Certified Incident Handler (ECIH) — Question 21

Mark, a security analyst, was tasked with performing threat hunting to detect imminent threats in an organization's network. He generated a hypothesis based on the observations in the initial step and started the threat hunting process using existing data collected from DNS and proxy logs.
Identify the type of threat hunting method employed by Mark in the above scenario.

Answer options

A. Entity-driven hunting
B. TTP-driven hunting
C. Data-driven hunting
D. Hybrid hunting

Correct answer: C

Explanation

The correct answer is C, Data-driven hunting, because Mark starts from existing data (DNS and proxy logs) and lets that data guide the hunt. Option A (Entity-driven hunting) starts from a specific entity such as a host or user, and option B (TTP-driven hunting) starts from known tactics, techniques, and procedures; neither is the basis of Mark's approach. Option D (Hybrid hunting) combines several of these methods, which does not apply here since Mark relies primarily on the collected data.