David Bianco — Threat Hunting Frameworks
Overview
David Bianco is a SANS instructor with 20+ years in information security, primarily in detection and response. He created two foundational frameworks: the Pyramid of Pain (2013), which prioritizes indicators by adversary impact, and the Threat Hunting Maturity Model, which guides organizations in building hunting capability.
References
-
Pyramid of Pain: Original 2013 blog post, SANS documentation
-
Threat Hunting Maturity Model: SANS whitepaper
Core Philosophy
"The more pain you cause adversaries, the more effective your detection."
"Hunting is not about finding evil—it's about finding evil that your automated defenses missed."
Bianco's insight: not all indicators are equal. Detecting hash values is trivial for adversaries to evade; detecting their tactics, techniques, and procedures (TTPs) forces them to fundamentally change how they operate.
The Pyramid of Pain
/\
/ \
/ TT \ ← TTPs: Tough! Adversary must change behavior
/ Ps \
/--------\
/ Tools \ ← Tools: Annoying. Must find/create new tools
/------------\
/ Network/Host \ ← Artifacts: Irritating. Must reconfigure
/ Artifacts \
/------------------\
/ Domain Names \ ← Domains: Simple. Register new ones
/----------------------\
/ IP Addresses \ ← IPs: Easy. Change infrastructure
/--------------------------\
/ Hash Values \ ← Hashes: Trivial. Recompile
/------------------------------\
Level Details
Level Indicator Type Adversary Pain Detection Value
1 Hash Values Trivial Low
2 IP Addresses Easy Low
3 Domain Names Simple Medium
4 Network/Host Artifacts Annoying Medium
5 Tools Challenging High
6 TTPs Tough! Highest
Threat Hunting Maturity Model
Level 0: Initial ├── Relies primarily on automated alerting ├── Little to no routine data collection └── Hunting: None
Level 1: Minimal
├── Incorporates threat intelligence indicators
├── Moderate data collection
└── Hunting: IOC searches only
Level 2: Procedural ├── Follows procedures from others ├── High/very high data collection └── Hunting: Follows published playbooks
Level 3: Innovative ├── Creates new procedures ├── High/very high data collection └── Hunting: Creates original hypotheses
Level 4: Leading ├── Automates successful hunts ├── Very high data collection └── Hunting: Continuous, automated
When Implementing
Always
-
Prioritize TTP-based detections over IOC matching
-
Measure detection effectiveness by adversary pain
-
Document and share successful hunt methodologies
-
Automate proven hunts into continuous detection
-
Assess your organization's hunting maturity honestly
Never
-
Rely solely on hash-based detection
-
Treat all indicators as equally valuable
-
Hunt without a hypothesis
-
Fail to document findings
-
Ignore organizational maturity constraints
Prefer
-
Behavioral detection over signature matching
-
Hypothesis-driven hunts over random searching
-
Automated continuous hunting over periodic campaigns
-
TTP mapping over IOC collection
-
Detection as code over manual rule creation
Implementation Patterns
Pyramid-Aware Detection Strategy
detection_strategy.py
Prioritize detections by Pyramid of Pain level
from dataclasses import dataclass from enum import IntEnum from typing import List, Optional
class PyramidLevel(IntEnum): """Pyramid of Pain levels - higher = more valuable""" HASH_VALUES = 1 IP_ADDRESSES = 2 DOMAIN_NAMES = 3 ARTIFACTS = 4 # Network/Host artifacts TOOLS = 5 TTPS = 6
@dataclass class Detection: """A detection rule with pyramid classification""" name: str description: str level: PyramidLevel mitre_technique: Optional[str] query: str false_positive_rate: float
@property
def adversary_pain(self) -> str:
pain_map = {
PyramidLevel.HASH_VALUES: "Trivial - recompile",
PyramidLevel.IP_ADDRESSES: "Easy - change infrastructure",
PyramidLevel.DOMAIN_NAMES: "Simple - register new domains",
PyramidLevel.ARTIFACTS: "Annoying - reconfigure tools",
PyramidLevel.TOOLS: "Challenging - find/create new tools",
PyramidLevel.TTPS: "Tough - must change tradecraft"
}
return pain_map[self.level]
@property
def priority_score(self) -> float:
"""Higher score = better detection to invest in"""
# Weight by pyramid level, penalize false positives
return (self.level.value * 10) * (1 - self.false_positive_rate)
class DetectionPortfolio: """Manage detections with pyramid awareness"""
def __init__(self):
self.detections: List[Detection] = []
def add(self, detection: Detection):
self.detections.append(detection)
def coverage_by_level(self) -> dict:
"""Assess coverage at each pyramid level"""
coverage = {level: [] for level in PyramidLevel}
for det in self.detections:
coverage[det.level].append(det.name)
return coverage
def maturity_assessment(self) -> str:
"""Assess detection maturity based on pyramid distribution"""
coverage = self.coverage_by_level()
ttp_count = len(coverage[PyramidLevel.TTPS])
tool_count = len(coverage[PyramidLevel.TOOLS])
ioc_count = (len(coverage[PyramidLevel.HASH_VALUES]) +
len(coverage[PyramidLevel.IP_ADDRESSES]) +
len(coverage[PyramidLevel.DOMAIN_NAMES]))
total = len(self.detections)
if total == 0:
return "No detections - Level 0"
ttp_ratio = (ttp_count + tool_count) / total
if ttp_ratio > 0.5:
return "Mature - Strong TTP focus"
elif ttp_ratio > 0.25:
return "Developing - Building TTP coverage"
else:
return "Immature - Over-reliant on IOCs"
def improvement_recommendations(self) -> List[str]:
"""Suggest where to invest detection effort"""
coverage = self.coverage_by_level()
recommendations = []
if len(coverage[PyramidLevel.TTPS]) < 10:
recommendations.append(
"Priority: Add more TTP-based detections. "
"These cause maximum adversary pain."
)
if len(coverage[PyramidLevel.TOOLS]) < 5:
recommendations.append(
"Add tool-based detections for common attack frameworks "
"(Cobalt Strike, Mimikatz, etc.)"
)
ioc_count = (len(coverage[PyramidLevel.HASH_VALUES]) +
len(coverage[PyramidLevel.IP_ADDRESSES]))
if ioc_count > len(self.detections) * 0.5:
recommendations.append(
"Warning: Over 50% of detections are low-value IOCs. "
"Consider retiring stale IOC rules."
)
return recommendations
Example: TTP-level detection
ttp_detection = Detection( name="Suspicious PowerShell Download Cradle", description="Detects PowerShell download and execute patterns", level=PyramidLevel.TTPS, mitre_technique="T1059.001", query=""" process_name:powershell.exe AND (command_line:DownloadString OR command_line:IEX OR command_line:Invoke-Expression) """, false_positive_rate=0.05 )
Example: Hash-level detection (low value)
hash_detection = Detection( name="Known Malware Hash", description="Matches specific malware sample hash", level=PyramidLevel.HASH_VALUES, mitre_technique=None, query="file_hash:e99a18c428cb38d5f260853678922e03", false_positive_rate=0.001 )
Hunting Maturity Assessment
maturity_model.py
Assess and improve threat hunting maturity
from dataclasses import dataclass from enum import IntEnum from typing import List
class HuntingMaturityLevel(IntEnum): INITIAL = 0 # Relies on automated alerts MINIMAL = 1 # IOC searches PROCEDURAL = 2 # Follows playbooks INNOVATIVE = 3 # Creates new procedures LEADING = 4 # Automates hunts
@dataclass class MaturityAssessment: """Evaluate hunting program maturity"""
# Data Collection
has_endpoint_telemetry: bool
has_network_telemetry: bool
has_cloud_telemetry: bool
data_retention_days: int
# Hunting Practice
has_dedicated_hunters: bool
hunts_per_month: int
uses_threat_intel: bool
documents_hunts: bool
automates_successful_hunts: bool
creates_original_hypotheses: bool
# Infrastructure
has_hunting_platform: bool
has_playbook_library: bool
measures_hunt_effectiveness: bool
def calculate_level(self) -> HuntingMaturityLevel:
"""Determine maturity level"""
# Level 4: Leading
if (self.automates_successful_hunts and
self.creates_original_hypotheses and
self.measures_hunt_effectiveness and
self.hunts_per_month >= 8):
return HuntingMaturityLevel.LEADING
# Level 3: Innovative
if (self.creates_original_hypotheses and
self.documents_hunts and
self.hunts_per_month >= 4):
return HuntingMaturityLevel.INNOVATIVE
# Level 2: Procedural
if (self.has_playbook_library and
self.has_dedicated_hunters and
self.hunts_per_month >= 2):
return HuntingMaturityLevel.PROCEDURAL
# Level 1: Minimal
if self.uses_threat_intel:
return HuntingMaturityLevel.MINIMAL
# Level 0: Initial
return HuntingMaturityLevel.INITIAL
def roadmap_to_next_level(self) -> List[str]:
"""What's needed to advance"""
current = self.calculate_level()
if current == HuntingMaturityLevel.INITIAL:
return [
"Implement threat intelligence feeds",
"Begin IOC-based hunting",
"Ensure basic telemetry collection",
"Identify potential hunting analysts"
]
elif current == HuntingMaturityLevel.MINIMAL:
return [
"Develop or adopt hunting playbooks",
"Dedicate analyst time to hunting",
"Increase data collection coverage",
"Hunt at least 2x per month"
]
elif current == HuntingMaturityLevel.PROCEDURAL:
return [
"Train hunters to create original hypotheses",
"Document all hunt findings",
"Begin measuring hunt effectiveness",
"Increase hunt frequency to 4x/month"
]
elif current == HuntingMaturityLevel.INNOVATIVE:
return [
"Automate successful hunts into detections",
"Build metrics dashboard for hunting",
"Share methodologies with community",
"Achieve continuous hunting capability"
]
return ["You've achieved hunting mastery! 🏆"]
TTP-Based Hunt Design
ttp_hunt.py
Design hunts that target TTPs (maximum pain)
from dataclasses import dataclass from typing import List, Dict
@dataclass class TTPHunt: """A hunt targeting specific adversary TTPs"""
name: str
hypothesis: str
mitre_tactic: str
mitre_techniques: List[str]
# Data requirements
required_telemetry: List[str]
# Hunt queries
queries: Dict[str, str] # platform -> query
# Expected findings
expected_benign: List[str]
indicators_of_compromise: List[str]
# Documentation
references: List[str]
def to_playbook(self) -> str:
"""Generate hunt playbook"""
playbook = f"""
Hunt Playbook: {self.name}
Hypothesis
{self.hypothesis}
MITRE ATT&CK Mapping
- Tactic: {self.mitre_tactic}
- Techniques: {', '.join(self.mitre_techniques)}
Required Telemetry
{chr(10).join(f'- {t}' for t in self.required_telemetry)}
Hunt Queries
"""
for platform, query in self.queries.items():
playbook += f"### {platform}\n\n{query}\n\n\n"
playbook += f"""
Expected Benign Activity
{chr(10).join(f'- {b}' for b in self.expected_benign)}
Indicators of Compromise
{chr(10).join(f'- {i}' for i in self.indicators_of_compromise)}
References
{chr(10).join(f'- {r}' for r in self.references)} """ return playbook
Example: Credential Dumping Hunt (TTP-level)
credential_dump_hunt = TTPHunt( name="LSASS Memory Access", hypothesis="Adversaries are accessing LSASS memory to dump credentials", mitre_tactic="Credential Access", mitre_techniques=["T1003.001"], required_telemetry=[ "Process creation with command line", "Process access events (Sysmon Event 10)", "Memory read operations" ], queries={ "Splunk": """ index=windows sourcetype=sysmon EventCode=10 TargetImage="lsass.exe" NOT SourceImage IN ("\\MsMpEng.exe", "*\\csrss.exe") | stats count by SourceImage, SourceProcessGUID | where count > 1 """, "Elastic": """ event.code:10 AND process.target.name:lsass.exe AND NOT process.name:(MsMpEng.exe OR csrss.exe) """ }, expected_benign=[ "Windows Defender (MsMpEng.exe)", "Antivirus products", "Crash dump utilities" ], indicators_of_compromise=[ "procdump.exe accessing lsass.exe", "mimikatz.exe or renamed variants", "comsvcs.dll MiniDump export", "Unknown processes accessing lsass.exe" ], references=[ "https://attack.mitre.org/techniques/T1003/001/", "https://www.microsoft.com/security/blog/credential-theft/" ] )
Mental Model
Bianco approaches threat hunting by asking:
-
What pyramid level is this? Prioritize TTP-based detection
-
What pain does this cause? Measure detection value by adversary impact
-
What's our maturity level? Match hunting to organizational capability
-
Can we automate this? Successful hunts become continuous detection
-
What did we learn? Every hunt improves the program
Signature Bianco Moves
-
Pyramid of Pain for indicator prioritization
-
Maturity model for program development
-
TTP focus over IOC collection
-
Hypothesis-driven hunting
-
Automation of proven hunts
-
Continuous improvement mindset