Why threat hunting is important
Instead of simply reacting to cyber attacks from a defensive posture, many organizations go on the offensive with threat hunting. Defined as systematically searching for unknown and undetected threats, threat hunting takes a proactive approach. Whether conducted by humans, automated systems or a combination, this process aims to uncover suspicious or malicious actors and activities that may have evaded security controls like firewalls or intrusion detection systems.
At a macro level, threat hunting is valuable because it helps organizations uncover and mitigate threats that escape detection by other methods and can therefore persist for long periods. According to IBM’s Cost of a Data Breach Report 2024, the data breach life cycle (time to identify and contain a breach) takes an average of 258 days. Threat hunting can shorten this cycle by finding intruders who already have a foothold in your network before they reach their objective.
Several trends are increasing the importance of threat hunting to enterprise security.
- The rise of generative artificial intelligence (AI) makes it easier for less-skilled cyber adversaries to conduct complex attacks.
- A steady increase in the speed and intensity of cyber attacks allows them to outpace traditional security tools, calling for proactive measures to get ahead of threat actors.
- The rise of identities as the new perimeter has led to new attacker techniques, including creating email forwarding rules in compromised accounts, using email rules to hide inbound emails like security alerts, and abusing cloud accounts.
- Cloud migration is another factor: the IBM report found that about 40 percent of all breaches involved data distributed across multiple environments, such as public and private clouds.
Threat hunting is also useful against zero-day attacks, which exploit software vulnerabilities that the vendor and the user community do not yet know about and for which no patch or detection signature exists. Because signature-based tools have nothing to match, hunting for the attacker’s post-exploitation behavior is often the only way to find such an intrusion.
The hunting process does more than uncover threats – it also gives security analysts a more comprehensive picture of the organization’s security posture and the tactics, techniques, and procedures (TTPs) used by attackers. Information revealed by hunting can enhance threat intelligence and improve threat mitigation efforts.
How to threat hunt
Traditional threat hunting was a manual process that required security analysts to evaluate data based on their knowledge of the organization’s network and systems, and then formulate assumptions about potential threats. Since then, automation, machine learning, and user and entity behavior analytics (UEBA) have been adopted to augment and enhance human skills and insights.
Threat hunting often follows a framework or methodology. Examples are the Sqrrl Threat Hunting Reference Model, Targeted Hunting Integrating Threat Intelligence (TaHiTI), and Prepare, Execute & Act with Knowledge (PEAK).
Many threat hunting methodologies involve these steps:
Before the hunt
- Hypothesis: Make an educated guess about possible threats that may exist in the environment and how to track them down. Hypotheses can be based on intelligence about current and evolving threats and past attacks involving similar organizations, industries, or scenarios. Other hypotheses use situational awareness and existing information about the environment, or rely on models, frameworks, and artificial intelligence (AI) information.
- Threat modeling: Understand what data and signals are most necessary to detect the hypothesized threat and create a model that informs what types of data you will collect and analyze.
- Data collection: Gather and process data from sources such as SIEM software, threat intelligence feeds, and endpoints.
During the hunt
- Trigger: Start the hunt once a concrete lead supports the initial hypothesis, such as a specific indicator of compromise (IOC), a suspicious behavior observed in the environment, or a newly reported attacker technique.
- Investigation: Correlate and analyze the collected data using manual techniques, tool-based workflows, or analytics. The goal is to uncover specific patterns or anomalies supporting the hypothesis.
- For example, analysts may identify patterns of data exfiltration or lateral movement that could indicate the presence of an attacker.
- Alternatively, the investigation can also rule out the hypothesis, which is equally valuable.
After the hunt
- Response and resolution: If the hunters detect a breach, the incident response team should remediate the issue. If they find any vulnerabilities, the security team should fix them.
- Post-mortem: Once the breach or vulnerability has been addressed, it’s important to conduct an analysis of why existing security measures did not detect the threat and how to prevent similar incidents in the future.
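A small worked hunt that walks the steps above end to end, written as an added example for this page rather than code from the original article or from Red Canary. The hypothesis is one the page itself raises: compromised accounts being fitted with mailbox rules that forward mail to an outside address or quietly delete or file away security alerts. The audit events are constructed for the example and use an assumed generic field layout (`op`, `user`, `client_ip`, `rule`), not any vendor’s export format; the keyword list and the "hiding" folder names are assumptions a hunter would tune to their own environment.

```python
import json
import re
from collections import defaultdict

# Constructed sample of mailbox-rule audit events (one JSON object per line).
# The schema is an assumption for this example, not a real product's format.
SAMPLE_EVENTS = """
{"time":"2024-05-01T08:12:03Z","user":"alice@example.com","op":"New-InboxRule","client_ip":"203.0.113.7","rule":{"name":".","forward_to":["collector@mail.example.net"],"delete":false,"move_to":null,"subject_contains":[]}}
{"time":"2024-05-01T08:13:40Z","user":"alice@example.com","op":"New-InboxRule","client_ip":"203.0.113.7","rule":{"name":"..","forward_to":[],"delete":true,"move_to":null,"subject_contains":["security alert","unusual sign-in","password"]}}
{"time":"2024-05-01T09:02:11Z","user":"bob@example.com","op":"New-InboxRule","client_ip":"198.51.100.22","rule":{"name":"Vendor invoices","forward_to":[],"delete":false,"move_to":"Invoices","subject_contains":["invoice"]}}
{"time":"2024-05-01T09:45:00Z","user":"carol@example.com","op":"Set-InboxRule","client_ip":"198.51.100.22","rule":{"name":"Copy to assistant","forward_to":["dave@example.com"],"delete":false,"move_to":null,"subject_contains":[]}}
{"time":"2024-05-01T10:20:30Z","user":"erin@example.com","op":"New-InboxRule","client_ip":"203.0.113.7","rule":{"name":"Archive","forward_to":[],"delete":false,"move_to":"RSS Feeds","subject_contains":["mfa","verification code"]}}
"""

INTERNAL_DOMAINS = {"example.com"}          # assumption: the organization's own mail domains
# Subjects an attacker wants the victim not to see (assumed list; tune to your alert wording).
ALERT_KEYWORDS = re.compile(r"security|sign-in|password|mfa|verification|suspicious|phish", re.I)
# Folders rarely opened by users, commonly used to bury hidden mail (assumed list).
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive"}


def parse_events(text):
    """Data collection step: load JSON-lines audit events into dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def is_external(address):
    """True when the address's domain is not one of ours."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def hunt_mailbox_rules(events):
    """Investigation step: test each rule-creation event against the hypothesis.

    Returns one finding per event that matches at least one suspicious trait.
    """
    findings = []
    for ev in events:
        if ev["op"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        rule = ev["rule"]
        reasons = []

        external = [a for a in rule.get("forward_to", []) if is_external(a)]
        if external:
            reasons.append("forwards to external address(es): " + ", ".join(external))

        hides = bool(rule.get("delete")) or (rule.get("move_to") or "").lower() in HIDING_FOLDERS
        hit_keywords = [s for s in rule.get("subject_contains", []) if ALERT_KEYWORDS.search(s)]
        if hides and hit_keywords:
            reasons.append("hides messages matching: " + ", ".join(hit_keywords))

        name = rule.get("name", "")
        if name and not any(ch.isalnum() for ch in name):
            reasons.append("rule name is punctuation only")

        if reasons:
            findings.append({"time": ev["time"], "user": ev["user"], "client_ip": ev["client_ip"],
                             "rule_name": name, "reasons": reasons})
    return findings


def pivot_by_client_ip(findings):
    """Pivot: a single client IP creating suspicious rules in several mailboxes
    suggests one actor working through multiple compromised accounts."""
    users_by_ip = defaultdict(set)
    for f in findings:
        users_by_ip[f["client_ip"]].add(f["user"])
    return {ip: users for ip, users in users_by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    found = hunt_mailbox_rules(parse_events(SAMPLE_EVENTS))
    for f in found:
        print(f["time"], f["user"], repr(f["rule_name"]), "->", "; ".join(f["reasons"]))
    print("shared source IPs:", pivot_by_client_ip(found))
```

In the sample, Bob’s invoice filter and Carol’s internal forward are left alone, while Alice’s two rules and Erin’s rule are surfaced, and the pivot shows that both accounts were touched from the same client IP. The pivot is the part that turns a list of hits into an investigation lead: a hunter would next pull every action taken from that IP and every sign-in for the affected accounts, and the post-mortem would ask why no existing detection fired on external forwarding or on rules that delete security notifications.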
Types of threat hunting
Threat hunting can be divided into several categories based on the approach chosen by the hunt team.
- Structured hunting, which begins with a well-defined hypothesis and follows a systematic procedure or playbook, is methodical and yields measurable results.
- In contrast, unstructured hunting is less constrained. Hunters are free to follow their instincts or hunches and explore many different avenues. While the structured approach is regimented and repeatable, the unstructured hunt is creative, free-form, and open ended.
- Situational (entity-driven) threat hunting looks for vulnerabilities and risks involving specific systems, assets, accounts, and data. It is a customized approach tailored to the individual enterprise. Threat intelligence-based hunting is guided by information on current trends, attacker TTPs, or intelligence about a particular threat.
Threat hunting models
- Intel-based hunting analyzes threat intelligence sources regarding current trends, attacker TTPs, or intelligence about a particular threat. Relevant IOCs and indicators of attack (IOAs) are used as triggers to initiate an investigation into malicious activity.
- Hypothesis-driven hunting typically frames its hypotheses in terms of MITRE ATT&CK tactics and techniques and is usually triggered by a newly identified threat. Based on this new information, threat hunters analyze data from their own environments for any indications that the threat is present.
- Custom hunts are based on specific needs and conditions, whether requirements from customers, geopolitical issues affecting the company, or targeted attacks against industry peers. Custom hunting combines features from intel-driven and hypothesis-based models and uses IOA and IOC data.
Threat hunting tools
Tools used by hunt teams are often already part of the security stack:
- SIEM: Security information and event management solutions provide real-time analysis of security threats and offer tracking and logging of security data.
- EDR/XDR: Endpoint detection and response tools give threat hunters visibility into endpoint activities. These solutions aggregate and correlate data from servers, virtual machines, mobile devices, workstations and more to help identify anomalies. Extended detection and response solutions are more comprehensive, collecting data from across multiple security domains such as networks, cloud workloads, identity management systems, and email protection systems.
- Security monitoring: Firewalls, antivirus software, intrusion detection systems (IDS), and endpoint security solutions provide real-time monitoring of events and activities and raise red flags.
- MDR: Managed detection and response services, which look for threats through continuous monitoring of networks and systems, can complement and enhance an in-house hunting program.
- Generative AI: A newer application, generative AI models are increasingly used by security teams to rapidly ingest structured data (e.g., firewall or IAM logs) and present key information in a human-readable format. Treat the model’s summary as a lead rather than a finding: it must be checked against the underlying records before anyone acts on it.
What's the difference between threat hunting and threat intelligence?
The terms threat hunting and threat intelligence are often used interchangeably. This common misconception is reinforced by the fact that they typically work hand-in-hand to bolster cybersecurity programs. However, threat hunting and threat intelligence differ in a number of ways.
Approach
- Proactive vs. passive: Threat hunting takes a proactive approach by looking for threats that are hiding in the IT environment or are not covered by the existing security stack. Threat intelligence is more passive because the focus is on understanding the threat landscape to inform future action.
- Search vs. analysis: Threat hunters seek out their quarry within the network and IT systems to uncover and deal with threats, while threat intelligence is focused on gathering and evaluating information to guide security preparation and defense.
Objective
- Active threats vs. security strategy: The ultimate goal of a hunt is to find and stop cybercriminals who have infiltrated the IT environment, while threat intelligence aims to inform and direct security teams in their plans and activities.
Process
- Human skills vs. data quality: A hunter’s skills, expertise, creativity, and understanding of systems, applications, networks, and user behavior are essential. Threat intelligence depends on the quality, relevance, and timeliness of data, as well as analytical and correlation capabilities.
- Internal vs. external data: A threat hunter finds and highlights net-new data about internal security, while a threat intelligence expert pieces together multiple external sources of data to create a big picture of the threat landscape.
Regardless of these differences, threat hunters often rely on threat intelligence to prepare for and guide the hunt, making it more precise. Further, when new internal data generated by a hunt is combined with threat intelligence, security teams can use these two sources to make better-informed decisions.
Threat hunting best practices
Effective threat hunting depends on many factors, including support from senior management, advance planning, and the right data, tools, and relationships.
Corporate commitment
While threat hunting may take a back seat to other security activities because it is proactive and does not involve known, active threats, it is vital for uncovering advanced and unknown threats that could harm the organization. When leaders agree to dedicate internal staff and resources specifically to hunting, or to outsource hunting activity to external experts, the investment can pay big dividends.
Preparation
One key to a successful hunt is to identify the baseline by determining what is normal, expected behavior for your organization’s systems, business processes, and users. This baseline makes it easier to spot anomalies. Normal behavior can encompass communication flows, user rights, and business practices.
It’s also crucial to define your objective according to your organization’s needs and situation. Your hunters may be looking for insider threats or advanced persistent threats, or simply seeking to reveal unknown threats.
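A baseline is only useful if it is something you can actually compare against, so here is an added example (not code from the original article or from Red Canary) of building one from connection records and then hunting the lateral-movement pattern mentioned earlier in the page. The records are constructed for the example in an assumed `time,src,dst,port` CSV layout; the set of administrative ports, the `ws-` naming convention for workstations, and the fan-out threshold are assumptions a hunter would replace with their own environment’s conventions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Ports whose use between hosts usually means remote administration or file access
# (SMB, RDP, WinRM, SSH). Assumed list; adjust to your environment.
ADMIN_PORTS = {445, 3389, 5985, 5986, 22}

# Constructed connection records: a month of baseline traffic followed by one hunt day.
SAMPLE_CSV = """time,src,dst,port
2024-04-02T09:00:00Z,ws-101,fs-01,445
2024-04-02T09:05:00Z,ws-102,fs-01,445
2024-04-03T09:02:00Z,ws-103,fs-01,445
2024-04-03T14:00:00Z,admin-01,ws-101,3389
2024-04-10T15:30:00Z,admin-01,ws-102,3389
2024-04-17T11:10:00Z,admin-01,ws-103,3389
2024-04-24T09:01:00Z,ws-101,fs-01,445
2024-05-01T09:00:00Z,ws-101,fs-01,445
2024-05-01T10:15:00Z,admin-01,ws-104,3389
2024-05-01T22:41:00Z,ws-103,ws-101,445
2024-05-01T22:43:00Z,ws-103,ws-102,3389
2024-05-01T22:47:00Z,ws-103,ws-104,5985
"""


def parse_records(text):
    """Load CSV connection records; timestamps become timezone-aware datetimes."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "time": datetime.fromisoformat(row["time"].replace("Z", "+00:00")),
            "src": row["src"], "dst": row["dst"], "port": int(row["port"]),
        })
    return records


def split_windows(records, cutoff):
    """Everything before the cutoff defines 'normal'; everything after is hunted."""
    return ([r for r in records if r["time"] < cutoff],
            [r for r in records if r["time"] >= cutoff])


def build_baseline(records):
    """Baseline = the set of (src, dst, port) admin pairings seen, plus how many
    distinct hosts each source normally administers."""
    pairs, dsts = set(), defaultdict(set)
    for r in records:
        if r["port"] in ADMIN_PORTS:
            pairs.add((r["src"], r["dst"], r["port"]))
            dsts[r["src"]].add(r["dst"])
    return {"pairs": pairs, "dst_count": {src: len(d) for src, d in dsts.items()}}


def is_workstation(host):
    return host.startswith("ws-")   # assumed naming convention


def hunt_lateral_movement(hunt_records, baseline):
    """Flag admin-port pairings never seen in the baseline (workstation-to-workstation
    rated high) and sources reaching far more hosts than they normally do."""
    findings, seen = [], defaultdict(set)
    for r in hunt_records:
        if r["port"] not in ADMIN_PORTS:
            continue
        seen[r["src"]].add(r["dst"])
        if (r["src"], r["dst"], r["port"]) not in baseline["pairs"]:
            sev = "high" if is_workstation(r["src"]) and is_workstation(r["dst"]) else "low"
            findings.append({"type": "new_pair", "severity": sev, "src": r["src"],
                             "dst": r["dst"], "port": r["port"], "time": r["time"].isoformat()})
    for src, dsts in seen.items():
        normal = baseline["dst_count"].get(src, 0)
        # Fan-out: at least three targets and more than double the source's usual count.
        if len(dsts) >= 3 and len(dsts) > 2 * normal:
            findings.append({"type": "fan_out", "severity": "high", "src": src,
                             "dst_count": len(dsts), "baseline_dst_count": normal})
    return findings


def run_hunt(text=SAMPLE_CSV, cutoff=datetime(2024, 5, 1, tzinfo=timezone.utc)):
    baseline_records, hunt_records = split_windows(parse_records(text), cutoff)
    return hunt_lateral_movement(hunt_records, build_baseline(baseline_records))


if __name__ == "__main__":
    for f in run_hunt():
        print(f)
```

The two kinds of finding behave differently against the baseline: the jump host `admin-01` reaching a new workstation is rated low because administering workstations is what it normally does, whereas `ws-103` touching three peer workstations over SMB, RDP and WinRM late in the evening is both a cluster of new pairings and a fan-out it has never shown before. That contrast is the point of spending time on the baseline: the same raw event (one host connecting to another on port 3389) reads as routine or as a lateral-movement lead depending on what "normal" was for that source.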
Tactics
Hunters must collect and analyze current and relevant data from across the IT environment, such as network activity and traffic, user behavior analytics, and logs from endpoints and security devices.
They also leverage existing tools to make the job easier. Your hunt team may need assistance from security and IT experts. With training, threat hunters can take advantage of the organization’s security solutions—particularly automation—to expedite the process and ease the burden of manual data collection and analysis.
Adopting the mindset of a cybercriminal helps hunters spot vulnerabilities and weaknesses in the environment. One way to think like a threat actor is by attempting to anticipate their view of your organization and IT infrastructure and what they hope to gain from an attack. Another is reviewing the latest threat intelligence to find out how adversaries are evading security measures.
Enhancements
A hunt’s value can be expanded through collaboration with your SOC, security, and vulnerability management teams. Sharing insights from the hunt with these teams can strengthen the organization’s overall security posture. In addition, applying lessons learned from each hunt supports continuous improvement. For instance, prior hunting experiences—good and bad–can help you fine-tune your hypotheses, refine your list of data sources, and tailor your threat intelligence so the next hunt is more efficient and yields better results.
SEE FOR YOURSELF
Schedule a demo to see Red Canary's threat hunting team in action.