Threat Hunting: Moving from Reactive to Proactive Security


Threat Hunting, SOC, and MITRE ATT&CK: A Shift from Reactive to Proactive Security

Here I sit, my third coffee in hand, and I’m still buzzing about the hardware I saw at the hardware hacking village. If you’re curious why I’m excited, though, it’s this: threat hunting is changing, moving from reactive to proactive security, and as far as I’m concerned, that’s the game changer when it comes to what organizations face today.

I’ve been working in the trenches since the early 2000s. I started in ’93 as a network admin supporting networks and mux equipment for voice and data over the PSTN. I have seen attacks evolve, too: from the Slammer worm wrecking everything we had in 2003 to today’s sophisticated attacks on banks, where I recently assisted three financial institutions in rejiggering their zero-trust architectures.

Reactive vs Proactive Security

Let’s be real. Classical security has been mostly reactive. You discover, react, and fix. It’s like waiting until you’ve already hit a pothole to fix a flat tire. That’s how most Security Operations Centers have functioned for years: alerts come in, then you chase down the cause and try to stop the bleeding. Not wrong. But not good enough anymore.

Proactive security means anticipating what comes next. Threat hunting turns the reactive model around: it doesn’t wait for alarms. It looks for the precursor signs that alerting systems can miss. Here’s the thing:

  • Automated alerts are needlessly noisy.
  • Attackers are smarter than your rules engine.
  • If you’re waiting for an alert, it’s too late.

Back in 2003, when I first witnessed the Slammer worm going to town, it was a sudden explosion, and the days after were spent in panicked, reactive patching. Today? Threat hunting would have looked for indicators before Slammer became a blizzard.

And yes, some say that threat hunting is resource-intensive. To that, all I can say is: skipping it is infinitely more expensive. Particularly when you’re guarding data gold mines like banks.

Threat Hunting Methodology

Threat hunting is not a magic wand you wave after a breach; it’s a disciplined process. Here’s how I break it down:

  1. Hypothesis Generation – Ask yourself what you are looking for. First, question everything you come across. Perhaps it’s weird DNS requests, or lateral movement within the network. The hypothesis could originate from intel feeds, insights from the MITRE ATT&CK framework, or your gut (which is invaluable).
  2. Data Collection – You need good data to prove or disprove your hypothesis. Logs, endpoint telemetry, network traffic: all the coffee grounds you need.
  3. Analysis – Now use your toolkit to inspect that data. Look for outliers, trends and variations, or look for Indicators of Compromise (IOCs).
  4. Investigation – Confirm suspicious findings, escalate them, and resolve them.
  5. Feedback Loop – Each hunt is a lesson. Refresh your detection rules, tools and assumptions.

I was recently coaching a small SOC team. Their biggest obstacle? Forming solid hypotheses. “Without a good question, our threat hunting work is like sifting haystacks.”

Key Tools and Data Used

A million-dollar SOC is not for everyone. But the basics? The tools you need to begin are low-cost, if not free. A few essentials:

  • SIEM (Security Information and Event Management) for log aggregation from network devices, firewalls and servers.
  • Endpoint Detection and Response (EDR) products that burrow further down, at the device level.
  • Network Traffic Analysis tooling that provides insight into internal traffic movement.
  • MITRE ATT&CK Framework: The tree of adversary tactics and techniques for forming hypotheses and connecting data to existing attack patterns.

And don’t forget about trusty syslogs and Windows Event Logs: goldmines of clues.

Some more advanced hunters also apply AI-powered anomaly detection, but here’s where I start to get skeptical. “AI-driven” is thrown around so casually that in many cases it’s little more than glorified pattern matching with absolutely no context. Human intuition should drive the hunt, with AI as support, not AI-only.

Developing Hunting Hypotheses

Did I mention? Hypotheses are the essence of threat hunting. Want to start one? Here’s a cooking analogy (pretend you are a cook who needs to sniff out ingredients that have gone bad).

So pick a flavor that interests you but looks suspect (weird login times), or a smell that seems out of place (outbound traffic spikes), and test whether it has actually gone bad or is just a new spice.

Some example hypotheses:

  • Employee logins outside of business hours could be compromised credentials.
  • A mysterious PowerShell launch may be related to malware.
  • Far too many failed authentications could be a brute-force attempt.

Adopting MITRE ATT&CK allows you to form hypotheses about specific adversary techniques, for example:

  • T1059: Command and Scripting Interpreter
  • T1071: Application Layer Protocol

You search for these activities in logs and network traffic.
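The hunt loop described above (hypothesis, data, analysis, investigation) and the three example hypotheses, as an added worked example that is not from the original post or from P J Networks: each hypothesis is a small function run over a handful of constructed authentication and process-start log lines (invented for this example, not taken from any real system), and each finding is tagged with the ATT&CK technique it maps to. The log format, the 08:00–19:00 business-hours window, the five-failures-in-two-minutes threshold and the list of users expected to run PowerShell are all assumptions to tune for your own environment; T1078 (Valid Accounts) and T1110 (Brute Force) are real ATT&CK technique IDs that the post itself does not mention.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (invented for this example, not from a real system).
# Format: "<ISO timestamp> <user> <host> <event> [<detail>]"
SAMPLE_LOGS = [
    "2024-03-04T09:15:00 alice ws01 LOGON_SUCCESS",
    "2024-03-04T02:10:00 bob ws02 LOGON_SUCCESS",            # off-hours logon
    "2024-03-04T10:00:05 carol ws03 LOGON_FAILURE",
    "2024-03-04T10:00:09 carol ws03 LOGON_FAILURE",
    "2024-03-04T10:00:14 carol ws03 LOGON_FAILURE",
    "2024-03-04T10:00:20 carol ws03 LOGON_FAILURE",
    "2024-03-04T10:00:25 carol ws03 LOGON_FAILURE",
    "2024-03-04T10:00:31 carol ws03 LOGON_SUCCESS",          # success right after a burst
    "2024-03-04T11:20:00 dave ws04 PROCESS_START powershell.exe -NoProfile -File C:\\Users\\dave\\run.ps1",
    "2024-03-04T11:25:00 alice ws01 PROCESS_START notepad.exe",
    "2024-03-04T14:40:00 erin ws05 LOGON_FAILURE",           # a single typo, not a burst
    "2024-03-04T14:45:00 erin ws05 LOGON_SUCCESS",
]

BUSINESS_HOURS = (8, 19)  # assumed 08:00-19:00 local time; tune per organisation


def parse(line):
    """Step 2 (data): turn one raw log line into a dict the hypotheses can query."""
    ts, user, host, event, *detail = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts), "user": user, "host": host,
            "event": event, "detail": detail[0] if detail else ""}


def hunt_off_hours_logons(events):
    """Hypothesis: successful logons outside business hours may be compromised
    credentials (ATT&CK T1078, Valid Accounts)."""
    start, end = BUSINESS_HOURS
    return [{"technique": "T1078", "user": e["user"], "host": e["host"], "ts": e["ts"].isoformat()}
            for e in events
            if e["event"] == "LOGON_SUCCESS" and not (start <= e["ts"].hour < end)]


def hunt_failed_auth_bursts(events, threshold=5, window=timedelta(minutes=2)):
    """Hypothesis: many failures for one user inside a short window suggest brute
    force (ATT&CK T1110); a success shortly after the burst raises the priority."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] in ("LOGON_FAILURE", "LOGON_SUCCESS"):
            by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["event"] == "LOGON_FAILURE"]
        # Slide a window over the failures; report the first burst that crosses the threshold.
        for i, first in enumerate(fails):
            burst = [f for f in fails[i:] if f["ts"] - first["ts"] <= window]
            if len(burst) >= threshold:
                last = burst[-1]["ts"]
                success_after = any(e["event"] == "LOGON_SUCCESS" and last <= e["ts"] <= last + window
                                    for e in evs)
                findings.append({"technique": "T1110", "user": user,
                                 "failures": len(burst), "success_after": success_after})
                break
    return findings


def hunt_powershell_launches(events, expected_users=frozenset({"admin"})):
    """Hypothesis: PowerShell started by a user who does not normally run it
    deserves a look (ATT&CK T1059, Command and Scripting Interpreter)."""
    return [{"technique": "T1059", "user": e["user"], "host": e["host"], "cmdline": e["detail"]}
            for e in events
            if e["event"] == "PROCESS_START"
            and e["detail"].lower().startswith("powershell.exe")
            and e["user"] not in expected_users]


def run_hunt(lines):
    """Steps 2-3: collect, then run every hypothesis. Step 4 (investigation) is the
    analyst's job; the returned findings are the queue to work through."""
    events = [parse(line) for line in lines]
    return {
        "off_hours_logons": hunt_off_hours_logons(events),
        "failed_auth_bursts": hunt_failed_auth_bursts(events),
        "powershell_launches": hunt_powershell_launches(events),
    }


if __name__ == "__main__":
    for hypothesis, findings in run_hunt(SAMPLE_LOGS).items():
        print(f"{hypothesis}: {len(findings)} finding(s)")
        for f in findings:
            print("   ", f)
```

On the sample data the off-hours hypothesis surfaces bob, the burst hypothesis surfaces carol with a success following five failures, and the PowerShell hypothesis surfaces dave; erin’s single failure stays below the threshold, which is the whole point of hunting with a hypothesis rather than alerting on every failed logon. The step-5 feedback loop is where a confirmed finding gets turned into a permanent SIEM or EDR rule.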

Novice teams could concentrate on so-called high-signal, low-noise hunts, for phishing attempts or suspicious file downloads, for example. Advanced teams? Chasing new malware C2 endpoints and fileless attacks.

Threat Hunting for the Little Guys

If you are a small security team or a security-minded small-to-medium-sized business, listen, I am on your wavelength. You may not have a SOC, let alone a battalion of analysts.

Here’s what I recommend:

  • Start simple. Check your firewall and IDS logs daily.
  • Employ open-source utilities such as OSQuery for endpoint visibility.
  • Integrate with MITRE ATT&CK Lite to classify the common threats specific to your industry.
  • Develop a routine for threat hunting; this can be as little as once a week for 1–2 hours.
  • Automate what you can, but keep a manual eye on anomalies.

In the early days of my company, our tools were primitive but our curiosity was limitless. A reliable drive doesn’t require a Rolls-Royce; sometimes a well-maintained old sedan can exceed your expectations.

Assessing Hunting Effectiveness

What can’t be measured can’t be improved. Measuring hunting effectiveness is a bit tricky, because we’re not just counting alerts, but also misses, and how much our hunts are reducing dwell time.

Metrics I track:

  • Number of hunts performed
  • Proportion of hunts that discovered confirmed threats
  • Time from hypothesis to remediation
  • Fewer false positives over time

And, this is an important one, how much hunting contributes to the overall security posture, for example by feeding your SOC’s detection rules.

Here’s a hot take: some teams get hung up on KPIs that look good on paper but do not correlate with real security improvements. Quality over quantity, all the way.

Quick Take

  • Reactive = tire repair after the blowout; proactive = pre-checking your tires before every drive.
  • Threat hunting is as much an art as it is a science. The hypotheses drive your investigation.
  • Leverage MITRE ATT&CK as your hunting playbook.
  • Begin hunting even as a small team, with simple logs and tools.
  • Do not blindly trust AI-based solutions; human intuition counts.
  • Judge success not by how many hunts you run but by how many real threats you actually catch and stop.

That time I dealt with the Slammer worm? The chaos turned out to be the perfect reminder that you want to stay on top of the threat.

And that’s why I’m convinced that threat hunting isn’t a luxury; it’s a requirement for organizations that are serious about security.

If your team isn’t hunting, it’s fishing with a net and hoping to catch something. Hunting is all about being the one with the eyes wide open.

As always, if you need a hand building or up-leveling your hunting skills — or just want to hear me rant about password policies or zero trust — I’m here for you.

Until next coffee break,

Sanjay Seth
P J Networks Pvt Ltd

Cybersecurity consultant since the days before cyber became a buzzword, when the networks were less complex but the threats were just as serious.
