Threat Hunting
Threat Hunting is the proactive and iterative search for cyber threats that have evaded automated security controls - turning reactive defense into an offensive strategy.
What is Threat Hunting?
Threat Hunting is the practice of proactively searching for indicators of compromise (IOCs) and malicious behavior across the network and endpoints, assuming that adversaries have already gotten past perimeter defenses. Unlike passive detection, hunters actively look for signs of adversary activity using hypotheses based on threat intelligence and knowledge of the environment.
Types of Threat Hunting
Hypothesis-Driven Hunting
Based on hypotheses about how adversaries may operate: "What if attackers are using Living-off-the-Land to evade detection?" The hunter develops a hypothesis and looks for evidence that confirms or refutes it.
Intelligence-Driven Hunting
Uses threat intelligence to search for TTPs, IOCs, and infrastructure associated with known APT groups. Example: searching for signs of Cobalt Strike after a report indicating its use by a specific group in the sector.
Baseline Hunting
Establishes a baseline of normal behavior and looks for statistical deviations. Example: identifying processes running from unusual locations or anomalous network connections.
Hunting Methodology
- Hypothesis: Formulate a question based on threat intelligence or risk analysis
- Investigation: Collect and analyze data using SIEM, EDR, logs, and forensic tools
- Discovery: Identify patterns, anomalies, or IOCs that validate the hypothesis
- Response: If a threat is confirmed, trigger incident response
- Documentation: Record findings and create automated detections
Hunting Tools
SIEM and Log Analysis
Splunk, ELK Stack, Azure Sentinel for complex queries across massive volumes of logs. KQL, SPL, and Lucene for advanced correlation.
EDR and Threat Intelligence
CrowdStrike Falcon, Microsoft Defender for Endpoint, Carbon Black for visibility into endpoints. MISP, ThreatConnect to contextualize IOCs.
Network Analysis
Zeek, Wireshark, NetworkMiner for traffic analysis and identification of hidden C2.
Common Adversary TTPs
- Living-off-the-Land: Use of legitimate tools (PowerShell, WMI, PsExec)
- Credential Dumping: Mimikatz, DCSync, LSASS dumping
- Lateral Movement: Pass-the-Hash, Pass-the-Ticket, RDP hijacking
- Persistence: Registry Run Keys, Scheduled Tasks, WMI Event Subscriptions
- Evasive C2: Domain fronting, DNS tunneling, HTTPS encrypted beacons
Hunting Frameworks
MITRE ATT&CK
An essential framework mapping adversary TTPs. Hunters use ATT&CK to develop hypotheses focused on specific tactics (Initial Access, Privilege Escalation, Exfiltration).
Cyber Kill Chain
A 7-phase model that helps hunters identify which stage of the chain an adversary is operating in and where to look for artifacts.
Examples of Hunting Hypotheses
- "Adversaries may be using obfuscated PowerShell to download payloads"
- "Attackers may have established persistence via Scheduled Tasks on Domain Controllers"
- "There may be data exfiltration via DNS tunneling to recently registered domains"
- "Lateral movement may be occurring via RDP from service accounts"
Threat Hunting KPIs
- Hunt Success Rate: Percentage of hunts that result in a real discovery
- Time to Discovery: Average time between compromise and detection via hunting
- New Detection Rules: Number of automated rules created after hunts
- False Positive Reduction: Improvement in the accuracy of existing detections
Best Practices
- Start hunts with clear, measurable hypotheses
- Prioritize hunts based on up-to-date threat intelligence
- Document all hunts, even those that found no threats
- Automate discoveries by creating detection rules
- Integrate hunting with the threat intelligence program
- Continuously train hunters on emerging TTPs
- Use MITRE ATT&CK to structure the hunting program
Final Recommendations
Threat Hunting transforms a security posture from reactive to proactive. Experienced hunters combine deep technical knowledge, contextualized threat intelligence, and creative thinking to uncover adversaries that automated tools miss. Investment in a mature hunting program drastically reduces dwell time and prevents critical compromises.
