DATASHEET-20181102 COPYRIGHT © 2018 NETMONASTERY NSPL. All rights reserved. 

The Threat Hunting Maturity Model
Introduction to threat hunting and setting up your own hunting program
 

 
The Threat Hunting Maturity Model 
 
 

Table of Contents 
What is threat hunting? 3 

The Hunting Maturity Model (HMM) 4 

Level 0 5 

Level 0 in DNIF 6 

Level 1 8 

Level 1 in DNIF 9 

Level 2 10 

Level 2 in DNIF 10 

Level 3 11 

Level 3 in DNIF 12 

Level 4 14 

Level 4 in DNIF 15 


 

   

 


As threat levels rise in the world of cybersecurity, many organizations are quickly realizing that threat hunting is essential to the success of every modern security operations center (SOC). On the other hand, not many organizations are sure of how or where to begin threat hunting, or how far along they are in their own threat hunting capabilities. In fact, there is still a lot of confusion floating around the term: is it a process? A technology? Something else? Before we go any further, let’s take a moment to understand what exactly threat hunting is.

What is threat hunting? 


At our last DNIF Konnect meetup, we had a poll asking people whether they thought their organization engaged in threat hunting. Here are the results:

This shows us that the field is growing and gaining popularity in the industry. Threat hunting can be described as the process of proactively searching through network and host data to find and (where applicable) remove attackers from networks and hosts, including attackers that have already got past automated defences. Unlike purely alert-driven approaches, threat hunting combines threat intelligence, analytics and security tools with human skill and judgement.

In his presentation, Ankit Panchaal explained that while tools are important, threat hunting is not specific to any particular technology (read our blog Five Levels Of Threat Hunting: Key Takeaways From DNIF Konnect 2 to know more). Instead, it is a process of knowing what signs to look for, when to look for them and where to find them. It emphasizes applying human skills and knowledge to seek out malicious activity that hasn’t already been identified by other detection techniques.

The Hunting Maturity Model (HMM)

Like any new process, a threat hunting program takes time to get right. The speed of adoption is one of the most common issues that arise when organizations attempt to implement threat hunting; it takes patience and a carefully calculated plan to establish an efficient hunting program. One tool that can help you assess your current hunting capabilities and determine your next step in expanding them is the Hunting Maturity Model (HMM), developed by Sqrrl’s security technologist and hunter, David Bianco.

Source: Sqrrl Threat Hunting Maturity Model

The HMM describes five levels of hunting capability, ranging from HM0 (least capable) to HM4 (most capable), depending on the following three factors:

● The quantity and quality of the data the organization collects regularly
● The tools used to analyze the data
● The skills of the analysts who actually use the data

 


Of these factors, analysts’ skills are the most important, since those skills are what let them turn data into detections. The quantity and quality of the data is a close second: the higher the volume and the greater the variety of data available to analysts, the more they will find and the more effective they will be as hunters. Lastly, the tools used to analyze the data shape an organization’s hunting techniques and help it develop a hunting style suited to its environment. Next, let’s examine each level in greater detail.

Level 0 
HM0 is the Initial Level. At this level, an organization primarily relies on 
automated alerting tools such as an IDS, SIEM platform or antivirus to detect 
malicious activity across the enterprise. At this stage, signature-based 
detection updates and threat intelligence feeds are often incorporated. 
Organizations may even create their own signatures or indicators, though 
these are exclusively for use with automated monitoring systems. 

At this level, human effort and involvement is typically devoted to alert resolution, without collecting much information from the organization’s IT systems. As a result, analysts’ ability to proactively hunt for threats is extremely limited.

  

 


Level 0 in DNIF 

This query fetches the last successful login time for each user seen in the past 24 hours:

_fetch * from event where $Duration=24h AND
$SubSystem=AUTHENTICATION AND $Action=LOGIN AND
$Status=PASSED group stat_unique $User max $SystemTstamp
limit 100
 
Here, we create a new field by adding 30 days to the last login time of each user:

>>_field $d_time time_delta $stat_unique_max + 30d


 
We then store the result of the previous query in a new ‘user_last_login’ profile. This query is executed only once, to create the profile and store the details of each user’s most recent login:

>>_store in_disk user_last_login stack_replace


  

After creating the profile, this query updates the store with data from new logins as they occur, replacing each user’s entry keyed on $User:

>>_store in_disk user_last_login key_replace $User


 
This query shows the store created by the previous queries:

>>_retrieve user_last_login
 

 


In the following query, we fetch the details of users that have logged in during the last 24 hours. We then check whether the value of $SystemTstamp for each login event exceeds the value of $d_time held for that user in the store, i.e. whether the user had been dormant for more than 30 days before this login. If it does, an alert is raised. Users that have no entry in the store have nothing to compare against, so seed the profile before enabling the alert, and expect a burst of alerts after long holiday periods.

_fetch * from event where $Duration=24h AND
$SubSystem=AUTHENTICATION AND $Action=LOGIN AND
$Status=PASSED group stat_unique $User max $SystemTstamp
limit 100
>>_checkif lookup user_last_login join $User = $User
dt_compare $SystemTstamp > $d_time include
>>_raise module ueba dormant_user_login $User 4 12h
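The same dormant-login hunt, as an added Python example that is not part of this datasheet or of DNIF: it seeds a last-login profile from constructed authentication events, raises an alert when a successful login lands more than 30 days after the stored value, and then overwrites the stored value the way key_replace does. The event layout, the user names, the timestamps and the 30-day window are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample authentication events: (user, ISO-8601 UTC timestamp, status).
# Invented for this example; the fields mirror the page's $User/$SystemTstamp/$Status.
HISTORICAL_LOGINS = [
    ("alice", "2018-09-01T08:10:00", "PASSED"),
    ("alice", "2018-09-20T09:00:00", "PASSED"),
    ("bob",   "2018-09-25T17:45:00", "PASSED"),
    ("bob",   "2018-09-26T07:30:00", "FAILED"),   # failed logins never update the profile
    ("carol", "2018-10-30T12:00:00", "PASSED"),
]

NEW_LOGINS = [
    ("alice", "2018-11-01T12:00:00", "PASSED"),   # second login the same day: must not alert twice
    ("alice", "2018-11-01T10:00:00", "PASSED"),   # 42 days after alice's last login -> dormant
    ("bob",   "2018-10-20T08:00:00", "PASSED"),   # 24 days after bob's last login -> normal
    ("carol", "2018-11-01T09:00:00", "FAILED"),   # ignored
    ("dave",  "2018-11-01T11:00:00", "PASSED"),   # no profile entry yet -> learned, not alerted
]

DORMANCY_WINDOW = timedelta(days=30)   # the "+ 30d" behind the page's $d_time field (assumed)


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def build_last_login_profile(events):
    """Seed the profile: most recent successful login per user (the page's first
    _fetch ... max $SystemTstamp query followed by _store ... stack_replace)."""
    profile = {}
    for user, ts, status in events:
        if status != "PASSED":
            continue
        t = parse_ts(ts)
        if user not in profile or t > profile[user]:
            profile[user] = t
    return profile


def hunt_dormant_logins(profile, events, window=DORMANCY_WINDOW):
    """Alert on successful logins more than `window` after the user's stored last login,
    then overwrite the stored value (the page's key_replace on $User). Users with no
    stored entry have nothing to compare against and are only learned.
    Mutates `profile`; returns the list of alerts."""
    alerts = []
    # Process in time order so several logins by one user in a batch behave as they
    # would if the store were updated as each one arrived.
    for user, ts, status in sorted(events, key=lambda e: e[1]):
        if status != "PASSED":
            continue
        t = parse_ts(ts)
        last = profile.get(user)
        if last is not None and t > last + window:
            alerts.append({
                "user": user,
                "last_login": last.isoformat(),
                "login": t.isoformat(),
                "dormant_days": (t - last).days,
            })
        if last is None or t > last:
            profile[user] = t
    return alerts


if __name__ == "__main__":
    prof = build_last_login_profile(HISTORICAL_LOGINS)
    for a in hunt_dormant_logins(prof, NEW_LOGINS):
        print("dormant_user_login", a)
```

Running the file prints one alert, for alice, whose login comes 42 days after her previous one; bob's login 24 days after his last one and dave, who has no stored entry yet, produce none. The 24-hour window in the page's seeding query means any user who did not log in on that day starts without an entry, so seed from a longer window or accept that such users are only learned on their next login.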
 

 


Level 1
The next level, HM1, is known as the Minimal Level. This is the first level at which any type of hunting is performed. An organization at this level still relies primarily on automated alerting, but staff at least routinely collect some IT data from around the enterprise and store it in a central location, such as the database of a SIEM platform or some other log management tool. Analysts base their detection decisions largely on the available threat intelligence.

Organizations at this level tend to track the latest threat reports from a combination of open and closed sources. Analysts extract key indicators (IP addresses, domains, file hashes and the like) from these reports and search the collected data to determine whether those indicators have been observed in their environment recently.

 


Level 1 in DNIF 

The following query fetches firewall events from the last 24 hours in which the destination IP is suspected to be malicious based on available threat intelligence. If the firewall blocked the communication, an alert is raised for suspicious network traffic. A blocked connection confirms that the control worked; the same search for connections the firewall allowed is the one that needs immediate follow-up, because it means an internal host actually reached the suspect destination.

_fetch * from event where $LogType=FIREWALL AND
$Duration=24h AND $ViolationField=DESTINATION AND
$Intel=True AND $ActionTaken=blocked group count_unique
$DstIP limit 100
>>_raise module threat_intel malicious_communication_blocked
$DstIP 4 12h
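The same threat-intelligence search, as an added Python example that is not part of this datasheet or of DNIF: it parses constructed firewall log lines, matches each destination against a list of constructed indicators (single IPs and CIDR blocks) and counts blocked hits per destination, like count_unique $DstIP. It goes one step beyond the page's query by also collecting the allowed connections to listed destinations, which are the ones an analyst should chase first. The log format, the indicators and the addresses are assumptions made for the example.

```python
import ipaddress
import re

# Constructed indicators "extracted from a threat report" for this example. Addresses are
# RFC 5737 documentation ranges, not real threat intelligence. Bare IPs and CIDR blocks.
INTEL_INDICATORS = ["198.51.100.23", "203.0.113.0/24"]

# Constructed firewall log lines in a made-up key=value format (not DNIF's or any vendor's).
FIREWALL_LOG = """\
2018-11-01T10:00:01 fw1 action=blocked src=10.0.0.5 dst=198.51.100.23 dport=443
2018-11-01T10:00:02 fw1 action=allowed src=10.0.0.7 dst=93.184.216.34 dport=80
2018-11-01T10:00:03 fw1 action=blocked src=10.0.0.9 dst=203.0.113.77 dport=4444
this line is not a firewall record and must be skipped
2018-11-01T10:00:04 fw1 action=blocked src=10.0.0.5 dst=198.51.100.23 dport=443
2018-11-01T10:00:05 fw1 action=allowed src=10.0.0.11 dst=203.0.113.8 dport=8080
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_firewall_log(text):
    """Parse the constructed format; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def compile_intel(indicators):
    """Normalise indicators to networks so a bare IP and a CIDR block match the same way."""
    return [ipaddress.ip_network(i, strict=False) for i in indicators]


def destination_is_listed(dst, networks):
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return False          # not an IP literal (e.g. a host name); not matched here
    return any(addr in net for net in networks)


def hunt_intel_hits(log_text, indicators):
    """Count blocked connections per listed destination (the page's count_unique $DstIP over
    $ActionTaken=blocked) and separately collect allowed connections to listed destinations,
    which are the hits that actually need an analyst's attention."""
    networks = compile_intel(indicators)
    blocked, allowed = {}, []
    for ev in parse_firewall_log(log_text):
        if not destination_is_listed(ev["dst"], networks):
            continue
        if ev["action"] == "blocked":
            blocked[ev["dst"]] = blocked.get(ev["dst"], 0) + 1
        else:
            allowed.append(ev)
    return blocked, allowed


if __name__ == "__main__":
    blocked, allowed = hunt_intel_hits(FIREWALL_LOG, INTEL_INDICATORS)
    for dst, n in blocked.items():
        print("malicious_communication_blocked", dst, n)
    for ev in allowed:
        print("malicious_communication_ALLOWED", ev["src"], "->", ev["dst"], ev["dport"])
```

The CIDR handling matters in practice: reports often list whole hosting ranges, and a hunt that only does exact string matches on $DstIP will miss every address in such a block.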
 

 
 

 


Level 2
HM2 is the Procedural Level. Organizations at this level regularly learn about and apply hunting procedures developed by others, and may make minor changes to them. The focus here is on applying a specific analysis technique to a given type of input data in order to discover a particular kind of malicious activity. At this level, though, organizations are not yet capable of creating new procedures for themselves.

Organizations at HM2 collect large amounts of data throughout their environments. This is the most common level of capability among organizations with active threat hunting programs.

Level 2 in DNIF
An event store named domains is created, holding all malicious domains that devices in the network have communicated with. The sequence of queries below fetches a domain from the event store and runs a DomainTools lookup using the get_parsed_whois function. The third line (the _checkif step) drops results that came back with a 404 response code, i.e. lookups that returned no record, so they do not pollute the final result set.

With _field, we create a new field called $CurrentDate holding the current date, and then a field named $DomainAge holding the number of days between the domain’s registration date ($DTCreatedDate) and the current date.

_fetch * from domains limit 1
>>_lookup domaintools get_parsed_whois $Domain
>>_checkif int_compare $DTResponseCode = 404 exclude
>>_field $CurrentDate time_delta @now + 0d
>>_field $DomainAge diff_day $CurrentDate, $DTCreatedDate

You can then raise an alert when a “young” domain is detected, i.e. when $DomainAge falls below a threshold you choose. Recently registered domains are cheap for attackers to set up and are a common trait of phishing and command-and-control infrastructure, which is what makes domain age a useful procedure to adopt at this level.
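The domain-age procedure, as an added Python example that is not part of this datasheet or of DNIF: a constructed WHOIS table stands in for the DomainTools lookup, 404 results are dropped like the _checkif step, the age is computed like $DomainAge, and registrations younger than a threshold are flagged. It also reduces host names to their registered domain before the lookup, which the page's query does not do. The table contents, the 30-day threshold and the two-label domain reduction are assumptions made for the example.

```python
from datetime import date

# Constructed stand-in for the page's DomainTools get_parsed_whois lookup:
# domain -> (response code, registration date as ISO 8601). Values are invented.
WHOIS_TABLE = {
    "example.com":          (200, "1995-08-14"),
    "fresh-login-page.xyz": (200, "2018-10-28"),
    "no-record.invalid":    (404, None),
}

YOUNG_DOMAIN_DAYS = 30   # assumed threshold; tune it to your environment


def lookup_whois(domain, table=WHOIS_TABLE):
    """Offline replacement for the WHOIS lookup; unknown domains behave like a 404."""
    return table.get(domain, (404, None))


def registered_domain(fqdn):
    """Reduce a host name to the part WHOIS is keyed on. Assumes a two-label registrable
    domain; a real deployment needs a public-suffix list (co.uk, com.au, ...)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_age_days(created_iso, today):
    return (today - date.fromisoformat(created_iso)).days


def hunt_young_domains(domains, today_iso, threshold_days=YOUNG_DOMAIN_DAYS, table=WHOIS_TABLE):
    """Look up each domain, drop 404 results (the page's _checkif ... 404 exclude), compute
    the age in days (the page's $DomainAge) and flag registrations younger than the
    threshold. Deduplicates by registered domain so one lookup serves all of its hosts."""
    today = date.fromisoformat(today_iso)
    seen, findings = set(), []
    for fqdn in domains:
        domain = registered_domain(fqdn)
        if domain in seen:
            continue
        seen.add(domain)
        code, created = lookup_whois(domain, table)
        if code == 404 or not created:
            continue
        age = domain_age_days(created, today)
        findings.append({"domain": domain, "created": created, "age_days": age,
                         "young": age < threshold_days})
    return findings


if __name__ == "__main__":
    observed = ["www.example.com", "login.fresh-login-page.xyz",
                "cdn.fresh-login-page.xyz", "no-record.invalid"]
    for f in hunt_young_domains(observed, "2018-11-02"):
        print("young_domain" if f["young"] else "ok", f)
```

Deduplicating on the registered domain is not only a cost saving on a paid lookup API: it also stops one campaign that uses many host names under a single fresh registration from producing a separate finding per host.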

Level 3
HM3 is the Innovative Level. Organizations at this level have at least a few hunters with knowledge of a variety of data analysis techniques, and the ability to apply them to identify malicious activity. At this level, organizations create and publish their own procedures instead of relying on those developed by others. The key at this stage is for analysts to document these procedures and make them repeatable, so they can be performed frequently and consistently by whoever is on shift.

HM3 organizations can be very effective at detecting and combating the activities of threat actors. However, as the number of procedures they’ve developed increases over time, they may face scalability issues in attempting to perform all of these procedures on a reasonable schedule without increasing the number of analysts available to perform them.

Level 3 in DNIF

With DNIF you can set a baseline for each user’s activities based on their daily behaviour, and review the history of each activity for individual users from the dashboard. Based on the user’s usual behaviour and how far a new action deviates from it, you can also assign a severity score and raise an alert for the activity. A baseline is only as good as the history behind it: users with little history, shared accounts and service accounts will skew it, so review those separately before trusting the scores.
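A per-user baseline of the kind described above, as an added Python example that is not part of this datasheet or of DNIF: it builds a mean and standard deviation of a daily activity count per user from constructed history, scores today's count as the number of standard deviations above that user's own mean, and maps the deviation to a severity. The history, the minimum history length, the standard-deviation floor and the severity mapping are assumptions made for the example.

```python
import statistics

# Constructed baseline: per user, the daily count of one activity (say, files downloaded)
# over the last ten days. Numbers are invented for this example.
BASELINE_HISTORY = {
    "alice": [12, 15, 10, 14, 13, 11, 12, 16, 14, 13],
    "bob":   [2, 3, 1, 2, 2, 3, 2, 1, 2, 3],
    "carol": [5, 6],                                  # too little history to judge
}

MIN_BASELINE_DAYS = 7    # assumed: refuse to score users with fewer days of history
STDEV_FLOOR = 1.0        # assumed: stops a near-constant history from making +1 look extreme


def build_baseline(history, min_days=MIN_BASELINE_DAYS):
    """Per-user mean and population standard deviation of the daily count."""
    baseline = {}
    for user, counts in history.items():
        if len(counts) < min_days:
            continue
        baseline[user] = (statistics.mean(counts), statistics.pstdev(counts))
    return baseline


def deviation(value, mean, stdev, floor=STDEV_FLOOR):
    """How many standard deviations today's value sits above the user's own mean."""
    return (value - mean) / max(stdev, floor)


def severity(z):
    """Assumed mapping from deviation to an alert severity (0 = no alert)."""
    if z < 2:
        return 0
    if z < 3:
        return 2
    if z < 5:
        return 3
    return 4


def score_today(baseline, today_counts):
    """Return {user: {"z": ..., "severity": ...}}. Users without a baseline get severity
    None so they are surfaced as unscored rather than silently passed."""
    out = {}
    for user, value in today_counts.items():
        if user not in baseline:
            out[user] = {"z": None, "severity": None}
            continue
        mean, stdev = baseline[user]
        z = deviation(value, mean, stdev)
        out[user] = {"z": round(z, 2), "severity": severity(z)}
    return out


if __name__ == "__main__":
    base = build_baseline(BASELINE_HISTORY)
    for user, r in score_today(base, {"alice": 40, "bob": 4, "carol": 30, "dave": 1}).items():
        print(user, r)
```

Comparing each user only against their own history is the point: alice downloading 40 files is an alert, while the same 40 for a user whose mean is 38 is not. The floor on the standard deviation keeps quiet accounts from alerting on trivial changes, and the unscored users are exactly the accounts a hunter should look at by hand.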

 

Level 4 
The final level, HM4, is the Leading Level. HM4 is similar to HM3, but with one 
big difference: automation. At this level, any hunting process that proves to be 
successful will be operationalized and turned into an automated detection 
strategy. This frees analysts from the burden of manually running the same 
process over and over, allowing them to concentrate on improving existing 
processes or creating new ones instead. 

 

Level 4 in DNIF

The hunting processes that were found to be successful in the previous levels can be automated and scheduled to run at regular intervals.

Taking the query from Level 1, we can automate it by scheduling a cron job. Since this query fetches data for the last 24 hours, we schedule it to run once a day, so that consecutive runs cover adjacent windows rather than overlapping ones:

_fetch * from event where $LogType=FIREWALL AND
$Duration=24h AND $ViolationField=DESTINATION AND
$Intel=True AND $ActionTaken=blocked group count_unique
$DstIP limit 100
>>_raise module threat_intel malicious_communication_blocked
$DstIP 4 12h

Cron: 0 0 * * *

The five cron fields are minute, hour, day of month, month and day of week, so 0 0 * * * fires at 00:00 every day. If you would rather run the check hourly (0 * * * *), shorten $Duration to 1h so that each run looks only at data that arrived since the previous one.

Businesses have been trying for years to find the best, most efficient way to detect threats and shut them down before they cause damage, but none of this matters if the hunting itself is done badly. Unreliable data or poorly understood procedures cannot help a business succeed, and are liable to do the opposite. Threat hunting is about piecing together different sources of data to build a picture of what an attacker is doing, or is likely to do, in your environment.

The maturity model can be used as a resource to help businesses take the time to fully understand threat hunting. Using the HMM as the foundation for a business’s hunting capabilities reduces the pain commonly associated with developing a hunting program, and lets the business work its way through the levels and grow its threat hunting capabilities organically.

 

About DNIF

DNIF is a first-of-its-kind NextGen SIEM with multiple capabilities, including UEBA, log management, SOAR, security analytics and threat intelligence, bundled together on a single platform to bring process efficiency, better manageability and reduced risk.

WEB https://dnif.it
EMAIL hello@dnif.it
TOLL FREE +1 888 664 8420 (USA) | 1800 123 3643 (INDIA)

USA: 2570 N. First Street 2nd Floor, San Jose, CA 95131, USA
INDIA: 2nd Floor, Reliable House, KanjurMarg (w), Mumbai 400078, IN

To arrange a demo of DNIF or to speak with one of our security architects to see how our platform would be helpful for your organization, please contact us at hello@dnif.it

 
© 2018 NETMONASTERY NSPL. All rights reserved. NETMONASTERY, DNIF, DQL, The “OPEN” Big Data Analytics Platform are trademarks or registered trademarks of NETMONASTERY NSPL and/or its affiliates in India and/or the US and other countries. The title image is a photo by Cayetano Gil on Unsplash and is used with full credit to the owner.

 