Threat intelligence gathers and contextualizes external data about who might attack, their motives, and relevant indicators, while threat hunting proactively searches internal environments for hidden or ongoing intrusions that defenses missed. Together they form a feedback loop that improves detection, prioritization, and response by enriching hunts with intelligence and feeding findings back into intelligence programs. #RecordedFuture
Key points
- Threat intelligence and threat hunting are distinct but complementary: intelligence focuses on external threats and context, while hunting focuses on finding threats already inside the environment.
- Threat intelligence workflows include collecting raw IOCs, analyzing and contextualizing data, and disseminating actionable intelligence to defenders and decision-makers.
- Threat hunting is a hypothesis-driven, human-led practice using SIEM, EDR, and network tools to search for anomalies, TTPs, and stealthy compromises.
- Integrating threat intelligence into hunting guides hypotheses, provides high-confidence IOCs, and enriches findings to speed investigations and improve prioritization.
- Combining both disciplines reduces dwell time, improves alert triage, strengthens resilience, and enables adaptive, intelligence-driven defense across teams and tools.
- Recorded Future’s Intelligence Cloud centralizes real-time threat data from open web, dark web, and technical sources and integrates with SIEM, EDR, and SOAR to operationalize intelligence-driven hunting.
- Best practices for integration include clear communication between teams, automated enrichment of logs and alerts, and continuous iterative hunting informed by updated intelligence.
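One way to implement the automated enrichment the last point describes, as an added example (not code from the Recorded Future post or its product): constructed proxy-log lines are matched against a constructed, risk-scored indicator feed, and the enriched events are ranked for triage. The feed contents, log format, scores and the 50-point threshold are assumptions.

```python
"""Added example: enrich constructed proxy-log events with a risk-scored IOC feed
and rank the resulting alerts for triage (not Recorded Future's code)."""
from dataclasses import dataclass, field

# Constructed intel feed: indicator -> (type, risk score 0-99, context).
# All values are illustrative placeholders from documentation address ranges.
INTEL_FEED = {
    "203.0.113.7": ("ip", 92, "C2 infrastructure, phishing campaign (assumed)"),
    "updates.example-bad.test": ("domain", 75, "phishing landing page (assumed)"),
    "198.51.100.23": ("ip", 35, "mass scanner, low confidence (assumed)"),
}

# Constructed proxy log lines: timestamp, source host, destination IP, domain
LOG_LINES = [
    "2024-05-01T10:00:01Z ws-012 203.0.113.7 updates.example-bad.test",
    "2024-05-01T10:00:05Z ws-044 192.0.2.10 intranet.corp.test",
    "2024-05-01T10:01:17Z ws-019 198.51.100.23 cdn.example.test",
]

@dataclass
class Alert:
    timestamp: str
    host: str
    matches: list = field(default_factory=list)  # (indicator, type, score, context)

    @property
    def risk(self) -> int:
        # An event's risk is the highest-scoring indicator it touched; 0 if none
        return max((m[2] for m in self.matches), default=0)

def parse_line(line: str) -> dict:
    ts, host, dst_ip, domain = line.split()
    return {"timestamp": ts, "host": host, "indicators": [dst_ip, domain]}

def enrich(line: str, feed: dict = INTEL_FEED) -> Alert:
    """Attach feed context to every indicator the event contains."""
    ev = parse_line(line)
    alert = Alert(ev["timestamp"], ev["host"])
    for ind in ev["indicators"]:
        if ind in feed:
            itype, score, ctx = feed[ind]
            alert.matches.append((ind, itype, score, ctx))
    return alert

def triage(lines, feed=INTEL_FEED, threshold=50):
    """Enriched alerts at or above the threshold, highest risk first; lower-risk
    events are kept out of the queue but remain available for hunting."""
    alerts = [enrich(line, feed) for line in lines]
    return sorted((a for a in alerts if a.risk >= threshold),
                  key=lambda a: a.risk, reverse=True)

if __name__ == "__main__":
    for a in triage(LOG_LINES):
        print(a.risk, a.host, [m[0] for m in a.matches])
```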
MITRE Techniques
- [T1566] Phishing – Threat intelligence collects phishing emails as IOCs and shares them for detection and hunting: “pull in indicators of compromise (IOCs), like malicious IPs, domains, malware hashes, phishing emails, and more.”
- [Tactics: TA0001, TA0003] Initial Access / Persistence – Threat hunting tracks TTPs using frameworks like MITRE ATT&CK to look for evidence of specific tactics and of persistence: “Tracking TTPs using frameworks like MITRE ATT&CK and looking for evidence of specific tactics.”
- [T1059] Command and Scripting Interpreter – Threat hunters leverage scripts and automation (machine learning and analytics) to surface unusual patterns across large data sets: “Leveraging machine learning and advanced analytics to help surface unusual patterns across large data sets.”
- [T1078] Valid Accounts – Behavioral analysis and anomaly detection are used to identify suspicious user patterns that may indicate credential misuse: “behavioral analysis (identifying suspicious patterns in system or user behavior) and anomaly detection.”
- [T1087] Account Discovery – As part of iterative hunting, threat hunters search for known IOCs and for signs of internal reconnaissance: “Searching for known IOCs based on threat intelligence” (used to find internal indicators and reconnaissance activity).
Indicators of Compromise
- [File names / Artifacts] Artifact types the post cites as collected by intelligence – phishing emails, malware hashes (“malware hashes”), and other artifacts.
- [Domains/IPs] Indicator types collected by threat intelligence – malicious domains and IP addresses (“malicious IPs, domains”).
- [TTPs] Techniques and procedures used to guide hunts – examples include TTPs tracked via MITRE ATT&CK and behaviors observed in phishing campaigns.
- [Log events / Enriched alerts] Contextualized telemetry used in hunting and triage – risk-scored log events in SIEM dashboards and enriched alerts for prioritization.
Read more: https://www.recordedfuture.com/blog/threat-hunting-vs-threat-intelligence