We want to stop being reactive and start "hunting" for APTs in our network. Everyone mentions the MITRE ATT&CK framework as the blueprint for this. How do we actually translate those theoretical techniques into a weekly hunting schedule? Should we focus on one specific tactic per week, like "Privilege Escalation," or is there a better way to prioritize which techniques to hunt for first?
3 answers
You should also check out the "Atomic Red Team" project. It lets you run small tests for each MITRE technique to see if your logs actually catch them.
Don't try to boil the ocean. Start with a "Gap Analysis" by mapping your existing log sources to the ATT&CK matrix. If you don't have logs for a specific technique, you can't hunt for it. Once mapped, prioritize by "Likelihood vs Impact." For most, focusing on the "Initial Access" and "Persistence" tactics provides the best ROI. A great weekly cadence is to pick one sub-technique—like "Scheduled Tasks" or "Process Injection"—research how it looks in your environment, and then write a query to find all instances that don't match your known-good baseline. This iterative approach builds your detection library over time.
Have you used the "ATT&CK Navigator" tool to visualize which groups are known to target your specific industry, such as finance or healthcare?
Samuel, I hadn't used the Navigator before you mentioned it—it's incredibly helpful for filtering out the noise! Rebecca, your "Gap Analysis" advice is what we were missing. We were trying to hunt for things we weren't even logging. We’ve decided to spend the next two weeks purely on "Persistence" techniques because we realized our logging of Registry changes was nearly zero. Once we fix the telemetry, we’ll start our weekly hunts. It feels much more scientific now than just "looking for weird stuff."
I agree with Logan. Testing your detections with Atomic Red Team is the best way to prove that your hunting queries actually work