Cyber threat intelligence isn't limited to analyzing and understanding what has already happened. Instead, organizations seeking to maximize the value of threat intelligence should consider ways to get ahead of their adversaries -- to include their capabilities and infrastructure -- before being targeted. This presentation will cover general best practices for infrastructure research and hunting, with a focus on exploiting adversary registration and hosting tactics to proactively identify related infrastructure. Beyond singular WHOIS pivots, we'll examine the confluence of characteristics and tactics inherent to infrastructure that can assist our hunting efforts, especially when encountering privacy or GDPR protected records. Finally, we will also examine a specific application of these practices focused on Wizard Spider / UNC1878 / Ryuk.