Threat hunting is one of the most important emerging disciplines in cybersecurity. As organizations embrace digital transformation, their attack surfaces expand exponentially. Preventive security tools alone can’t keep up with rapidly evolving threats. Proactively hunting for malicious activity within infrastructure has become critical.
In this comprehensive 2500+ word guide, we’ll cover everything technology and security leaders need to know to implement effective threat hunting.
What Exactly is Threat Hunting?
Threat hunting is the practice of proactively and iteratively searching through networks, endpoints, logs, and datasets to detect advanced threats that evaded existing security solutions.
The goal is to find evidence of compromise, vulnerabilities, and attacker behaviors before they lead to damaging data breaches. Security analysts operate under the assumption that systems are already compromised and diligently investigate to surface risks.
Threat hunting combines human intuition, creativity, and analytical skills with data science techniques and threat intelligence to uncover:
- Ongoing attacks like APTs and malware infections
- Backdoors and unauthorized lateral movement
- Insider threats and account misuse
- Early stages of an attack before payloads deploy
- Signals of data staging and exfiltration
The term “threat hunting” was coined in 2012 by threat researchers at the security firm Mandiant, now part of FireEye. It gained popularity as organizations realized that focusing solely on prevention was insufficient in the face of rapidly evolving attacker tradecraft.
Threat hunting recognizes that given enough time and resources, motivated attackers will eventually find ways to bypass perimeter defenses. Getting ahead of these threats requires continuous investigation within infrastructure to surface risks in their early stages, before material damage is done.
Key Benefits of Threat Hunting
Threat hunting strengthens enterprise security posture in many important ways:
Earlier Threat Detection Reduces Breach Impact
The earlier malicious activity is detected, the less data can be exfiltrated and fewer systems compromised. Skilled threat hunters identify threats missed by preventive systems and find attackers who’ve evaded detection. Prompt discovery provides opportunity to neutralize attacks before they escalate.
According to IBM’s 2020 Cost of a Data Breach Report, companies who identified a breach through threat hunting or vulnerability scanning reduced breach costs by over $1 million on average compared to those relying on traditional anti-virus solutions.
Catches Unknown and Emerging Threats
Automated security tools rely on rules and signatures to catch known threats. Threat hunters leverage human judgement, creativity, and intuition to uncover novel indicators of compromise and threats never seen before. This focus on finding the unknown allows organizations to keep pace with rapidly evolving attacker tradecraft.
Builds Familiarity with Environments
Threat hunting exercises force analysts to deeply analyse and understand what’s normal vs. abnormal in environments. This translates into faster response and more informed decisions when security incidents do occur.
Keeps Security Teams Engaged and Skilled
Proactive threat hunting requires security teams to continuously hone skills and stay up-to-date on attacker tactics, techniques and procedures (TTPs) seen in the wild. Organizations that prioritize hunting avoid complacency and keep talent sharp.
According to SANS analyst Mathieu Thiemard, “Threat hunting develops most of the skills you need for cyber defense, such as knowledge of attacker tactics, capability to analyze masses of security events, understanding of system behaviors, and rapid response skills.”
Develops Tribal Knowledge
Threat intelligence and insights gained from hunting exercises create institutional memory that benefits the entire organization. Applied learnings allow security programs to mature.
Cost Effective Risk Reduction
Threat hunting provides outsized risk reduction per dollar versus buying the latest shiny security product. Investing in skilled talent to find threats early pays dividends.
How Threat Hunting Differs from Traditional Security
Threat hunting stands in stark contrast to traditional reactive security measures:
| Traditional Security | Threat Hunting |
| --- | --- |
| Reactive and passive | Proactive and continuous |
| Relies on alerts and predefined rules | Leverages human intuition and analysis |
| Looks for known threats | Seeks out unknown threats |
| Responds to incidents | Constantly investigates to surface risks |
| Rigid and predictable | Creative and adaptable |
While traditional security tools still play an important role, organizations require threat hunting capabilities to surface risks that evade preventive systems.
Threat Hunting vs. Threat Intelligence
Threat intelligence and threat hunting are complementary disciplines but have some distinct differences:
Threat Intelligence involves collecting and analyzing data on known adversaries to understand their motives, capabilities, and behaviors. This external information feeds defense strategies and policies.
Threat Hunting is an internal process focused on uncovering risks and abnormalities specific to your own environment. The goal is validation, not just data enrichment.
Threat intelligence delivers strategic insights into the overall threat landscape, while hunting aims to uncover threats that made it past security defenses. TI informs threat hunting efforts by providing data on new attacker TTPs to investigate.
Organizations optimize outcomes by blending threat intelligence gathering with continuous threat hunting. According to Gartner, “Threat hunting augmented by external threat intelligence will be necessary to mitigate 82% of breaches by 2022.”
Types of Threat Hunting
Threat hunting is conducted in various forms depending on hypotheses, infrastructure visibility, and available data sources. Common hunting approaches include:
Indicator-Based Hunting – Searching for specific IOCs like file hashes, domain names, and IP addresses linked to known bad actors based on threat intelligence. Starting with strict IOCs provides a targeted hunt.
Behavior-Based Hunting – Looking for anomalies and outliers in system or user behaviors that deviate from baselines. Example: unusual privileged account activities, traffic spikes, and DNS request anomalies.
Perimeter Hunting – Analyzing perimeter systems like VPN concentrators, proxies, firewalls, and DNS resolvers for evidence of compromise like command and control communications.
Host Hunting – Inspecting servers, workstations, and other endpoints for indicators of compromise like suspicious registry edits, new services, odd process behaviors, and local malware.
Network Hunting – Digging into network metadata and traffic like volumes, flows, and connection patterns to uncover hidden C2 channels, lateral movement, or data exfiltration.
Cloud Hunting – Scouring cloud configuration data, network traffic, audit logs, and API calls to identify misuse, crypto mining, data compromises, and policy violations.
Vulnerability Hunting – Proactively identifying unpatched systems, misconfigurations, risky permissions, and open ports that could be exploited by attackers.
Vertical Hunting – Focusing threat hunting on high-risk data sets like HR systems, financial records, and intellectual property.
The most effective programs incorporate continuous hunting across all infrastructure domains to find both known and novel threats.
Inside the Threat Hunting Process
Orchestrating an effective threat hunt involves thoughtful planning, collaboration across teams, and a methodical workflow. Key stages include:
Hypothesis Development
Hunts begin with development of hypotheses around potential compromises, guided by risk assessments, threat intel, vulnerability data, and known attacker TTPs. Hypotheses aim to flush out intruders, backdoors, data theft activity, and other threats.
Data Collection and Ingestion
Security analysts aggregate and ingest data from diverse sources like SIEM logs, endpoint telemetry, packet captures, DNS records, IDS alerts, etc. Machine data is normalized and enriched as needed.
Data Processing and Analytics
Using data science techniques like statistical analysis, visualization, machine learning, and AI, the assembled datasets are queried and analyzed to identify abnormal, suspicious, or outlier events.
Threat Investigation and Pivoting
Anomalies and high-risk events are investigated manually to determine if they represent true compromises or false positives. Additional data may be pulled in for pivoting during this stage until a determination can be made.
Neutralization and Containment
Validated indicators of compromise then initiate incident response procedures like isolating affected systems, resetting credentials, eradicating malware, and implementing filters to prevent further attack activities.
Documentation and Reporting
All activities and findings are documented in a hunt report that captures new insights into the environment as well as recommendations to improve defenses against discovered threats.
Improving Hunt Hypotheses
By analyzing findings from preceding hunts and incorporating new threat intelligence, security teams refine hypotheses and hunting approaches to maximize detections of advanced threats.
With practice, organizations settle into a consistent threat hunting rhythm that continuously surfaces risks and compromises before they escalate into breaches.
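The following is an added example, not code from the article: it runs the indicator-based and behavior-based approaches from the "Types of Threat Hunting" section over one constructed set of DNS-style log lines, walking the ingestion, analytics and investigation-candidate stages of the process described above. The telemetry, the host names and the IOC domain are all constructed for the example; the z-score baseline threshold is an assumed starting value a hunter would tune to the environment.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed sample telemetry ("<timestamp> <host> <queried domain>");
# ws-05 is deliberately noisy and queries a constructed IOC domain.
SAMPLE_LOGS = """\
2024-01-01T09:00:01 ws-01 updates.example.com
2024-01-01T09:00:05 ws-02 updates.example.com
2024-01-01T09:00:09 ws-02 mail.example.com
2024-01-01T09:00:12 ws-03 updates.example.com
2024-01-01T09:00:20 ws-04 updates.example.com
2024-01-01T09:00:31 ws-04 mail.example.com
2024-01-01T09:01:00 ws-05 updates.example.com
2024-01-01T09:01:01 ws-05 BAD-C2.example.net.
2024-01-01T09:01:02 ws-05 cdn.example.org
2024-01-01T09:01:03 ws-05 cdn.example.org
garbage line that the parser must skip
"""
# Constructed IOC set; in a real hunt this comes from threat intelligence.
SAMPLE_IOCS = {"bad-c2.example.net"}

def parse(text):
    # Ingestion: lower-case domains and strip a trailing dot so exact IOC
    # matching survives case/FQDN formatting; malformed lines are dropped.
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            ts, host, domain = parts
            records.append((ts, host, domain.lower().rstrip(".")))
    return records

def indicator_hunt(records, iocs):
    # Indicator-based: exact match of queried domains against the IOC set.
    return [(ts, host, d) for ts, host, d in records if d in iocs]

def behavior_hunt(records, z_threshold=2.0):
    # Behavior-based: a host is an outlier when its query count is more than
    # z_threshold standard deviations above the baseline of all other hosts.
    counts = Counter(host for _, host, _ in records)
    outliers = {}
    for host, n in counts.items():
        baseline = [c for h, c in counts.items() if h != host]
        if len(baseline) < 2:  # too few peers to form a baseline
            continue
        mu, sd = mean(baseline), pstdev(baseline)
        z = (n - mu) / sd if sd else (float("inf") if n > mu else 0.0)
        if z > z_threshold:
            outliers[host] = round(z, 2)
    return outliers

def run_hunt(text, iocs, z_threshold=2.0):
    # Both hunts over one dataset; results are investigation candidates,
    # not verdicts, and feed the manual pivoting stage.
    records = parse(text)
    return {"ioc_hits": indicator_hunt(records, iocs), "outlier_hosts": behavior_hunt(records, z_threshold)}
```

With the constructed data, ws-05 surfaces twice: once as an exact IOC match and once as a volume outlier (z = 5.0 against the other four hosts), which is the kind of corroboration that raises a candidate's priority for investigation.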
Building a Threat Hunting Program
Developing an impactful threat hunting program presents challenges but pays major dividends in risk reduction. Key steps include:
Secure Executive Buy-In
Because threat hunting focuses on risks that have bypassed preventive controls, some executives view it as highlighting failures in existing security programs. Position threat hunting as a vital capability that strengthens overall security. Provide metrics showing early threat detection and rapid response.
Create a Dedicated Hunt Team
Staff the team with senior security analysts, threat researchers, and data scientists with the skills to deeply investigate systems using data analytics, programming, statistics, visualization, and machine learning techniques.
Develop Hunting Hypotheses
Start threat hunts based on known high-risk attack tactics, anomalies from previous hunts, threat intelligence, vulnerability data, and security expertise within your organization.
Establish a Data Pipeline
Ingest endpoint, system, network, user, and application data from diverse silos into an analytics platform like a SIEM or data lake. Normalize data for efficient hunting queries.
Allocate Resources for Tools and Storage
Threat hunting is resource intensive, requiring ample data storage, computing power, and advanced analytics tools. Work with IT to ensure hardware availability meets program needs.
Create Threat Hunting Playbooks
Playbooks capture institutional knowledge and provide a framework for common hunting procedures. Cover processes end-to-end from data ingestion to threat neutralization.
Enable Collaboration Between Teams
Break down silos between threat intelligence, incident response, SOC, security engineering, IT and other groups. Sync regularly to maximize knowledge sharing.
Develop Threat Hunter Expertise
Support continuous skill building through hands-on hunting, training on analytics tools, conferences, certifications, and sharing lessons learned across the team.
Report Hunt Outcomes to Leadership
Document anomalies found, steps taken for remediation, and metrics like dwell time reductions. Highlight program successes to maintain executive support.
With the right organizational foundation, threat hunting programs deliver high ROI in the form of reduced breach risk through early threat detection.
Overcoming Common Threat Hunting Challenges
Developing capable threat hunting capabilities presents a variety of challenges:
Skillset Shortages – Organizations struggle to recruit security professionals possessing the specialized data science, analytics, programming and detection skills required for hunting. Invest in training programs to build expertise.
Data Sufficiency – Network and system visibility gaps will obstruct threat hunts. Carefully evaluate monitoring completeness across infrastructure and remediate blindspots.
Compliance Risks – Threat hunting programs must operate lawfully and avoid breaching data privacy regulations. Involve legal/compliance teams in hunt planning.
Proving Value – Quantifying threat hunting efficacy is difficult. Track metrics over time like dwell time reductions, systems secured, and intel gained to showcase program ROI.
Resource Constraints – Threat hunting demands significant compute, storage and personnel resources. Start small with pilots and grow capabilities over time.
False Positives – Anomalies must be thoroughly investigated to avoid flagging benign activities as threats. Analyst experience reduces false positives over time.
Staying Current – Adversaries rapidly change tactics. Continually tune hunting hypotheses by consuming new threat research, intel feeds, and tool updates.
With executive awareness of these challenges, organizations can take steps to mature hunting programs over time.
Threat Hunting Tools and Techniques
Threat hunters leverage a wide range of open source and commercial tools:
SIEM – Security Information and Event Management tools like Splunk, IBM QRadar, and Exabeam ingest and correlate diverse security data needed for threat hunts.
EDR – Endpoint Detection and Response tools like CarbonBlack, CrowdStrike, and Cybereason provide visibility into suspicious process behaviors, file changes, and other endpoint IOCs.
IDS/IPS – Intrusion Detection and Prevention Systems like Snort and Suricata analyze network traffic for exploits, C2 channels, and other network-borne threats.
Packet Analysis – Packet capture tools like Wireshark help analyze network traffic for anomalies and uncover malware phoning home.
Forensics – Disk forensics tools uncover malware remnants, suspicious user activities, and other artifacts useful for pivoting during hunts.
Threat Intelligence Platforms – Solutions like Anomali and ThreatQuotient provide threat data to inform hypothesis development and hunt scoping.
Visualization – Solutions like Splunk’s CIM models visualize hunt data to spot anomalies through human pattern recognition.
Statistical Analysis – Statistical tests identify significant deviations from normal activity baselines that may represent threats.
Machine Learning – Algorithms can model baseline behaviors to automatically surface abnormal events for human investigation.
With the right toolkit and skills, threat hunters can deeply investigate systems and surface subtle indicators of compromise.
Threat Hunting Career Paths
Threat hunting requires a unique blend of analytical, technical, and communication skills. Typical career paths include:
Security Analysts – Strong hunters often emerge from security operations centers and existing incident response teams. Analysts possess knowledge of environments and defender perspectives.
Data Scientists – Professionals skilled in data analytics, statistics, visualization, and machine learning bring critical abilities to query large datasets and surface abnormalities.
Malware Analysts – Deep malware expertise aids hunters in identifying C2 traffic, infected hosts, and advanced adversary tradecraft.
Offensive Security Engineers – Knowledge of attack methods translates well into hunting hypotheses centered on attacker behaviors.
Threat Researchers – Keeping pace with the latest adversary tactics and tools allows hunters to know what to look for within environments.
SOC Managers – Leadership skills in orchestrating teams, workflows and technologies are critical for threat hunting program success.
Strong communication abilities are also vital for distilling complex technical threat scenarios into actionable insights for business leaders.
Limitations of Threat Hunting
While extremely beneficial, threat hunting has some limitations:
- Threat hunting finds threats that made it past perimeter defenses but does not replace the need for strong preventive security like next-gen firewalls, endpoint protection, and access controls.
- Hunting is staff intensive. Automated analytics should be leveraged to improve productivity where possible.
- Hunts are only as effective as visibility/data allows. Environments with major monitoring gaps obstruct hunting efforts.
- Compliance and legal concerns may restrict the type of data that can be utilized for threat hunting. Policy controls are required.
- Threat hunting focuses on known and potential risks but cannot catch unknown unknowns. Creative thinking is key.
- Organizations must weigh costs of threat hunting programs vs. other beneficial security investments.
Threat hunting works best alongside other core security capabilities as part of a defense-in-depth strategy.
Conclusion
As high-impact breaches continue to ravage both public and private sector organizations, business leaders are recognizing the need to get ahead of threats before they escalate into crises. Threat hunting provides a powerful set of capabilities purpose-built to uncover malicious activity that slips past perimeter defenses.
By taking a continuous, hypothesis-driven approach to uncovering risks across the environment, dedicated hunt teams working alongside security operations centers can shrink the window of opportunity for attackers. Early discovery allows organizations to contain emerging threats before data exfiltration and collateral damage occur.
However, developing an effective threat hunting program presents challenges including budget constraints, talent gaps, data sufficiency, and proof of value. Organizations must carefully assess existing capabilities and invest in specialized data science, analytics, and threat research skills to reap the benefits of proactive hunting.
With adequate executive awareness and support, threat hunting programs deliver high return on investment by keeping security teams engaged, skills sharp, and organizations secure against emerging threats.