Sherlocked Security – AI-Powered Cybersecurity & Penetration Testing
Managed Detection & Response (MDR)

Threat Hunting as a Service

  • May 9, 2025

Sherlocked Security – Threat Hunting as a Service (THaaS)

Proactive threat discovery driven by TTPs, hypothesis-based investigation, and behavioral analytics.


1. Statement of Work (SOW)

Service Name: Threat Hunting as a Service (THaaS)
Client Type: Enterprise, Financial, Healthcare, Government, High-Security Environments
Service Model: Scheduled, Continuous, or On-Demand Threat Hunts
Compliance Alignment: NIST 800-53, MITRE ATT&CK, ISO 27001, HIPAA, PCI-DSS, CJIS

Scope of Work Includes:

  • Hypothesis-driven threat hunting across network, endpoint, cloud, and identity data
  • TTP and anomaly-based investigations aligned to MITRE ATT&CK
  • Detection of advanced persistent threats (APTs), lateral movement, and stealthy behaviors
  • IOC sweeps based on new threat intelligence or client concern
  • Enrichment of hunts with threat intel, asset context, and behavioral baselining
  • Reporting of findings, gaps, and recommended controls
  • Option to integrate with SIEM, EDR, NDR, or XDR platforms

2. Our Approach

[Threat Modeling] → [Hypothesis Building] → [Data Collection & Normalization] → [Behavioral Analytics & TTP Matching] → [Validation & Contextual Investigation] → [Reporting & Recommendations]


3. Methodology

  • Threat Model Development: Based on industry, assets, adversaries, and use cases
  • Hypothesis Construction: Example – "Attackers may persist using remote WMI scheduled tasks"
  • Data Source Mapping: Identify logs, telemetry, and sensors required to test hypothesis
  • Hunt Execution: Query, visualize, pivot across telemetry to uncover suspicious behavior
  • IOC/TTP Matching: Enrich hunts with threat intel and MITRE alignment
  • Evidence Collection: Log extracts, PCAPs, screenshots, timelines
  • Reporting: Detailed findings, narrative, impact, and remediation suggestions
  • Repeat: Monthly or quarterly cycles with new threat scenarios and adversary emulation

4. Deliverables

  • Threat Hunting Plan and Hypothesis Workbook
  • Hunting Query Scripts and Visualizations
  • Detailed Hunt Reports with Findings & Recommendations
  • TTP Mapping and MITRE Coverage Matrix
  • Incident Timelines and IOC Lists (when applicable)
  • Metrics: Detection Coverage, Asset Exposure, Time-to-Hunt

5. Client Requirements

  • Access to relevant telemetry (endpoint, identity, cloud, network logs)
  • SIEM/XDR/EDR/NDR platform for querying or support from MSSP/SOC
  • Point of contact for data validation and escalation
  • Approval to use threat intel sources, simulators, and red team tools
  • Defined frequency (monthly, quarterly, on-demand)
  • Scope confirmation (entire org vs crown-jewel assets vs specific vector)

6. Tooling Stack

  • Data Platforms: Splunk, Sentinel, Elastic, Chronicle, QRadar, Azure Data Explorer
  • EDR/NDR: CrowdStrike, Defender, Carbon Black, Palo Alto Cortex, Zeek, Darktrace
  • Hunting Frameworks: MITRE ATT&CK, Sigma, ThreatHunter-Playbook, Uncoder.IO
  • Query Languages: KQL, SPL, Lucene, SQL, YARA-L, Sigma
  • Intel Sources: MISP, OTX, GreyNoise, AbuseIPDB, AnyRun, VirusTotal
  • Visualization Tools: Kibana, Power BI, Sigma UI, Jupyter Notebooks

7. Engagement Lifecycle

  1. Kickoff and Threat Model Alignment
  2. Hypothesis Generation (TTP + asset-based)
  3. Data Access Setup
  4. Hunt Execution (Query → Investigate → Document)
  5. Findings Report and Client Review
  6. Remediation Suggestions and Detection Feedback
  7. Continuous Hypothesis Refinement

8. Why Sherlocked Security?

Feature                   | Sherlocked Advantage
--------------------------|---------------------------------------------------------------------------
Hypothesis-Driven Model   | Structured approach to threat discovery beyond alert fatigue
Cross-Domain Visibility   | Hunt across endpoint, identity, cloud, SaaS, and network datasets
Behavioral + Threat Intel | Combine anomalies with IOC and TTP knowledge for deeper coverage
Adversary Mapping         | Each hunt linked to specific MITRE techniques and real-world threat actors
Tooling Flexibility       | Integrates with the client's existing SIEM, EDR, and cloud monitoring solutions

9. Sample Use Cases

Use Case 1: Credential Abuse via Cloud Console

Hypothesis: Attackers may access cloud consoles with stolen tokens or misconfigured service accounts.
Hunt: Investigate logins with uncommon user agents, countries, or disabled 2FA.
Outcome: Identified long-lived tokens used outside geo-fence; tokens revoked.
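The hunt above, worked through as an added example (not Sherlocked's own query or tooling): each sign-in is tested against the hypothesis on four axes (geo-fence, token age, MFA state, and a per-account user-agent baseline) and findings are ranked by how many tests fail. The sign-in records, the field names, the allowed countries and the 30-day token threshold are all constructed assumptions for illustration.

```python
"""Hunt for credential abuse via the cloud console (added example, not
Sherlocked's own query). Hypothesis: stolen tokens or misconfigured service
accounts show up as sign-ins from outside the geo-fence, with long-lived
tokens, without MFA, or from a user agent the account never uses otherwise.
ATT&CK context: T1078.004 (Cloud Accounts), T1550.001 (Application Access Token).
Records below are constructed sample data; field names are assumptions."""
from collections import Counter
from datetime import datetime, timedelta

GEO_FENCE = {"IN", "US"}              # assumed allowed sign-in countries
MAX_TOKEN_AGE = timedelta(days=30)    # assumed threshold for a long-lived token

# Constructed normalized sign-in events (timestamps in UTC).
SIGNINS = [
    {"user": "svc-backup", "ts": "2025-05-01T02:10:00", "token_issued": "2024-11-01T00:00:00",
     "country": "IN", "ua": "aws-cli/2.15", "mfa": False},
    {"user": "svc-backup", "ts": "2025-05-02T02:10:00", "token_issued": "2024-11-01T00:00:00",
     "country": "IN", "ua": "aws-cli/2.15", "mfa": False},
    {"user": "svc-backup", "ts": "2025-05-03T14:22:00", "token_issued": "2024-11-01T00:00:00",
     "country": "RU", "ua": "python-requests/2.31", "mfa": False},
    {"user": "alice", "ts": "2025-05-03T09:00:00", "token_issued": "2025-05-03T08:59:00",
     "country": "US", "ua": "Mozilla/5.0 Chrome/124", "mfa": True},
]


def hunt(events, geo_fence=GEO_FENCE, max_token_age=MAX_TOKEN_AGE):
    """Return findings ranked by how many hypothesis tests each sign-in fails."""
    per_user = Counter(e["user"] for e in events)                  # baseline: sign-ins per user
    per_user_ua = Counter((e["user"], e["ua"]) for e in events)    # baseline: UA use per user
    findings = []
    for e in events:
        age = datetime.fromisoformat(e["ts"]) - datetime.fromisoformat(e["token_issued"])
        reasons = []
        if e["country"] not in geo_fence:
            reasons.append("outside geo-fence")
        if age > max_token_age:
            reasons.append("long-lived token")
        if not e["mfa"]:
            reasons.append("mfa disabled")
        # A UA is "uncommon" only when the account has a history and this UA is a one-off.
        if per_user[e["user"]] > 1 and per_user_ua[(e["user"], e["ua"])] == 1:
            reasons.append("uncommon user agent")
        if reasons:
            findings.append({"user": e["user"], "ts": e["ts"], "country": e["country"],
                             "reasons": reasons})
    findings.sort(key=lambda f: len(f["reasons"]), reverse=True)   # stable: ties keep log order
    return findings
```

The top-ranked finding is the one that fails every test, which is the pattern the outcome above describes: a long-lived token used outside the geo-fence.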

Use Case 2: Lateral Movement using SMB and PsExec

Hypothesis: Internal lateral movement may be occurring through file share access and remote execution.
Hunt: Correlate PsExec-like behavior with SMB and WMI logs.
Outcome: Lateral toolset discovered on a forgotten admin workstation.
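The correlation behind this hunt, as an added example (not Sherlocked's own query): a PsExec-style execution chain is reconstructed by joining a network logon (Windows event 4624, logon type 3), an executable written to an admin share (5145) and a new service installation (7045) on the same host inside a short time window. The event records, the normalized field names and the 5-minute window are constructed assumptions for illustration.

```python
"""Hunt for PsExec-like lateral movement (added example, not Sherlocked's own
query). Hypothesis: remote execution over SMB leaves a network logon (4624,
type 3), an executable written to an admin share (5145) and a new service
(7045) on the same host within a short window; ATT&CK T1021.002 / T1569.002.
Events below are constructed; the normalized field names are assumptions."""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed correlation window

# Constructed sample events already normalized from Security/System logs.
EVENTS = [
    {"host": "WS-ADMIN-07", "id": 4624, "ts": "2025-05-03T10:00:05", "logon_type": 3,
     "src_ip": "10.0.5.21", "user": "jdoe"},
    {"host": "WS-ADMIN-07", "id": 5145, "ts": "2025-05-03T10:00:07", "share": "ADMIN$",
     "target": "PSEXESVC.exe", "src_ip": "10.0.5.21", "user": "jdoe"},
    {"host": "WS-ADMIN-07", "id": 7045, "ts": "2025-05-03T10:00:09", "service": "PSEXESVC"},
    {"host": "FS-01", "id": 4624, "ts": "2025-05-03T10:01:00", "logon_type": 3,
     "src_ip": "10.0.7.3", "user": "asmith"},
    {"host": "FS-01", "id": 5145, "ts": "2025-05-03T10:01:02", "share": "Finance",
     "target": "report.xlsx", "src_ip": "10.0.7.3", "user": "asmith"},
    {"host": "APP-02", "id": 7045, "ts": "2025-05-03T11:30:00", "service": "UpdaterSvc"},
]


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def hunt(events, window=WINDOW):
    """One finding per service install preceded, on the same host and within
    the window, by an .exe written to an admin share from a network logon."""
    findings = []
    for svc in (e for e in events if e["id"] == 7045):
        start = _ts(svc) - window
        writes = [e for e in events if e["id"] == 5145 and e["host"] == svc["host"]
                  and e["share"].upper() in ("ADMIN$", "C$")
                  and e["target"].lower().endswith(".exe")
                  and start <= _ts(e) <= _ts(svc)]
        for w in writes:
            logons = [e for e in events if e["id"] == 4624 and e["host"] == w["host"]
                      and e["logon_type"] == 3 and e["src_ip"] == w["src_ip"]
                      and start <= _ts(e) <= _ts(w)]
            if logons:   # full chain seen: pivot on src_ip and user from here
                findings.append({"host": svc["host"], "src_ip": w["src_ip"],
                                 "user": w["user"], "service": svc["service"],
                                 "dropped": w["target"]})
    return findings
```

A normal file-share session (FS-01) and a service install with no preceding share write (APP-02) both fall out of the join; only the complete chain surfaces, with the source address and account to pivot on next.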


10. Threat Hunting Readiness Checklist

Pre-Hunt Setup

  • [ ] Confirm scope of threat hunt (network, cloud, endpoint, IAM, OT)
  • [ ] Grant access to data repositories (SIEM, EDR, cloud logs)
  • [ ] Identify data owners and SMEs for support
  • [ ] Verify log coverage and retention (e.g., 30, 90, 180 days)
  • [ ] Validate identity context in logs (user IDs, roles, mappings)
  • [ ] Asset tagging confirmed (criticality, location, function)
  • [ ] Threat model documented (who might attack, what they want, how they might try)
  • [ ] MITRE ATT&CK mapping initiated to prioritize TTPs
  • [ ] Past incidents reviewed to build hunting hypotheses
  • [ ] Threat intel feeds integrated or available

During the Hunt

  • [ ] Hypotheses documented and ranked by risk/exposure
  • [ ] All hunting queries saved and version-controlled
  • [ ] IOC sweeps executed against current and historical data
  • [ ] Endpoint and identity anomalies correlated with user behavior
  • [ ] Use of multi-factor bypass, unusual browser/UAs, or VPN access logged
  • [ ] Session timelines constructed for suspicious users/assets
  • [ ] Pivot queries based on alerts, context, or peer behavior
  • [ ] PCAP or EDR process tree reviewed for outliers
  • [ ] Threat actor TTP alignment (e.g., TA505, APT29, UNC groups)
  • [ ] Validation with SMEs for suspected compromises

Post-Hunt

  • [ ] Findings compiled with evidence, affected assets, and user accounts
  • [ ] Executive summary and remediation checklist delivered
  • [ ] IOC lists provided for SIEM/XDR watchlists
  • [ ] Detection content recommended or tuned
  • [ ] Control gaps highlighted (e.g., logging disabled, MFA gaps)
  • [ ] Client threat posture score updated
  • [ ] Detection playbooks enriched with new scenarios
  • [ ] Lessons learned fed back into hunting hypothesis backlog

Continuous Improvement

  • [ ] Quarterly red/blue teaming feedback integrated into hunts
  • [ ] New TTPs and malware behaviors tracked (e.g., LOLBins, cloud abuse)
  • [ ] Repeatable queries and dashboards automated
  • [ ] Internal training or tabletop exercises run based on hunt results
  • [ ] Asset inventory and tagging updated with hunt outcomes
  • [ ] Adversary emulation plans documented for the next hunting cycle
© 2025 Sherlocked. All rights reserved.