Sherlocked Security – Threat Hunting Programs

Proactive Detection of Advanced Threats Lurking Inside Your Environment

1. Statement of Work (SOW)

Service Name: Threat Hunting Program Development & Execution
Client Type: Enterprises, Critical Infrastructure, Defense Contractors, MSSPs
Service Model: Retained, Recurring, or Project-Based
Compliance Alignment: NIST 800-61, MITRE ATT&CK®, ISO/IEC 27035, CISA Shields Up, CMMC

Threat Hunting Program Covers:

Development of tailored hunting hypotheses based on threat intel and risk models
Behavioral and anomaly-based hunt missions using endpoint, network, and cloud telemetry
Alignment with MITRE ATT&CK® techniques for adversary emulation
Identification of stealthy or low-signal attacker behaviors missed by traditional detections
Enrichment using threat intelligence feeds and historical artifacts
Integration with SIEM, EDR, and data lakes for scalable hunting
Actionable findings with remediation guidance and detection engineering feedback

2. Our Approach

[Threat Modeling] → [Hunt Hypothesis] → [Data Scoping] → [Query Execution] → [Anomaly Validation] → [Detection Development] → [Reporting & Feedback Loop]

3. Methodology

Threat Intelligence Ingestion
- Use internal and external threat intel (e.g., APT profiles, IOCs, TTPs) to guide hunting efforts.
Hypothesis Development
- Formulate proactive hunt hypotheses (e.g., "Lateral movement via SMB is occurring undetected").
Telemetry Mapping
- Identify available data sources across endpoints, network, cloud, identity systems.
Hunting Execution
- Write and execute hunt queries using SIEM, EDR consoles, or custom scripts.
TTP Correlation
- Map observed behaviors to MITRE ATT&CK to determine adversary techniques and coverage gaps.
Anomaly Investigation
- Validate anomalies, correlate artifacts, and enrich with context for triage and escalation.
Detection Engineering Feedback
- Propose new detection rules for SIEM/EDR based on findings.
Documentation & Debrief
- Deliver formal reports, hunting logs, and recommended response actions.

4. Deliverables to the Client

Hunt Hypothesis Logbook: Documented hunt missions, rationale, and mapped ATT&CK techniques
Threat Hunt Reports: Detailed breakdown of methods, indicators, findings, and context
Anomaly Detection Artifacts: Logs, scripts, or queries used for uncovering suspicious behavior
Detection Engineering Recommendations: SIEM/EDR rule suggestions for improved coverage
Gap Analysis: Highlighted telemetry blind spots and suggestions for sensor deployment
Executive Summary: Strategic-level presentation of findings, patterns, and mitigation priorities

5. What We Need from You (Client Requirements)

Access to Telemetry Sources: SIEM, EDR, DNS, proxy logs, identity providers, cloud logs
Threat Models & Risk Register: Understanding of high-risk assets and threat actors
Security Tool Access: Analyst permissions for log queries and visibility validation
Baseline Documentation: Information on normal operational behaviors and critical services
SOC/IR Team Contacts: Coordination with response teams for validating live anomalies

6. Tools & Technology Stack

SIEM Platforms: Splunk, Sentinel, QRadar, Elastic
EDR/XDR Tools: CrowdStrike, SentinelOne, Defender for Endpoint, Cortex XDR
Threat Intelligence: MISP, MITRE CTI, OpenCTI, VirusTotal, Anomali
Scripting/Query Tools: Sigma, Kusto Query Language (KQL), PowerShell, Jupyter Notebooks
Analytics Platforms: ElasticSearch, Kibana, AWS Athena, Azure Log Analytics

7. Engagement Lifecycle

Kickoff & Threat Profiling
Telemetry Availability Assessment
Hypothesis Creation & Prioritization
Data Mining & Anomaly Detection
Triage & Validation of Leads
Recommendations for Detections
Reporting & Post-Hunt Review
(Optional) Retainer-Based Quarterly Hunts

8. Why Sherlocked Security?

Feature	Sherlocked Advantage
Proactive Threat Detection	Go beyond alerts to uncover attacker presence in real time
MITRE ATT&CK-Driven	Align every hunt with adversary TTPs for high-value insights
Hunt-Ready Expertise	Veteran threat hunters with nation-state, APT, and red team insight
Customized Hypotheses	Based on client-specific threat models, telemetry, and business risk
Detection Feedback Loop	Turn hunt findings into long-term prevention through detection rules

9. Real-World Case Studies

Insider Threat Discovery in Financial Services

Client: Investment bank with global operations
Challenge: Suspicion of credential misuse by internal staff
Solution: Performed domain controller log analysis, AD anomaly correlation, PowerShell script detection
Outcome: Detected lateral movement pattern and unauthorized data access, leading to internal HR action

Stealth APT Activity in Cloud-Native Environment

Client: Cloud-first software provider
Challenge: EDR tools didn’t flag a persistent issue
Solution: Built hypothesis around C2 beaconing via cloud logs, used VPC flow logs and DNS telemetry
Outcome: Identified and removed dormant malware communicating with rare domains

10. SOP – Standard Operating Procedure

Identify Threat Model & Priorities
Formulate Hypothesis Based on TTPs
Query Logs for Behavioral Patterns
Filter and Validate Anomalies
Map to MITRE & Investigate Leads
Record Findings and Update Detection Stack
Report with Tactical and Strategic Recommendations
Retrospective Review and Adjust Next Hunt Cycle

11. Threat Hunt Program Readiness Checklist

1. Pre-Hunt

[ ] Confirm access to log and telemetry sources
[ ] Define critical assets and business risks
[ ] Identify known threats or suspected areas of concern
[ ] Gather threat intel subscriptions or indicators
[ ] Prepare baselining information for normal behavior

2. During Hunt

[ ] Execute hypotheses across datasets
[ ] Document anomalies and context
[ ] Validate findings with threat intelligence
[ ] Work with IR team on suspicious patterns
[ ] Log queries, filters, and pivot paths used

3. Post-Hunt

[ ] Deliver technical and executive-level reports
[ ] Recommend detection logic improvements
[ ] Suggest mitigation or hardening steps
[ ] Schedule next hypothesis cycle (monthly/quarterly)

Threat Hunting Programs