regulatory and Legal Obligations

Sometimes relevance comes from outside. While not as flashy as technical hunts, compliance-driven hunts can protect your organization in a very real way. Looking at data handling, privacy issues, or even how technical controls are applied in a regulatory lens can save your business very real dollars in the long run, and potentially save teams time in trying to dig up evidence for regulators regarding compliance.

🧾 Audit Findings and Known Risks

If your audit team has flagged a gap, hunt it. Work with the business partners assigned these risks in the risk register and help them understand how this risk could be exploited and why their collaboration on addressing it is so important. Many times, these are issues you've already acknowledged but may not have resolved. Hunts in this space show the program is helping close the loop, instead of generating more work.

Bring It Around Town

The best hunts are often not the most complex. They are the ones most connected to your organization’s reality. When your hunt ties into what matters, whether that is your risks, your systems, or your threat landscape, it becomes easier to defend your time, communicate your value, and improve your overall security posture. Relevancy is not a bonus. It is the difference between a side project and a hunt that actually makes your program better. Using THRF, you can stack relevancy points like damage modifiers and smite threats from your organization with ease.

Leave a comment