We have a blog! Check out MITRE Shield on Medium.

Hunting

The process of searching for the presence of or information about an adversary.

Typically the search is informed by intelligence on adversary TTPs and infrastructure. Within the defender's environments, hunting presupposes a failure of initial prevention or detection, and that an adversary has successfully penetrated a system. In this case defenders hunt for the presence of an adversary. Defenders also hunt adversaries outside the defended environment. Information about the adversary, including their skills, TTPs, and infrastructure can be used to improve defenses or promote better adversary engagement.

Details
ID: DTE0021
Tactics:  Detect

Opportunities

IDDescription
DOS0245 If you can determine how an adversary is dynamically resolving command and control (C2) addresses, there is an opportunity to use that information to identify additional adversary infrastructure or tools.

Use Cases

IDDescription
DUC0245 A defender can use information about how an identified dynamic resolution works to hunt for previously undetected adversary resolutions that work in the same manner.

Procedures

IDDescription
DPR0039 Pivot on Command and Control information to identify other infrastructure used by the same adversary.
DPR0065 Use information about an adversary's TTPs to perform retroactive searches for any activity that have gone undetected.

ATT&CK® Techniques

IDNameATT&CK Tactics
T1568 Dynamic Resolution Command and Control