Threat Hunting

Threat hunting is the proactive, human-driven practice of searching through networks, endpoints, and datasets to detect and isolate advanced threats that have evaded existing automated security solutions.

What Is Threat Hunting?

Rather than waiting for alerts from security tools, threat hunters actively search for indicators of compromise (IOCs), anomalous behavior, and signs of adversary presence. Hunting starts from an assumption of compromise: it presumes attackers are already in the environment and sets out to find evidence of their activity, typically by forming a hypothesis and testing it against available telemetry.

Threat Hunting Approaches

Hypothesis-Driven Hunting

Starting with a threat intelligence-driven hypothesis (e.g., "APT29 uses this specific technique for persistence") and then searching for evidence in the environment. A good hypothesis is specific enough that the available telemetry can confirm or refute it.

Data-Driven Hunting

Analyzing large datasets for anomalies, outliers, or patterns that may indicate malicious activity without a specific hypothesis.

Intelligence-Driven Hunting

Using threat intelligence reports, IOCs, and TTPs to search for known adversary indicators in the environment.

The Hunting Process

  1. Hypothesis Creation: Develop a testable hypothesis based on threat intelligence or anomaly observations
  2. Data Collection: Gather relevant telemetry from endpoints, networks, and cloud environments
  3. Analysis: Query and analyze data using tools like SIEM, EDR, or custom scripts
  4. Investigation: Follow up on findings to determine scope and impact
  5. Response: Escalate confirmed threats for incident response
  6. Enrichment: Update detection rules and threat intelligence based on findings
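The following is an added worked example, not code from the original page: one hunt carried through the process above, run three ways over the same telemetry to show the approaches listed earlier (an IOC lookup for intelligence-driven, a hypothesis query for hypothesis-driven, and a frequency stack for data-driven). The hypothesis is that an adversary persists via scheduled tasks (ATT&CK T1053.005) whose action runs from a user-writable directory. All events, hosts, users, hashes and IOCs are constructed for this example and do not come from any real incident.

```python
"""Worked threat hunt over constructed process-creation telemetry.

Hypothesis (ATT&CK T1053.005): an adversary already inside the network
persists by creating scheduled tasks whose action runs from a user-writable
directory. The same data is hunted three ways: an IOC lookup
(intelligence-driven), the hypothesis query (hypothesis-driven) and a
frequency stack of process images across hosts (data-driven).
"""
import re
from collections import defaultdict

# Constructed sample telemetry shaped like Sysmon Event ID 1 (process creation).
# Hosts, users, paths and hashes are made up for this example.
EVENTS = [
    # Baseline: a legitimate installer-created task on a workstation.
    {"ts": "2024-03-01T08:02:11", "host": "WS-014", "user": r"CORP\alice",
     "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "OneDrive Update" /tr "C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe" /sc daily',
     "sha256": "sha_schtasks"},
    # Suspicious: task created from cmd.exe, action runs a binary staged in AppData.
    {"ts": "2024-03-01T09:15:40", "host": "WS-022", "user": r"CORP\bob",
     "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "Windows Telemetry Helper" /tr "C:\Users\bob\AppData\Roaming\svchost.exe" /sc minute /mo 5',
     "sha256": "sha_schtasks"},
    # The masquerading binary itself, launched by the task; its hash is a known IOC.
    {"ts": "2024-03-01T09:20:02", "host": "WS-022", "user": r"CORP\bob",
     "parent": r"C:\Windows\System32\svchost.exe", "image": r"C:\Users\bob\AppData\Roaming\svchost.exe",
     "cmdline": r"svchost.exe -k netsvcs", "sha256": "sha_bad_0001"},
    # Second host: same technique, different staging path, parent and task name.
    {"ts": "2024-03-01T11:47:19", "host": "WS-031", "user": r"CORP\bob",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "Updater" /tr C:\ProgramData\update.bat /sc onlogon',
     "sha256": "sha_schtasks"},
    # Normal fleet noise so the frequency stack has a baseline.
    *[{"ts": "2024-03-01T07:00:00", "host": h, "user": r"NT AUTHORITY\SYSTEM",
       "parent": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\svchost.exe",
       "cmdline": r"svchost.exe -k netsvcs", "sha256": "sha_svchost"}
      for h in ("WS-014", "WS-022", "WS-031")],
]

# Constructed threat-intelligence feed: known-bad hashes and task names.
IOCS = {"sha256": {"sha_bad_0001"}, "task_names": {"Windows Telemetry Helper"}}

# Directories an unprivileged user can write to; a task action living here is unusual.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop)|ProgramData|Windows\\Temp|Users\\Public)\\",
    re.IGNORECASE)


def task_action(cmdline):
    """Extract the /tr argument of schtasks (quoted or bare); '' if absent."""
    m = re.search(r'/tr\s+(?:"([^"]+)"|(\S+))', cmdline, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else ""


def ioc_hits(events, iocs):
    """Intelligence-driven: match telemetry against known-bad hashes and task names."""
    hits = []
    for e in events:
        if e["sha256"] in iocs["sha256"]:
            hits.append((e["host"], "sha256:" + e["sha256"]))
        m = re.search(r'/tn\s+"([^"]+)"', e["cmdline"], re.IGNORECASE)
        if m and m.group(1) in iocs["task_names"]:
            hits.append((e["host"], "task_name:" + m.group(1)))
    return hits


def hypothesis_hits(events):
    """Hypothesis-driven: schtasks /create whose action runs from a user-writable path."""
    return [e for e in events
            if e["image"].lower().endswith("\\schtasks.exe")
            and "/create" in e["cmdline"].lower()
            and USER_WRITABLE.search(task_action(e["cmdline"]))]


def rare_images(events, max_hosts=1):
    """Data-driven: stack process images by distinct host; rare ones are outliers."""
    hosts_by_image = defaultdict(set)
    for e in events:
        hosts_by_image[e["image"].lower()].add(e["host"])
    return sorted(img for img, hosts in hosts_by_image.items() if len(hosts) <= max_hosts)


def scope(hits):
    """Investigation: which hosts, accounts and launching parents are involved."""
    return {"hosts": sorted({e["host"] for e in hits}),
            "users": sorted({e["user"] for e in hits}),
            "parents": sorted({e["parent"] for e in hits})}


def hunt(events=EVENTS, iocs=IOCS):
    """Run all three approaches and return the findings plus investigation scope."""
    hyp = hypothesis_hits(events)
    return {"ioc_hits": ioc_hits(events, iocs),
            "hypothesis_hits": [(e["host"], e["cmdline"]) for e in hyp],
            "rare_images": rare_images(events),
            "scope": scope(hyp)}


if __name__ == "__main__":
    for k, v in hunt().items():
        print(k, v)
```

Note what each approach catches and misses on this data: the IOC lookup finds only WS-022, because WS-031 used a fresh task name and no known-bad hash; the hypothesis query finds both hosts and reveals the common account and parent processes, which is the scope an incident responder needs; the frequency stack surfaces the AppData `svchost.exe` with no hypothesis at all. The hypothesis query, once confirmed, is the natural candidate for a new detection rule (the enrichment step).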

Skills Required

  • Deep understanding of operating systems and network protocols
  • Knowledge of adversary TTPs and MITRE ATT&CK
  • Proficiency with query languages (KQL, SPL, SQL)
  • Analytical thinking and pattern recognition
  • Familiarity with threat intelligence sources

Hunting Maturity Levels

The levels below follow the Hunting Maturity Model (HMM) published by Sqrrl.

  Level   Name          Description
  L0      Initial       Relies entirely on automated alerting
  L1      Minimal       Occasional ad-hoc hunting with basic analytics
  L2      Procedural    Regular hunts using documented procedures
  L3      Innovative    Data-driven hunting with custom tools and analytics
  L4      Leading       Automated hunting with ML, fully integrated into operations
